Today, cybersecurity is more important than ever, regardless of a company's size. Threat actors do not discriminate, so every business needs to adopt cybersecurity best practices and maintain a standard business continuity plan to protect its data and facilities.
In a roundtable discussion, David Masson, Sam May and Bryan Bennett discuss the importance of having a business continuity plan in the event of a cyberattack or emergency. Bennett is the vice president and practice leader of cybersecurity at ESD, Masson is the director of enterprise security at Darktrace and May is the senior compliance advisor at Steel Root.
This discussion has been edited for clarity.
ICS Pulse: There have been a number of flaws in the government response to cyberattacks. What can we be doing better? What should we be doing to eliminate some of this confusion that’s proliferated thus far?
David Masson: The sudden rush to try and get everything done as quickly as possible, is that going to support this current situation or make it worse? I’m thinking in particular of the Biden administration’s sprint on energy. As soon as I hear sprint, I think, “Has somebody really planned that out, or are we going to get to the end of the 100-meter dash and discover we missed things?” Or worse, we suddenly discover that maybe the federal government got to the end of the race, and the private industries are still standing on the block saying, “What’s going on?”
Sam May: I learned long ago that there’s no point in ever running into anything. The faster you approach any kind of a trauma scene, the more likely you are to miss all the things that you should have noticed by just simply taking your time. When we talk about something like responding to critical infrastructure threats, and threats against our national cybersecurity infrastructure, there is no sprinting because our enemies are universal. They’re going to constantly come at us from every direction, and so there has to be a very logical approach to this that doesn’t involve sprinting at all.
The No. 1 thing a business can be doing right now to help itself is to be working on policies and programs internally. You can’t just take a platform, put its box in your infrastructure and say, “We’re now secure. The job’s done, the analysts are going to write us once a week and tell us they’ve done a great job, and we’re all secure. We can go home now.” That’s a tool, but that’s not what cybersecurity is.
What cybersecurity is, is the programs and policies inside your business that your business creates, saying that we're going to make security a pillar of our business, and we're going to talk about it just like safety. Most manufacturing facilities put safety first because they can't have their employees missing hands and fingers and then continue to make their widgets. Like safety, security has to be one of those things that's everyone's responsibility and should be a part of the initial training.
When you have these access control policies, and you have configuration management policies, and you have policies around who does maintenance and who's able to access logical devices and network infrastructure, when you have all these policies, then you can get machines into your environment and make these policies and programs more efficient. I should be able to walk into a company and pull the Darktrace box out and have a bunch of techs freak out because they have more work to do, but still be able to fall back on the administrative programs that secure the company, which are now less efficient because Darktrace is no longer in the environment, but which can still function.
Masson: I’m pretty sure Darktrace is cybersecurity or network management, but if you did pull the box out, you’d probably find most people go back to where they were before. You find most people would be going, “Do you know what? I’m right back to the whole NIST principle of identify, and I’m struggling to identify.”
May: What is in your environment? What is your system boundary? What do we need to secure? What can we automate and make more efficient? And where are our weaknesses? I think it's something that comes up maybe a little bit more naturally to people who have served in the military to think of this idea of boundaries and walls, and wherever our weakness is, and focus on where [that] weakness is and understand where your strengths are.
In order to do any of that, you have to understand your environment, which then comes back down to this basic principle of, “Do you have the programs and policies in place?” Yes, this costs man hours. It costs time. It’s frustrating to sit down and get all the stakeholders together and make your business continuity plan to do disaster recovery and incident response. It’s hard to envision your small manufacturing company in the middle of Pennsylvania or upstate New York or Kentucky suffering a cyberattack.
The reality is, these are automated attacks that happen globally, run by AI (artificial intelligence). There's not a human being in a hoodie in their mother's basement trying to hack into abc.com. A business is being scanned 24/7 by entities all over the world, both malign and not, trying to get into your infrastructure. Once they get in, there are going to be more automated things that happen as they get further and further and further into your infrastructure until, eventually, someone's going to come in and start rooting around and establishing persistence.
What do you need to do to prevent that to begin with? It all starts with understanding what your business is, what the core functions are and how you protect those things. This is business impact analysis and business continuity planning. These are things that you don’t need to have expensive consultants come in and do. You just need to be able to sit down with your core people. If you’re not doing that, if you don’t have a business continuity plan at your business, then it’s a great place to start.
Masson: Not that I want to deprive people of consultancy fees and the rest of it, but a lot of this stuff is available free on BNCC website, the British National Cybersecurity Centre website. How to deal with all this stuff, it’s all actually there, and it’s not that particularly difficult a thing to do.
May: When you sit down as a business, you just ask yourself, “What is it that we do? What does our business do? How do we stay in business when the disaster has been recovered from?”
COVID is a great example of how you can look around the landscape of your small town and see what businesses had done some level of continuity planning and which ones are boarded up right now. Most businesses should look at themselves and say, “OK, I’m a restaurant. I serve food to people. That’s my core business. What happens if, for whatever reason, I can’t serve food to people? How long can I go and still be a business? What do I have to do? Do I have to lay people off? Do I have to turn the lights off? Do I have to turn down the insurance? What do I do to give myself as much time as possible to recover from whatever this interruption was and get back so that when the disaster has been recovered from, there’s still a business to operate?” As David said, you can download these things. You can just Google “business continuity plan,” and there will be bazillions of them. There’ll be everything from extremely complicated to way too simple.
This may be where you need a little bit of help to steer you, but largely companies can do this themselves. You have to form that administrative backbone, that policy and program backbone, and then begin layering in technology. Then, in doing so, you’ll start realizing “Oh, we need a Darktrace,” or “Oh, we need to have a managed cybersecurity firm because we don’t know how to do any of this stuff. We do have a policy that says that we have to at least keep Bryan out of our network so he’s not rooting around in there.” That is where I believe every company should be focusing their time.