“There are only two types of companies: Those that have been hacked and those that will be hacked. Even that is merging into one category; those that have been hacked and will be again.” This famous quote from former FBI Director Robert Mueller is becoming more relevant than ever in an era where cyber-crime is offered as a service, e.g., ransomware-as-a-service (RaaS). Cyber offenders are operating like start-ups, and plenty of opportunities exist given the interconnectedness of the world we all live in.
Strategic insights backed by research are becoming common among these offenders, making compromises more effective with a higher return on investment, and the returns are reinvested into more technical sophistication to better orchestrate future attacks. It is no longer only about encryption; attackers also deploy data theft tools to take a copy of the data and hold it for ransom, should the company manage to rebuild its landscape. The timing of such cyber-attacks is chosen carefully, and they are socially engineered to coincide with critical events such as promotion cycles, prompting an expectant employee to click on an attached promotion letter. While qualifying the targeted companies, the impact is strategically assessed by looking at the company’s complete ecosystem. The year 2020 saw instances where companies like SolarWinds were strategically targeted for penetration because of their deployment at multiple supply chain customers, while the attack on Kaseya was meant to impact its small-scale end consumers, such as local grocery chains.
This article explores typical cyber-security-related issues that engineering, procurement, and construction (EPC) firms face, and attempts to share a quick view of how to manage them better.
Identifying the crown jewels: EPC customers often operate in multiple lines of business with widespread siloed functions and teams. It is common to see such customers dealing with functions ranging from engineering, utilities, infrastructure, logistics, transport, and facility management to managing ships or rail fleets in some unique cases. While it is important to have complete coverage of assets, prioritizing the identification of business-critical assets can help improve the security posture. The critical areas to look out for include corporate, compliance, and business-critical functions. It is important to maintain this view as IT landscapes are ever-changing. Events like acquisitions, the addition of newer platforms, and the introduction of new systems demand realignment of the initially established business view, and effort on such exercises should be planned and budgeted upfront.
Lack of joint ownership of information security: A cyber-vigilant enterprise demands a culture change and full-scale participation from all IT and key business stakeholders. In certain situations, a firm’s IT infrastructure could be supported by one vendor while its IT applications are managed by another, adding to the overall complexity. Separating the CISO function from the risk management function, and enabling the underlying support with the right operating model, will ensure better participation on this journey. Well-defined responsibilities for remediation versus communication, cross-functional teams that govern progress, operational-level agreements among the moving parts of the enterprise, and so on, can incentivize stakeholders to jointly own the agenda and collaborate better on cyber risks.
Identifying risks from suppliers: Managing a large ecosystem of suppliers and assessing the cyber risks across it is an uphill task. Prioritizing the critical and strategic suppliers can make this activity manageable. Supplier contracts should be periodically reviewed for security- and data-related clauses. With cyber risks increasingly taking the shape of geopolitical issues, a critical supplier must be evaluated for these risks, and the contracts should provide sufficient safeguards to protect the company. Security reviews can be embedded in the onboarding process depending on the nature of the procurement, and the identified risks should be mitigated through an actionable, agreed plan.
Lack of in-house information security capabilities: Cyber-security skills are among the most in demand, and building capabilities in-house can be a slow and expensive affair. Instead, a combination of in-house staff and IT security service providers can add scale to the capabilities rapidly, yet in a cost-effective manner. Consolidation of contracts towards a single strategic partner should be encouraged. In the absence of the right capabilities, and with higher cyber debt, companies can look at cyber insurance as an interim mitigation.
Cyber-security parlance evolves every six months, and with thin budgets, a holistic cyber-security strategy is the need of the hour. A strategy that draws strength from existing business continuity or disaster recovery plans, the configuration management database, and the business view of critical assets should be sharpened to reduce ‘time to detect’ and ‘time to remediate’, rather than trying to deal with each threat individually. By working jointly with the ecosystem, the right capabilities can be built lap by lap in a never-ending race.