Every industry has its "religion" - the one thing everything must revolve around in order for a participant to comply.
In construction and plant maintenance, the religion is safety. Everything revolves around safety, and the goal is a total recordable incident rate (TRIR) of zero. Why? Because if your incident rate is too high, you won't be able to bid on contracts or obtain cost-effective insurance. Above all, nobody should be injured or die simply to complete a project. When a safety incident is reviewed, it is often found that a standard existed and was temporarily ignored, resulting in a preventable injury.
When a safety incident does occur, a report is always written. The situation is examined, and the root cause analysis is determined in order to understand if additional safety standards need to be implemented or current standards need to be modified. Regardless, it's a certainty the incident and its prevention will be reinforced in future safety trainings.
The cyber threat landscape is similar to safety, with one difference: on a construction site, you do not have financially motivated criminals actively seeking every possible way to delay, damage or destroy your ability to complete the job. Imagine if a criminal were to swap the strap for a heavy lift with one not rated for the load, or make some other catastrophic change. What would the consequences of those attacks be for your business?
Now consider cybersecurity, where criminals use social engineering to trick employees into granting them access to a system. The criminal installs a replacement application that lets the computer operate normally yet steals credentials to an enterprise resource planning, customer relationship management, HR, project management, banking or other system. The criminal learns with whom and how you communicate with your vendors, prospects, employees, subcontractors and clients, then creates rules in the email program that redirect messages from specific customers into folders within your invoicing clerk's Microsoft Outlook mailbox. The criminal duplicates a legitimate invoice for services actually provided, but changes the wiring instructions and sends it to the client.
The client trusts the sender at your company, but emails them to ask whether the change in wiring instructions is legitimate. Your employee never sees that email because it was redirected to a folder that only the criminal reads. Of course, the criminal responds that the change is legitimate, using the same "voice" your employee would use, referring to the customer by their nickname, and matching the sentence and grammatical rhythms that the client unconsciously trusts. Your client wires millions of dollars to the criminal, and the theft goes undetected until that invoice shows up unpaid on an accounts receivable report.
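A defender-side check for the inbox-rule trick in the scenario above, added here as an example and not taken from the original article: it scans a mailbox's rules for the patterns investigators look for (payment-related mail diverted to rarely opened folders, marked read, deleted, or forwarded externally). The rule fields, folder names and sample rules are constructed assumptions, not an export from any real product.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class InboxRule:  # assumed shape of one exported mailbox rule
    name: str
    enabled: bool = True
    from_addresses: List[str] = field(default_factory=list)  # empty = any sender
    subject_contains: List[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None                     # None = stays in Inbox
    mark_as_read: bool = False
    delete_message: bool = False
    forward_to: List[str] = field(default_factory=list)

# Folders users rarely open, so diverted mail sits unnoticed (assumed list).
HIDING_FOLDERS = {"rss feeds", "conversation history", "junk email", "deleted items", "archive"}
FINANCE_WORDS = ("invoice", "payment", "wire", "remittance", "bank")

def rule_findings(rule: InboxRule, trusted_domain: str) -> List[str]:
    """Return reasons this rule looks like fraud tooling; an empty list means clean."""
    findings: List[str] = []
    if not rule.enabled:
        return findings
    folder = (rule.move_to_folder or "").lower()
    if rule.delete_message:
        findings.append("deletes matching mail")
    if folder in HIDING_FOLDERS:
        findings.append(f"diverts mail to rarely-read folder '{rule.move_to_folder}'")
    if rule.mark_as_read and rule.move_to_folder:
        findings.append("marks mail read while moving it out of the Inbox")
    if any(w in s.lower() for s in rule.subject_contains for w in FINANCE_WORDS):
        findings.append("keys on payment-related subject text")
    for addr in rule.forward_to:
        if not addr.lower().endswith("@" + trusted_domain.lower()):
            findings.append(f"forwards mail to external address {addr}")
    if rule.from_addresses and findings:  # sender scoping only matters alongside hiding
        findings.append("and is scoped to specific senders: " + ", ".join(rule.from_addresses))
    return findings

def audit(rules: List[InboxRule], trusted_domain: str) -> Dict[str, List[str]]:
    """Map each suspicious rule name to its findings; clean rules are omitted."""
    return {r.name: f for r in rules if (f := rule_findings(r, trusted_domain))}

# Constructed sample rules for an invoicing clerk's mailbox (not real data).
SAMPLE_RULES = [
    InboxRule("Client ACME", from_addresses=["ap@acme-client.example"], mark_as_read=True,
              subject_contains=["invoice", "wire"], move_to_folder="RSS Feeds"),
    InboxRule("Newsletters", from_addresses=["news@vendor.example"], move_to_folder="Newsletters"),
    InboxRule("Cleanup", subject_contains=["payment"], delete_message=True),
]
```

Running `audit(SAMPLE_RULES, "yourcompany.example")` flags "Client ACME" and "Cleanup" and leaves the ordinary "Newsletters" rule alone; the same logic applies to rules pulled from a real mailbox export.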
This scenario describes the most common cybercrime against businesses, according to the FBI. Sure, ransomware makes national news, but invoice fraud via hijacked mailboxes causes greater financial loss. Regardless of the attack vector, cybercrime is constant and silent. Because today looked much like yesterday, our recency bias tells us the system must be safe and we have nothing to worry about. I'm here to tell you to worry.
Like safety, your organization must be 100 percent correct, 100 percent of the time in order to remain safe; the criminal only needs to be correct once. Moreover, the criminal's financial incentive to get it right is greater than an organization's financial incentive to become ever more secure. I say "ever more" because security is a continuously evolving landscape; it is never a destination. It would be unconscionable to hold one safety meeting with your team and then never address safety again. Yet with cybersecurity, organizations do the "necessary amount of security" in a check-box fashion within an IT budget that also prioritizes keeping the core infrastructure available and reliable.
This holiday season, it's time to move cybersecurity from the kids' table. Treating your IT security like a child is a financial burden you can't afford.
For more information, visit www.omnipotech.com or call (281) 768-4308.