By Sarah Nicastro, Creator, Future of Field Service
With service organizations deploying new technologies at a rapid pace to stay competitive and improve their customer experience, we must be sure to fully examine the security ramifications of those digital transformation initiatives. With every mobile device, mobile app, smart device or Internet of Things (IoT) endpoint, you are bringing greater intelligence into your business; but you are also introducing new vulnerabilities to your networks.
When it comes to connected field service, cyber security should not be an afterthought. Small and mid-sized companies are as much as three times more likely to be targeted by cyber criminals (you can read more in this Forbes article). If you think your regional HVAC service company can’t possibly be on the radar when it comes to cybercrime, you need to think again. Increasingly, criminals are launching ransomware and other types of attacks against all types of companies (there have even been attacks against regional utilities and school districts). If you have data, it can be stolen. So how do you ensure that while you are driving technological advancement, you’re also mitigating cyber security risk?
Charlie Hales is the Managing Director at Waterstons, an Australian business and technology consulting firm. Charlie joined us at the Future of Field Service Sydney event and spoke about how service organizations can leverage new automation and intelligence technologies while still keeping their company secure against cyber-attacks. I asked Charlie for a follow-up discussion to go into more detail about cyber security and field service, and you can read about that discussion in the Q&A below.
What are the biggest cyber-security risks that service-based businesses face today?
Charlie Hales: With the move to remote working during COVID and advances in technology to monitor and manage systems remotely, there has been a push to do more with less, including implementing remote access technologies. Some of this was implemented quickly without looking at best practices from a security perspective; this has actually made companies less secure and added vulnerabilities to the service-based business and the clients they’re supporting. If you work in the infrastructure sector, this is even worse with new legislation to ensure better security implementations and data management in place. So, all companies should review what they do in this area to ensure cyber security is factored in. This doesn’t need to make access harder, to be clear, which is what some people think. The technologies available these days to protect businesses are great and can keep the access seamless but also secure.
As companies seek to increase connected assets, incorporate more automation, and drive more predictive models, what needs to be top of mind from a security perspective?
Charlie Hales: Everything that is connected to a network and the Internet adds a new vulnerability to your environment. This does not mean you shouldn’t use this new technology, but it does mean you need to implement and manage it correctly. Also, there is a misconception that everything needs to be updated 100% of the time, but this is not the case. You should do so for critical infrastructure and anything storing your data, but items like printers, smart IoT, CCTV, etc., can be updated less often as long as they are on a separate network with no access or very limited access to the network connected to your critical systems and data. This network segregation between IT, OT and IoT is crucial, along with access controls and information management.
Automation also comes with benefits as well as risks. Automation is great for companies that want to implement it for repeatable tasks; they just need to think about where human elements need to be added or where monitoring should be implemented to ensure this automation isn’t breached. For example, if the automation usually pulls in data from a process to help with new orders and there was a big fluctuation in order volume, this should be flagged to check that nothing is amiss.
What’s the #1 mistake you see companies make related to cyber security?
Charlie Hales: The #1 mistake is that companies think cyber security is an IT problem. IT teams are great, but they are not cyber experts and shouldn’t be expected to be. Cybersecurity needs to be built in at a board level (they’re ultimately liable if something happens), factored into corporate risks and managed and driven through the business accordingly in partnership with the Cyber and IT experts.
Over the next five years, what changes will most impact how companies need to approach cyber security?
Charlie Hales: In Australia, we will see data management and protection. With recent breaches throughout Australia there will be a move to implement things similar to GDPR across Europe.
Globally, I see more collaboration defining what can/can’t be done and managed (and by whom), and recent examples include the likes of ChatGPT and TikTok. What you can use where and what data can be stored where is a hot topic at the moment, and I only see it getting bigger.
For companies looking to better understand the topic of cyber security, what resources do you recommend?
Charlie Hales: There is so much out there. A couple of examples include academy.attackiq.com and udemy.com. They have some great videos for CISOs as well as other videos for various roles in the business. But where I would start is to engage an expert to work with you in your organization to understand your business and what risks apply from a cyber security perspective. If you support infrastructure, you will have very different requirements than a manufacturing plant. What you need to do and what business risks you can accept will be very different. A general solution for all companies is not the answer. Understand what is critical to your business and then apply appropriate cyber security around that.
Given the shortage of IT staff in general and cyber security specialists specifically, how can service organizations make sure they are properly addressing their security needs? What options are available?
Charlie Hales: There are many cyber security consultants out there, so find a partner you trust to work with. That way you can actually get a multitude of skills for less than recruiting an in-house team. If you are a large organization, you will likely want someone internally to manage your cyber risks and program of work, but you don’t need all resources in house. That will be cost prohibitive at the moment. You can get multiple part-time staff members from a provider with varying skills for less than a full-time person with expertise across multiple areas.
Any other comments?
Charlie Hales: Don’t think that cybersecurity is a massive issue that’s too hard to look at, or that a breach is something that won’t happen to you. It will. What are the biggest risks to your business, customer data, production line, internal designs? You need to protect them. Find an expert that can understand your business to advise you about where you can add the best cybersecurity protection for your organization. That way, when an attack does happen you can recover quickly with little impact to your business and your clients.