Why data security is still one of the hardest challenges for many organizations

Register now

Data security remains one of the biggest challenges facing industry, and as technology delivers increasing interconnection and digitalization, assuring data security in every sector needs to be a long-term investment.

For many organizations, this continuous process requires an initial step change in mindset, implemented in a sustainable and efficient way.

Cyber security needs are now not just recognized, they are also discussed and debated at board level. Corporate executives are seeing the impact of security concerns on share price, and failure to address cyber risk can result in large fines. The cost of incidents is being fully understood, and we are seeing corporate boards held liable for insufficient security controls.

Almost a third of respondents to the Kaspersky Lab State of Industrial Cybersecurity report in 2018 believed it very likely that they will be targeted by a cyber-attack. Obvioiusly, we are way past the point of data security not being taken seriously. So why is effective cyber security still such a challenge?

A hard problem to solve

Organizations know they need to manage risk and threats from data security, but they face several challenges in doing this effectively:

  • Data security is a hard problem to solve. Just like in any office where you’d find a range of computers of different ages using alternate technology providers, so too do industrial data control systems have variances and complexity. There is so much diversity, and this is made more complex by how plants have been built and developed.
  • Recently, the C-suite have become the key driver for cyber security, with very large companies implementing this step change and scaling up. A mentality of ‘zero trust’ is increasingly being adopted, where you already assume someone has accessed your network. Your data strategy needs to identify the type of data and the impact of it leaving the business, as well as how it could leave – this all informs where it should live. As always, the right place to start is user stories.
  • Through threat- and risk-modeling, we can understand the threats. There will always be new vulnerabilities. Failure comes from a lack of imagination – we need to be thinking about what could go wrong, the impact of a data breach and how the data could be used. We might even be asking, is it a risk?
  • Digitalization is not just about technology. Equally important are people and processes. Often technology is of less concern, with investing in training being integral to ensuring smart decisions are made.

The future of data security

Thinking more holistically, data will, in the long-term, provide opportunities to bring together predictive maintenance, operational improvements and cyber security. Changes will mean fewer and fewer data systems, and the same data structure implemented throughout an organization.

A modern cyber security system protects industrial vulnerabilities across plants, simplifying secure day-to-day operations and supporting compliance activities. This will allow focusing on revenue-generating operations, not routine security.

We can look at modeling the flow of data by individual users. What does a plant engineer need, compared to an operator? Technology has enabled monitoring without the need for major infrastructure changes. With this new ability to monitor not only data flows but also data sets and types, coupled with strong data modeling tools now available to industry, we can share insights to enable better decision-making.

With isolated control systems, previous monitoring was available only at an end point. Now, we can monitor in real-time, take advantage of security operation centers and use this real-time data. We can monitor, and crucially understand, what is going on. With a distributed architecture, we can get data out and across entire organizations, not just in isolated operations.

The risk and the solution

The real risk is not having the discussion. If you want to be a digital innovator, you need to get the near real-time data to the C-suite. What has your organization defined as an acceptable risk at board level? And have they budgeted accordingly for this?

The key to success is having a risk adjustment mindset and engaging with stakeholders - both externally and internally. Everyone needs to be involved – it’s not just an IT project.

In order to master industrial data security challenges, companies need to develop a strategy. They need to have an organization and incident response plan and put measures into place. Of course, this also involves ensuring there is enough funding to work smoothly.

For effective scale, companies need to address critical points of a reference architecture – standardizing security technology, and planning around monitoring, vulnerability management and incident response.

A disciplined focus on making risk adjusted decisions is vital. The principles of risk management are so important when implementing a security program. When we talk about security, we are also talking about culture. So, everything you would do to drive a major initiative in a corporation must start with culture.

Cyber security is a five-step process that we characterize as identify, protect, detect, respond and recover, and consult.

For reprint and licensing requests for this article, click here.