Rockwell Automation Sub-Saharan Africa MD, Canninah Mapena, discusses the importance of considering human behaviour in your company’s cybersecurity strategy.
While digital transformation and the move to the Connected Enterprise offer amazing benefits to organisations – improved visualisation, better and faster data acquisition and processing, remote support, and informed decision-making – there is industry-wide concern that the “smart” enterprise is increasingly vulnerable. More connected technology may mean more opportunities for cyber-attack. Add to the mix remote work, where employees are potentially working on their home or personal computers with insufficient anti-virus software, and the concern increases.
Bringing this into a manufacturing, process or mining environment, the threats presented by cyber-attacks go beyond malware, denial of service or ransomware and towards debilitating bugs and downtime. In a process operations context, risks include costly production stoppages and the potential for human harm. One harrowing example was reported by the New York Times in 2018, where a petrochemical plant in Saudi Arabia was hit by a new kind of cyber-assault that was not designed to simply destroy data or shut down the plant. Investigators believe it was meant to sabotage the firm’s operations and trigger an explosion. Luckily, the attack was prevented by an error in the attacker’s coding.
While this is a rather drastic example, the message is clear: the risks are very real.
Protecting Your Connected Enterprise
The obvious option is to have trusted, high-quality, plant-wide industrial cybersecurity. To ensure our customers have access to this, Rockwell Automation recently acquired Oylo, an industrial cybersecurity services provider based in Spain. Oylo is dedicated to providing a broad range of industrial control system (ICS) cybersecurity services and solutions, including assessments, turnkey implementations, managed services and incident response.
However, there is another element to consider when protecting your virtual and physical assets: your human assets. While many cybersecurity firms classify the “human aspect of cybersecurity” as a weakness or security threat due to the subjectivity of human behaviour, I am not a fan of this definition. It suggests that your own people are working against you, or don’t have company success in mind.
While it’s not impossible that deliberately malicious actors may exist within a company, logic would argue that an organisation’s own people surely prevent more attacks than they cause. Think about it: whenever someone ignores a phishing email, they keep a network secure. When your colleague locks their computer screen before taking their lunch break, they prevent potential unauthorised access. When a staff member closes a website following a security warning, they are keeping your network secure.
At Rockwell Automation, we believe that your people can be your biggest defence. Humans have a unique ability to actively prevent attacks – it might just take some training and awareness.
Cybersecurity for Humans
While digital skills are not particularly abundant in South Africa, this is not a showstopper. In many cases, this can be easily rectified with some basic in-house training and perhaps annual cybersecurity workshops. This will go a long way in empowering your team to protect your company’s assets. It is worth investing some resources in upskilling and creating awareness in your team, as it will lead to improved business continuity and more resilient technological infrastructure, ensuring you maintain your company’s cutting edge.
Here are my five top tips when it comes to training your staff:
- Ensure your training initiatives are engaging; blunt lectures aren’t memorable and won’t stick.
- Use practical examples to reinforce best practice.
- Hold regular refresher courses that explain new trends in cyber-attacks.
- Implement an incident-response policy so that staff are never in doubt about what to do in an attack scenario.
- Be the kind of manager your staff can approach if they have made a mistake and opened your business to risk.
As connected smart devices are introduced onto the plant floor, a comprehensive cybersecurity strategy that protects both your operational technology and information technology is more critical now than ever before – and people are key to this strategy. To be successful in your organisation’s journey to a Connected Enterprise, remember that your people are integral to it. Failing to consider their importance in keeping your environment secure and operational may see your company name in the next cyber-attack news headline.