Six strategies for improving cybersecurity
Against this backdrop, what can utilities do to improve their cybersecurity? Here are just six of the strategies recommended by Red Hat.
1. Don’t just look at the technology.
Tech is an “enabler to reduce risk”, says Jenkins. “But tech is designed and implemented by people and therefore you need people with the right skills and qualifications, using documented processes. Security experts often say people are the weakest link when it comes to cybersecurity.”
This means a holistic approach to security is needed, one that takes into account human factors, cultural issues and process issues as well as the technology itself. “To err is human. You can inadvertently bring vulnerabilities or exploits into a system. It’s not malicious, it just happens.”
2. Beware targeted, socially engineered attacks.
The phishing net of today is often cast much more precisely: enter spear-phishing. Spear-phishing targets specific individuals and encourages them to reveal sensitive or otherwise confidential information by posing as a communication from someone they trust.
The credibility of a spear-phishing attack can be dramatically enhanced if the hacker has personal information about the target or understands what interests them – information which could be gleaned from their Facebook profile. “This is where hackers can spend a lot of time pulling together different pieces of information, ultimately giving them inroads to an individual, or to the system itself,” explains Roberts.
“You don’t have to be a particularly clever hacker,” adds Jenkins. “You just need a Twitter or Facebook account.”
3. Understand what you’re trying to protect.
Hardening every part of your network against every eventuality could also render it unusable, Red Hat points out. “You need to understand what the crown jewels of the IT system are,” says Jenkins. “You will want to secure commercially sensitive information more than information that is already on the internet, for example.”
Carrying out a risk assessment across the different classifications of data an organisation holds can therefore be invaluable. “Organisations need to understand what they are trying to protect.”
4. Consider the security of your software supply chain.
SolarWinds is a stark example. The network and infrastructure monitoring company was hacked in 2020, exposing 30,000 of its public and private sector client organisations to malware during a seemingly legitimate upgrade to its Orion software. The incident demonstrated the vulnerability of not just a company but an entire supply chain to attack: critical national infrastructure operators using third-party software developers, take note.
Roberts says outsourcing of software development is now the norm. “A lot of energy companies used to build their own applications but decided rather to outsource to expert software developers. However, it’s critically important they validate that the code they are using is appropriate, has been written by the contracted organisation, and that nothing malicious has been integrated.”
5. Think about the ‘onion’.
A security onion, as the name suggests, consists of layers. There’s the strategic level that is the domain of CISOs and their teams. There’s a design engineering layer beneath that, where a system is implemented. And then beneath that there’s the operational model, where security is tested and alerts to threats appear.

The strategic layer determines the organisation’s appetite for risk and dictates security governance and policy. But it’s essential that security controls are implemented at the other levels of the business too. So, an effective approach to security means good security at each layer.

Roberts says: “In our view, security is about layers, and layers of the technology you are going to implement, and making sure everything is as strong as possible at each point. Security is not just a mandate from on high.

“The different parts of the business need to talk to each other, assess their risk profile, and ascertain the security controls they need.”
6. Don’t make things too complicated.
When it comes to security, there’s such a thing as overdoing it. Jenkins says: “One example I love is when someone says, ‘your password must be 18 characters, 11 of them upper case, three Kanji characters, some exclamation marks’, and so on.
“The first thing people will do is write that password down and stick it on their desk. There’s the idea we need super-long, super-complex passwords, but if I have difficulty remembering, I will also reuse it across my systems because I’m told it’s secure. Mandating heavy security guidelines means people often find a way around them.”
In association with Red Hat.