Estimated reading time: 4 minutes

Nolan's Notes: Data Security—It’s Incumbent Upon You

The news broke in Portland, Oregon, in May 2022 that the city government had suffered a “cybersecurity breach” and lost $1.4 million in city funds. The city’s official statement announced, “Preliminary evidence indicates that an unauthorized, outside entity gained access to a City of Portland email account to conduct illegal activity.”

KATU-TV reported that the city’s Office of Finance confirmed the breach occurred in late April with a fraudulent money transfer. The first transaction did not trigger a warning flag, and the breach was not detected  until that email account attempted a second transaction.

Multnomah County’s spokesperson Dennis Tomlin told KATU, “It’s not a matter of if you’re going to get hit but a matter of when you’re going to get hit. So, what’s incumbent upon the county is to do as much as we possibly can to reduce the risk of a serious event from occurring.” We should note that the City of Portland encompasses most of Multnomah County, making Tomlin’s comments even more meaningful.

Andrea Peterson, reporting on the incident for The Record, referred to a similar attack on Erie, Colorado, in 2019, where it was believed that $1 million intended for a bridge project was stolen.

These are incidents from just two U.S. city governments, however, we know such attempts are widespread. As we spoke with cybersecurity experts for this issue, the “human factor” was a constant concern. Fraudulent email remains the number one method for hackers to gain access to a company’s internal systems. In fact, the FBI has issued two dire warnings, with the most recent detailing Business  Email Compromise/Email Account Compromise (BEC/EAC) scams account for $43 billion in fraudulent take. We found the FBI announcement to be so on point with the topic that we decided to reprint it in its entirety in this issue.

With all that we know about the risks of being involved in a cyber world, we must be getting a handle on it, right? Unfortunately, no. In a recent Washington Post article¹, the author cites two industry experts on the state of cybersecurity in the U.S. in general.

1. “[We’re] less vulnerable against the threats of five years ago. But I see no evidence that the threat has stood still, and in fact, it is likely that it has grown at a faster rate than our defenses,” said Herb Lin, senior research scholar for cyber policy and security at Stanford University.
   
2. “We’ve become ever more vulnerable with each passing day,” warned  Lauren Zabierek, executive director of the Cyber Project at the Harvard Kennedy School’s Belfer Center. “I don’t know where the bottom is.”

It may feel like it’s all doom and gloom, but my point is that cybersecurity is our collective responsibility. As an industry, if we want to grow, thrive, and endure, we need to ensure any private and protected information passing through our hands stays private and protected. The key here is “passing through.” The data moves along with the physical assemblies. We must ensure secure entry, processing, and exit for that data set. This is the core intent of the Cybersecurity Maturity Model Certification (CMMC).

Data security is now a business imperative. Whether it’s defensive (to repel hackers and data leaks), evolutionary (to support digital twins and industrial automation), or competitive (certifications and new capabilities), you can be reactive or you can be proactive. Either way, you will be responding to data security in some form. In this issue, we look at three main security initiatives underway, and ask, “Can this be accomplished affordably?”

That last question is the one that’s the hardest to nail down, of course. In our interview with Divyash Patel of MX2 Technology, he says that basic cybersecurity “hygiene” (as he calls it) is lacking in a significant percentage of our facilities. We must start there before we can build a solid cybersecurity system. If your organization has already secured your basic email hygiene, you are well ahead of many others. You won’t need to fund that part of the project.

What we didn’t find—and not that we realistically expected that we would—was a formulaic approach to cybersecurity budgeting estimation. It’s not like one can estimate dollars-per-line, Euros-per-facility, or pounds-per-employee. But as Ryan Bonner of DEFCERT explains in his interview, the CMMC assessment preparation documents make for a valuable self-assessment. IPC’s Validation Services programs are equally valuable not only in providing a certification recognized by government purchasing agents, but also as a process and security verification step. Look for Randy Cherry’s IPC 1791 discussion in this issue as well. In short, with a well-trained IT department, much of the work can be done in-house.

Here at I-Connect0007, we trust that digital security is high on your to-do list (if it isn’t, hopefully this month's issue of SMT007 Magazine will change your priorities). While digital security is not an insignificant project, achieving certification continues to become more clear and more focused. Now is a good time to move security to the top of your priority list.

Reference
1. “The U.S. isn’t getting ahead of the cyber threat, experts say,” by Joseph Marks, Washington Post, June 6, 2022.

This column originally appears in the July 2022 issue of SMT007 Magazine.