Guarding against cyber threats: procuring cyber security from a maze of choices
Cyber criminals are an ever-present threat to business. There are a number of challenges facing those responsible for procuring the right cyber security solution.
During times of economic uncertainty such as a recession, businesses often re-evaluate their budget allocations and look for ways to cut costs. One of the common mistakes organisations make is to reduce their investment in cyber security and treat it as a non-critical factor. However, these are the times when cyber security matters more than ever. Businesses must understand the consequences of a cyber-attack, which can lead to financial strain, whether through paying a ransom or a large fine from a regulator. On top of that, cyber-attacks also have the potential to harm an organisation’s reputation.
Cyber criminals are always on the lookout for vulnerabilities during these uncertain times. Whether it is the start of the pandemic or the Ukraine crisis, hackers will continue their efforts to penetrate a company’s network and find opportunities to extract data or encrypt it for ransom.
Since their rise in popularity, IoT (Internet of Things) devices have been under scrutiny for their lack of security. Many of these devices are reachable by anyone over the internet, and there are often no plans for updates or bug fixes. Regulators have recognised the need for a response and are increasingly taking action, for example with the US IoT Cybersecurity Improvement Act of 2020.
Businesses that rely on OT (Operational Technology) aim to take advantage of the benefits of IIoT (Industrial Internet of Things), such as its cost-effectiveness. It goes without saying that the convergence of IoT and OT opens up several opportunities; however, businesses must not overlook the risks that come with it.
The procurement challenge:
There are more than 1,800 cyber security companies in the UK, and growth is strong across several key categories of the market. Keeping an overview of this growing market is difficult and requires dedicating team resources to determining which supplier or solution is most appropriate. It is very easy to pick one of the top ten providers for a certain product or service, but the challenge is to know which of the products actually suits the company’s requirements best in terms of its infrastructure, cost, SLAs and other factors.
Cyber security vendors should be able to provide a clear pricing model and appropriate references, and be able to support a proof of concept, especially for company-wide solutions. But the cyber security market is renowned for being opaque and driven by established channel sales. This often makes it difficult for companies to plan and project their expenditure on securing their resources effectively. This is why purchasing departments work with CSOs, CIOs and IT directors to gather requirements and identify the best risk-based approach.
Furthermore, some measures, such as new cyber security guidelines or a disaster recovery plan, need no external spend, but the internal effort still remains. It is not about spending a lot of money but about increasing the overall maturity in parallel.
Cyber security challenges in manufacturing:
Attack surface challenges are especially acute in industries like manufacturing, which has become a tempting target for hackers. The convergence of IT and OT in smart factories is helping businesses drive efficiency and productivity, but it is also exposing them to increased risk as legacy equipment is connected to the network.
One of the key challenges in implementing cyber security in the manufacturing industry is the complex nature of the sector. Manufacturing plants involve many machines with a service life of fifteen to forty years, which makes it difficult to keep them updated in a rapidly changing threat landscape. In addition, these machines are shipped either with an OEM system or with one customised by a third party.
As a result, different types of individuals require access to these machines to carry out their tasks, such as internal users who change the parameters and external staff such as service technicians who amend them. This makes it difficult for manufacturers to track and monitor every access.
CISOs (Chief Information Security Officers) need to consider several appropriate solutions, policies and procedures to ensure the security of critical information. This can only be achieved through customised cyber security solutions that are capable of meeting the exact requirements of the business.
How to procure cybersecurity effectively:
One of the best ways to implement cyber security cost-effectively is to avoid any unnecessary expenditure on solutions that are not required. Businesses should identify their key requirements and set priorities; this can include the vulnerabilities that need protection first and the budget available for cyber security. Once the requirements are clear, organisations can then look for solutions and service providers that match the technical requirements, are compatible with the existing environment, meet business objectives and legal requirements, and provide clarity on the resources needed to implement, monitor and maintain them, including people and processes.
If the organisation is looking to replace or consolidate an existing solution, it should also consider the cost of implementing the change and any subsequent training for users and operators alike.
Cyber security solution procurement, like any other specialised service, requires dedicated professionals, either embedded in procurement or seconded from the company’s security team. Due to a scarcity of experienced cyber security staff, many businesses outsource cyber security to an established or specialist security service provider. This is perfectly acceptable if the service provider guarantees compliance with applicable industry security standards and protocols, such as frequent penetration testing and emergency response processes in case it is itself breached by a cyber-attack.
It is also advisable for businesses to look for an independent advisor or consultancy that specialises in evaluating and comparing cyber security solutions and services against the company’s needs.
Nehal Thakore
CyberCompare (A Bosch Business)