
This article is the last in a four-part series on cybersecurity and how the construction materials industry can prevent, protect, and prepare for threats and attacks on computer systems and digital assets. Part 1: Cybersecurity Should be at the Top of Your List. Part 2: Prevention: Your First Tool in Cybersecurity. Part 3: Protection: The Second Layer of Your Cybersecurity Plan.
CalPortland CIO Luis Angulo and Keith Onchuck, CIO of Ozinga, will present at NRMCA’s ConcreteWorks on October 12 at 3:30 p.m. in Aurora, Colorado. Their session, “Guarding the Digital Realm: Confronting Cyber Threats in the Concrete Industry,” will provide practical strategies and best practices for protecting your business from cyber attacks, ensuring the security of your digital infrastructure. ConcreteWorks is scheduled for Oct. 10-14.
Cybersecurity starts with prevention, which funnels to protection and ultimately ends with preparation. When you’ve reached the preparation phase, it usually means a data breach has occurred.
“Unfortunately, this is becoming much more common in the digital world in which we live,” says Ozinga CIO Keith Onchuck. “We all ‘want’ everything digitally, but are we prepared if our digital information is unavailable for any reason? Preparation is key.”
From a technology standpoint, the preparation phase is typically considered the most boring phase because you have to look outside the IT department. You have to work with other departments across the organization and create a set of policies and procedures.
“As IT leaders, it’s our responsibility to prevent, protect, and prepare our organizations from all the threats that exist in our digital world,” says Onchuck. “We must have a policy that outlines the procedures we need to undertake if we fall victim to cybercrime.”
One way a company can prepare is with a detailed Incident Response Plan that documents the procedures to follow in the event of a security breach.
In all phases of cybersecurity, a company must make a long-term investment and be willing to adapt over time. Prevention involves training exercises for employees and systems users, conducted on an ongoing basis. The tools used during the protection phase must be constantly evaluated to protect against the ever-evolving cybersecurity landscape. The same can be said for the preparation phase. Procedures companies put in place during the preparation phase should never go stale. They must be updated because technology continues to change and evolve.
“Even though we’re always hoping for the best and hoping that we’ll never have to reach this phase, you must plan for the worst and keep those plans updated constantly,” says CalPortland CIO Luis Angulo.
An Incident Response Plan usually involves three components: internal procedures, external procedures, and insurance.
Internal & External Procedures
A key aspect of the preparation phase is to lean on external expertise and internal expertise outside of the IT department. Internal and external procedures need to be figured out to ensure business continuity. Without this level of coordination, a single incident can bring business to a halt.
“It all comes down to being prepared to handle an event if it ever gets to that level of criticality,” says Onchuck.
When there is a security breach, companies must lean on all internal departments, including human resources, payroll, marketing, sales, legal, etc.
Companies should also prepare external procedures for tasks that go beyond the IT department’s purview. For example, a plan should be established with your marketing and communications department detailing how the company will respond to a security breach. This could involve issuing a public statement and communicating with employees, customers, vendors, etc.
A communication plan is necessary so employees are clear on what they can and cannot say if there is a breach. The plan needs to be funneled through the marketing and communications team.
“While preparation doesn’t guarantee that you're not going to be impacted, it gives you a greater chance of survival and recovery,” says Onchuck.
Another tool in your arsenal should be a secure backup of your data. “When cybercriminals get in your network, they try to find your backups and hold them hostage as well,” says Onchuck. “If you are using immutable backups [copies of databases that cannot be altered], this makes it much harder for bad actors to corrupt or encrypt them.”
Technical experts also recommend having a cybersecurity firm on retainer in case of a breach. Ensure all agreements are already signed and services are agreed upon. This will reduce the time needed to bring the firm into the organization to help with detection, eradication, and recovery from a cyber attack.
Insurance
Think of your company’s cybersecurity as a home security system. We prevent access to our home by using locks, we protect the house by having an alarm system or a guard dog, and we prepare for a break-in or other catastrophic event with an insurance policy. The same can be said when trying to protect our corporate data.
“Cybersecurity insurance is not a ‘nice-to-have,’ it’s a must,” says Angulo. “It’s not an option anymore.”
While cyber insurance does not prevent an incident, it will help you overcome the impact of one. You also need to know how and when to call on that cyber insurance when someone does infiltrate your system.
“Time will be of the essence,” says Angulo. “You don’t want to be trying to figure out how to deal with the insurance after a breach occurs.”
The Framework
Each company must develop its own plan that involves the three Ps we have discussed: prevention, protection, and preparation. The framework can be simple and continue to grow to meet the company’s needs. This may be different for each producer, but the basic approach still applies.
“When tools are used correctly, they represent a significant leap forward in our ability to do business,” says Angulo. “But these tools can also represent a liability if you’re not doing your due diligence.”
The stakes grow higher as companies use more advanced technology such as artificial intelligence.
The goal of the National Ready Mixed Concrete Association’s IT Task Force, which Angulo and Onchuck co-chair, is to create a cybersecurity framework that all companies in our industry can follow. “We’ve recognized that we’re an ecosystem,” Angulo says. “We all do business together and, in that moment, we are linked.”
“The more we can share best practices as an industry about how we are tackling cybersecurity, and the more our vendor partners, like BCMI, Command, and Sysdyne, can share what they do from a security standpoint, the better off we will all be,” says Onchuck. “We’re stronger together.”