Every industry has its "religion": the one thing every participant must organize everything else around.
In construction and plant maintenance, the religion is safety. Everything revolves around safety, and the goal is a total recordable incident rate (TRIR) of zero. Why? Because above all, nobody should be injured or die simply to complete a project. Moreover, if your incident rate is too high, you won't be able to bid on many contracts or obtain cost-effective insurance. When a safety incident is reviewed, it is often the case that a standard existed but was temporarily ignored, resulting in a preventable injury.
When a safety incident does occur, a report is always written. The situation is examined and a root cause analysis is performed to determine whether additional safety standards need to be implemented or current standards need to be modified. Either way, it is a certainty that the incident and its prevention will be reinforced in future safety training.
The cyber threat landscape is similar to safety, with one difference. On a construction site you typically don't face criminal actors with financial motives actively looking for ways to delay, disrupt or sabotage your work. Imagine a criminal swapping the rigging strap for a heavy lift with one not rated for the load, or making some other catastrophic change. What would the consequences of that attack be for your business?
Now imagine cybersecurity, where criminals use social engineering to trick an employee into giving them access to a system. The criminal installs malware that lets the computer operate normally while it quietly steals credentials for enterprise resource planning, customer relationship management, HR, project management, banking and other systems. With access to the mailbox, the criminal learns how, and with whom, you communicate: vendors, prospects, employees, subcontractors and clients. Then the criminal creates inbox rules in your invoicing clerk's Microsoft Outlook that redirect mail from specific customers into folders the clerk never looks at. Because those rules are stored in the mailbox on the mail server, not just on the clerk's PC, they keep working from any device and survive a password reset or a rebuilt computer unless someone finds and removes them. Finally, the criminal duplicates a legitimate invoice for services actually provided, changes the wiring instructions and sends it to the client.
The client trusts the sender at your company but emails them to ask whether the change in wiring instructions is legitimate. Your employee never sees that email because the rule filed it in a folder nobody checks, while the criminal, still logged into the mailbox, reads it there. Of course, the criminal replies that the change is legitimate, in the same "voice" your employee would use, referring to the customer by nickname and matching the sentence and grammatical rhythms the client unconsciously trusts. Your client wires millions of dollars to the criminal, and nobody notices until the unpaid invoice shows up on an accounts receivable aging report.
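The inbox-rule step is the part of this attack a defender can actually catch. Every rule created through Outlook or Outlook on the web is stored in the mailbox on the server, and in Microsoft 365 its creation is logged as a New-InboxRule or Set-InboxRule event in the unified audit log. The script below is an added example written for this page, not code from Omnipotech or Microsoft. It scans exported audit records for the classic tells of a hijacked mailbox: a rule named with a single punctuation character, mail moved to folders nobody opens (RSS Feeds, Conversation History), mail deleted or forwarded outside the mailbox, and filters keyed on invoice or wire keywords. The sample records are constructed; the field names (Operation, UserId, ClientIP, Parameters as Name/Value pairs) follow the Exchange Online audit schema but should be checked against your own export, and the folder list and finance keywords are assumptions to tune for your tenant.

```python
import json
import re

# Constructed sample of Microsoft 365 unified-audit-log records for Exchange Online,
# one JSON object per line, in the shape returned by Search-UnifiedAuditLog's
# AuditData column. Addresses, IPs and timestamps are made up for this example.
SAMPLE_AUDIT_LOG = """\
{"CreationTime":"2024-03-04T13:02:11","Operation":"New-InboxRule","UserId":"ap.clerk@example.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"From","Value":"billing@client-example.com"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2024-03-04T13:05:40","Operation":"New-InboxRule","UserId":"ap.clerk@example.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"cleanup"},{"Name":"SubjectOrBodyContainsWords","Value":"wire;invoice;payment"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-03-04T09:15:02","Operation":"New-InboxRule","UserId":"pm@example.com","ClientIP":"198.51.100.22","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor-example.com"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2024-03-04T10:00:00","Operation":"MailItemsAccessed","UserId":"pm@example.com","ClientIP":"198.51.100.22"}
"""

# Audit operations that create or modify a mailbox rule.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
# Folders attackers favour because users rarely open them (assumed list; extend for your tenant).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive", "notes", "sync issues"}
# Rule actions that send a copy of the mail outside the mailbox.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Rule conditions that select mail by sender or content.
FILTER_PARAMS = ("From", "SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords")
# Words suggesting the rule is aimed at payment traffic (assumed list).
FINANCE_WORDS = {"invoice", "wire", "payment", "remit", "remittance", "bank", "billing", "ach"}


def params_to_dict(record):
    """Flatten the record's [{Name, Value}, ...] parameter list into a plain dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def analyse_rule(record):
    """Return the reasons an inbox-rule event looks like BEC tradecraft ([] if benign)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = params_to_dict(record)
    reasons = []

    name = p.get("Name", "")
    if not name.strip(". -_"):          # names like "." or ".." are a classic tell
        reasons.append("rule name is blank or punctuation only")

    folder = p.get("MoveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{folder}'")

    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")

    for key in FORWARD_PARAMS:
        if p.get(key):
            reasons.append(f"{key} sends mail to {p[key]}")

    if not reasons:
        return []                        # ordinary filing rules do not deserve an alert

    # Supporting context only: does the rule single out payment-related mail?
    filter_text = " ".join(str(p.get(k, "")) for k in FILTER_PARAMS).lower()
    tokens = set(re.findall(r"[a-z0-9]+", filter_text))
    if tokens & FINANCE_WORDS:
        reasons.append(f"filter targets finance-related mail ({filter_text.strip()})")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks mail as read, so no unread count gives it away")
    return reasons


def scan_audit_log(text):
    """Parse JSON-lines audit records and return one finding per suspicious rule event."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        reasons = analyse_rule(record)
        if reasons:
            findings.append({
                "time": record.get("CreationTime"),
                "user": record.get("UserId"),
                "client_ip": record.get("ClientIP"),
                "rule": params_to_dict(record).get("Name"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{f['time']} {f['user']} from {f['client_ip']} rule {f['rule']!r}")
        for r in f["reasons"]:
            print("   -", r)
```

Feed it the AuditData column from Search-UnifiedAuditLog, one JSON object per line. On the constructed sample only the two rules created in the AP clerk's mailbox are flagged; the project manager's newsletter rule is left alone. Treat the ClientIP as part of the finding (an accounts-payable clerk creating rules from an unfamiliar network is a strong signal), and check the mailbox itself with Get-InboxRule before you rebuild the endpoint, since the rule lives on the server and survives a reimage.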
This is business email compromise (BEC), which the FBI's Internet Crime Complaint Center reports year after year as among the costliest cybercrimes against businesses. Ransomware makes national news, but invoice fraud through hijacked mailboxes causes greater financial loss. Regardless of the attack vector, cybercrime is constant and silent. Because today looked like yesterday, recency bias tells us the system must be safe and that there is nothing to worry about. I'm here to tell you to worry.
As with safety, your organization must be right 100% of the time to stay secure. The criminal only needs to be right once. Moreover, the criminal's financial incentive to be right is greater than an organization's financial incentive to become ever more secure. I say "ever more" because security is a continuously evolving landscape; it is never a destination. It would be unconscionable to hold one safety meeting with your team and never address the subject again. Yet with cybersecurity, many organizations do the "necessary amount of security" in a check-box fashion, within an IT budget that prioritizes keeping the core infrastructure available and reliable.
It's time to move cybersecurity from the kids' table. Keeping IT security there is a financial burden you can't afford.
For more information, visit omnipotech.com or call (281) 768-4308.