In the aftermath of the recent SolarWinds cyber attack, many have been rushing to better safeguard their organizations. But according to critical infrastructure cybersecurity provider SecurityGate.io, these organizations should start by looking at their own people.
“SolarWinds is the latest example of what data has shown is behind a lot of these cyber attacks,” says Matt Willbanks, CMO at SecurityGate.io. “It’s usually starting with a human process failure at some point. With SolarWinds, there were a lot of sophisticated things they did technology-wise, but the key event that enabled it to happen is one of their customers had been breached by the same group that ended up pulling off the whole thing later.”
Recent reports indicate the SolarWinds breach was enabled after hackers gained access to a third party’s email account whose default password had not been changed.
“That one little misstep allowed this group, when they came back the next time, to just walk right in,” Willbanks says.
On January 19, risk management software provider SecurityGate.io announced a new update to its platform. The company’s new PPT (People, Process, Technology) Insight is designed to help organizations avoid these types of human process missteps that can be entry points for hackers.
“This platform update has been in the works for a little while,” says Willbanks. “Some of the feedback we’ve got from customers is they want more insights on how to recognize missing controls and where risks might be.”
The new update gives organizations insight into where their risks are, and that insight can be used to demonstrate the importance of devoting time or resources to specific areas.
“When they take that data internally to talk to their leaders, they need help communicating that in a way their leaders understand,” Willbanks says. “Through our conversations, what we found was if we can show the type of risk in a way that other people around the company can understand, it’s easier for them to get behind it. It’s much easier to go into a board room and say ‘43 percent of our top cybersecurity risks are related to our people.’”
PPT Insight provides risk management leaders with the ability to automatically score a cyber assessment, create remediation tasks, and prioritize them based on the context of their use in the organization. It also instantly maps missing controls in the cyber assessment data to their respective control families, and categorizes them into people, process, and technology groups.
“We can spend tons of money on hardware or software and try to cover every gap but if the smallest human process is left out, what does the rest of it really matter,” Willbanks says. “What we did with our platform with this update is helping to put a spotlight on that so that leaders understand why they need to spend extra time on people or why they should invest more budget into training.”
The update also allows organizations to quickly see if their risk management strategy is balanced across people, process, and technology controls, and where time and budget should be re-prioritized.
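To make the kind of roll-up described above concrete, here is an added Python illustration. It is not SecurityGate.io’s code and does not reflect how PPT Insight is implemented: the control families, their assignment to people, process or technology, the impact weights and the sample assessment findings are all constructed assumptions. It scores an assessment, turns missing controls into a prioritized remediation list, computes the share of open risk per PPT category (the “43 percent of our top risks are related to our people” style figure) and flags categories that are far from an even split.

```python
"""Illustrative people/process/technology (PPT) breakdown of a control assessment.

Added example, not SecurityGate.io code. Every mapping, weight and finding
below is constructed for illustration only.
"""
from collections import OrderedDict

# Assumed mapping of control families to a PPT category. Real frameworks
# (NIST SP 800-53, IEC 62443, ...) would supply the families; the PPT
# assignment here is a hypothetical editorial choice.
FAMILY_TO_PPT = {
    "Awareness and Training": "people",
    "Personnel Security": "people",
    "Configuration Management": "process",
    "Change Management": "process",
    "Incident Response": "process",
    "Access Control": "technology",
    "System and Communications Protection": "technology",
    "Audit and Accountability": "technology",
}

# Constructed assessment findings: (control id, family, implemented?, impact weight 1-5).
SAMPLE_ASSESSMENT = [
    ("AT-2", "Awareness and Training", False, 4),
    ("AT-3", "Awareness and Training", False, 3),
    ("PS-3", "Personnel Security", True, 2),
    ("PS-4", "Personnel Security", False, 5),
    ("CM-3", "Configuration Management", False, 5),
    ("CM-6", "Configuration Management", True, 4),
    ("IR-4", "Incident Response", False, 3),
    ("AC-2", "Access Control", False, 4),
    ("AC-17", "Access Control", True, 3),
    ("SC-7", "System and Communications Protection", True, 5),
    ("AU-6", "Audit and Accountability", False, 2),
]


def score_assessment(assessment):
    """Weighted implementation score in percent: implemented weight over total weight."""
    total = sum(w for _, _, _, w in assessment)
    done = sum(w for _, _, ok, w in assessment if ok)
    return round(100.0 * done / total, 1) if total else 100.0


def missing_controls(assessment):
    """Findings that are not implemented, each tagged with its PPT category."""
    return [
        {"control": cid, "family": fam, "weight": w,
         "category": FAMILY_TO_PPT.get(fam, "unmapped")}
        for cid, fam, ok, w in assessment if not ok
    ]


def remediation_tasks(assessment):
    """Missing controls ordered by impact weight (highest first), then control id."""
    return sorted(missing_controls(assessment),
                  key=lambda m: (-m["weight"], m["control"]))


def ppt_breakdown(assessment):
    """Share of open (missing-control) weight per PPT category, in percent."""
    categories = sorted(set(FAMILY_TO_PPT.values()))
    weight = OrderedDict((c, 0) for c in categories)
    for m in missing_controls(assessment):
        weight[m["category"]] = weight.get(m["category"], 0) + m["weight"]
    total = sum(weight.values())
    if not total:
        return {c: 0.0 for c in weight}
    return {c: round(100.0 * v / total, 1) for c, v in weight.items()}


def balance_report(breakdown, tolerance=10.0):
    """Flag categories whose share deviates from an even split by more than `tolerance` points."""
    even = 100.0 / len(breakdown)
    flags = {}
    for category, share in breakdown.items():
        if share - even > tolerance:
            flags[category] = "over"
        elif even - share > tolerance:
            flags[category] = "under"
    return flags


if __name__ == "__main__":
    print("implementation score:", score_assessment(SAMPLE_ASSESSMENT))
    for rank, task in enumerate(remediation_tasks(SAMPLE_ASSESSMENT), 1):
        print(f"{rank}. {task['control']} ({task['category']}, weight {task['weight']})")
    shares = ppt_breakdown(SAMPLE_ASSESSMENT)
    print("open risk by category:", shares)
    print("imbalance:", balance_report(shares))
```

With the constructed data, people-related controls carry 12 of the 26 open weight points (about 46 percent), so the report flags “people” as over-represented and “technology” as under-represented relative to an even split; changing the tolerance or the family-to-category mapping changes that verdict, which is exactly the judgement a real assessment would have to justify.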
“I’ve been in cybersecurity the majority of my career, over 20 years, and what I was finding is the same questions were being asked time and time again,” says Cherise Esparza, Co-Founder, Chief Product Officer and CISO at SecurityGate.io. “What are our risks, how do we know we’re spending our budget efficiently across those risks, and how can we best communicate that to the board? What the platform strives to do is to communicate in nontechnical terms, a back-to-basics approach. What I mean by that is understanding the fundamentals of your risk domain to people, process, technology based on a given framework. This allows the organization, the executive leadership, to understand something that is very technically complex at a higher level so they can make the best decisions for the company in reducing cyber risk around operational technology.”
PPT Insight seeks to address a larger problem in the industry. According to Esparza, IT and ICS organizations are often siloed, and those in the industrial control system sector often lack advanced cybersecurity expertise.
“What we see consistently is a lack of enforcement around policy configuration changes. That’s the crux of a lot of attack vectors that are typically leveraged and it’s usually due to the skills gap in the industry,” Esparza says. “Oftentimes when it comes to any kind of OT security or ICS security, it’s done by the engineers, the supervisors, the people who have been in those environments the longest and they’re not necessarily cybersecurity savvy, much less the ones who are managing and implementing new cyber tools.
“That’s where SecurityGate comes in, recognizing the gap in our industry to be able to holistically address and identify the risk posture of a given ICS environment.”