Whether they have a dedicated cyber security team of 10 or none at all, midmarket CIOs are undeniably focused on strengthening their companies' current cyber security policies.
In nearly every conversation around cyber defense and strategy development, employees top the list of easiest targets for a data breach.
But IT organizations tasked with securing company data simultaneously receive pushback when they implement security measures like multi-factor authentication, which frustrates employees and is perceived as a hindrance to productivity.
Mike Benz, VP of IT at Kraus-Anderson Construction in Minneapolis, said the key to conveying the importance of individual responsibility to a company’s cyber posture is to make it personal.
A project manager on a construction site may not believe that data like the tracking information for a delivery of materials is all that attractive to potential hackers. But if he logged into his bank account during his lunch break to pay a bill and found his family's account suddenly emptied, he would quickly understand the threats that routine online transactions pose, Benz explained. Employees grasp the risk once it is framed in terms of their own data rather than the company's.
“We have to constantly find the right balance between comfort, convenience and effective security,” he said.
During a recent panel discussion at Midmarket CIO Forum, Benz encouraged fellow IT executives to keep an honest dialogue with the executive board as part of overall security strategy.
“If they don’t hear from us in IT, they assume the company is ok.”
Rather than fear mongering – average non-IT users already understand the basic concepts behind distributed denial of service (DDoS) attacks, malware and viruses thanks to national news headlines – it is more appropriate to present potential cyber threats as a risk management exercise to be addressed in the best interest of the business.
"Those presentations can't be too watered down or too geeky," he continued, advising that once a company better understands its threat exposure following a security audit, it is best to keep these critical board discussions concise yet frank, without being alarmist.
Strengthening Security Posture
Construction companies, most commonly privately held, carry far lighter regulatory compliance requirements than banks, hospitals and retailers, which answer respectively to FDIC oversight, HIPAA and the Federal Trade Commission. As a result, their networks often lack even basic security controls, making them an easy target for attackers.
After spending a significant portion of his career in management consulting, Benz sought to develop a risk evaluation and mitigation framework to help strengthen Kraus-Anderson’s security posture.
The National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity offered a baseline against which the company could measure its current state and begin closing its security gaps in a structured way. While still very general in nature, the framework helps CIOs with limited resources prioritize the vulnerabilities that matter most.
Benz took the framework a step further and surveyed several peers in the construction industry, asking them to self-assess their own cyber maturity. Questions covered a vast landscape, from how frequently users were required to change their passwords (a practice NIST's later SP 800-63B guidance no longer recommends) to whether the company regularly inventoried its digital assets. While many fell short of security best practices, often because the risks were not clearly understood, his research showed that basic improvements are achievable without hiring costly consultants.
“It’s one thing to check the box that you’ve gone through an audit; it’s another thing to begin implementing the changes that will make a difference in reducing your company’s cyber risk.”