FM leaders must invest in the technology, training, people and processes to ensure a strong culture of cyber security. Ajay Unni recommends cyber drills should be included.
Cybercrime is a huge issue in Australia, currently costing the Australian economy around AU$3.5 billion a year. Globally, the cost is set to rise to US$2 trillion by the end of the year, up from US$400 billion in 2015.
But the risk is more than financial: cyber-attacks on infrastructure or machinery even have the potential to physically harm workers. One example saw hackers take control of a furnace at a steel mill, preventing safe shut-down and causing massive damage.
During the pandemic, cyber-attacks have only become more frequent. A large increase in the number of people working from home coupled with digital adoption more broadly has seen a rise in unsecured technologies and lax security protocols. Attackers have seized the chance to exploit new vulnerabilities in unprepared workplaces.
As adoption of connected devices has grown increasingly mainstream in the facilities industry, it’s time for cyber threats to be taken seriously. In fact, all businesses should implement cyber drills with the same frequency as fire drills.
Introducing cyber drills
Cyber security drills are designed to simulate real-life threats to test the preparedness of your organisation to identify, react and respond to a malicious attempt at compromising your information security.
During a cyber-security drill, a group playing the role of the hackers, otherwise known as a ‘red team’ (this can be in-house staff or outside security specialists), attempts to challenge or test the organisation’s security capabilities.
Following one of these drills, organisations can review where they succeeded in protecting their information security and where they need to enhance their capabilities, whether those changes are to people, processes, or technology.
Preventing a cyber attack
Since 77 percent of cyber attacks are due to human, not technological, failure, the facilities management industry must not only invest in technology but also people and processes to ensure a strong culture of cyber-security.
Misinformation and ignorance around cyber-security are a big part of the problem. A report from the government’s Australian Cyber Security Centre (ACSC) found almost half of SMBs rated their cyber security understanding as ‘average’ or ‘below average’ and had poor cyber security practices.
One in five SMBs did not know the term ‘phishing’. Many businesses are unaware of the threats they face, with SMBs who outsource their IT security believing they are better protected than they really are.
In order to better protect themselves from an attack, facility management businesses must educate themselves on what they’re up against. There is a huge range of ways that a business can be attacked, including trojans, typosquatting, keystroke logging, insider threats, malware, phishing, ransomware, and spear phishing.
One common attack sees busy, high-profile executives impersonated within the organisation using a technique called typosquatting. Google.com might become Goog1e.com or Gooogle.com, with the hope that the victim may miss the spelling mistake and assume the email is legitimate.
In a case like this, cyber criminals might send an email that appears to come from the CEO, using a fake lookalike domain, to the legitimate email address of the CFO, asking for some funds to be transferred urgently to a specific bank account. The CFO trusts that the email is legitimate and performs the transfer.
By educating staff throughout your organisation, these kinds of attacks are far less likely to fly under the radar and can be picked up before disaster strikes.
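A mail-filter check for the lookalike domains described above, as an added example that is not part of the original article: it flags a sender domain that matches a trusted domain once digit-for-letter swaps and repeated letters are normalised, or that differs from it by a single character. The trusted-domain list, the sample From headers and all function names are assumptions made for illustration.

```python
import re
from email.utils import parseaddr

# Assumed allowlist of domains the organisation trusts (constructed for illustration).
TRUSTED = {"google.com", "fm-company.example"}

# Digit-for-letter swaps commonly seen in lookalike domains (e.g. Goog1e.com).
SWAPS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def skeleton(domain):
    """Comparison form: undo digit swaps, then collapse repeated characters."""
    return re.sub(r"(.)\1+", r"\1", domain.lower().translate(SWAPS))

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Domain of the real address; parseaddr ignores addresses in the display name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".") or None

def classify(from_header):
    """Return (verdict, trusted domain it resembles or None)."""
    dom = sender_domain(from_header)
    if dom is None:
        return ("unknown", None)
    if dom in TRUSTED:
        return ("trusted", dom)
    for t in sorted(TRUSTED):
        if skeleton(dom) == skeleton(t) or edit_distance(dom, t) <= 1:
            return ("lookalike", t)
    return ("unknown", None)

# Constructed sample headers, not taken from any real message.
SAMPLES = [
    "Jane Doe <jane@google.com>",
    "Jane Doe <jane@goog1e.com>",
    "jane@gooogle.com",
    '"jane@google.com" <jane@supplier.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", classify(header))
```

A "lookalike" verdict is a reason to quarantine the message or hold the payment request for out-of-band confirmation; an "unknown" verdict only means the domain does not resemble a trusted one.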
Assess your cyber risk
In order to assess their cyber security risks, businesses should look at three main areas: people, systems, and processes. Then, they should see how weaknesses in those areas can be exploited to cause damage to the business.
For example, if no training was ever given to the people in your company, how likely is it that staff would click on a link that could install malicious software? Or if your systems don’t have the latest security patches, how easily can they be breached? If there are no policies or processes for cyber security in place, is it even possible to prevent an imminent attack?
Ask yourself: do we have everything we need in place? Do we have the right kind of strategy, governance, policies, procedures, and risk assessments? How strong are our monitoring, detection, response, threat intelligence, and testing? What training do we have in place? Do we have a good mix of people and partners to help support the business from cyber risks?
It starts with leadership
Cyber security is seen by some business leaders as an intimidating technical topic that isn’t the concern of the C-suite. However, it’s not the job of the IT department or the chief information security officer (CISO) alone to defend against malicious actors.
Company boards and leadership team members, including the CEO, are just as responsible for a business’ cyber security as the finance department. Board members must look at cyber security through the lens of risk and exposure, and realise that they are responsible for the impact of any risk – including cyber.
Making directors and stakeholders accountable for cyber security will require commitment, education, awareness, training, change management, and strong leadership. Not taking these responsibilities seriously can have severe legal, reputational and financial implications, both personally and for the company as a whole.
Cultural change is not a quick or easy fix, but it’s one that must be made for the good of your business, and the industry as a whole. It’s time to take cyber security seriously, before it’s too late.
Ajay Unni is founder of StickmanCyber, a business that helps companies mitigate cyber security risks.