Recently, PackExpo — a trade show about the packing industry, as well as other industrial facets — took place at McCormick Place in Chicago. At the show, there were several educational sessions about cybersecurity, with one entitled “Cyberattacks: Responding to a Breach,” led by Andy Lomasky, director of information technology (IT) at PMMI. This session discussed the importance of cybersecurity protocols and how to respond in the event of a cybersecurity breach.
Cybersecurity is a mindset, not a box to check
At the beginning of the session, Lomasky made it very clear that it’s a matter of when, not if, a cyberattack will plague your systems. When an attack does hit, there are several steps to take, according to the NIST framework — a framework that provides standards and guidelines on cybersecurity practices. The steps are as follows:
- Identify – Discover an attack on a system.
- Protect – Initiate immediate measures to protect a system.
- Detect – A difficult step, as many cyberattacks are happening in the background over many months.
- Respond – Communicate to stakeholders, communicate with law enforcement.
- Recover – This is the most critical part of the process. It includes restoring systems and data with backups, as well as learning from the attack and practicing continuous improvement.
These five steps are a cycle, meaning there will always be cyber threats and, further, always ways to better protect yourself from impending hacks and attacks.
According to Lomasky, it’s important to understand what your “crown jewels” are when trying to prevent cybersecurity breaches. These could include data, intellectual property, recipes, machines and your supply chain. Once you’ve identified what most needs to be protected, it’s important to master the cybersecurity basics, like multifactor authentication, passwords and segmentation.
When it comes down to it, cyber entry is usually not that complicated. Threat actors seldom spend months actively searching for the one hole in your firewall; typically, they just send something like a phishing email and let you do the work for them.
Expediting recovery from cybersecurity breaches
There are several methods to help recover from a cyberattack more swiftly, according to Lomasky. One example is conducting regular tabletop exercises on what to do in the event of a cyberattack (and, to break it down further, the different types of attacks). According to NIST, cybersecurity tabletop exercises are defined as “discussion-based exercise[s] where personnel with roles and responsibilities in a particular IT plan meet in a classroom setting or in breakout groups to validate the content of the plan by discussing their roles during an emergency and their responses to a particular emergency situation.”
This is a great way to not only set a protocol in place, but to give employees peace of mind in knowing that there IS a protocol in place. It’s imperative that these exercises include both the IT and operational technology (OT) teams so they know how their two “separate” departments work together and play off each other.
Equally important is having backup plans and systems in place to keep a business, especially a plant, running and to limit downtime. Often, it isn’t the cyberattack that causes a business to close its doors, but the operational downtime resulting from the attack. These backup plans should include backups of data and drives so there is a failsafe if data recovery cannot happen.
According to Lomasky, another important factor in recovery is knowing who to ask for help and having critical contact information available when an attack does happen. This includes law enforcement and your cyber insurance provider (if you have one).
On the topic of cyber insurance, this is another way to recover more swiftly. However, cyber insurance should not be the only crutch. Be sure to read your policies closely because at the end of the day, insurance is still a for-profit business.
Finally, shut down everything as quickly as possible. It’s essential to contain the spread of cybersecurity breaches by closing off anything that is (or could be) compromised.