On 12/2 I was listening to the WSJ Pro Cybersecurity Executive Forum and the methods have not changed — just the problems. What I learned and you should learn –
“Attackers can still get through the strongest defenses; plan your budget accordingly; have third-party security consultants ready in case of a data breach. Have candid conversations about a data breach scenario.”
“Securing a digital business”
Featuring speaker Bobby Ford, Unilever CISO
- Unilever: 150k employees, 400 brands, 2.5 billion consumers in 190 countries, 300 factories in 200 site locations
- Threat: Disrupt/degrade/attack data or disrupt/destroy/degrade organization’s ability to operate (operations)
- Critically important to prioritize one over the other (data vs. operations); Unilever prioritizes ability to operate, including manufacturing sites
- Move to industry 4.0 — at the heart of 4.0 is digital transformation
- Meet, anticipate, exceed needs of customers, democratizing data to meet their needs; however, with an increase in functionality there is an increase in vulnerability
- Unilever has established a dedicated team that protects their manufacturing plants; maintain an operational technology (OT) register
- Assess My Network
- Segment My Network
- Secure assets and network
- In the case of an attack, do not want ransomware to move laterally; so segment “My Network”
- Rate and identify factory sites that are most vulnerable (Group 1, 2, 3); prioritize through help of supply chain organization
- “You have to have a framework and not create in a vacuum”; prioritize assets and work with the business to secure what’s most critical because you can’t secure everything
- Identify what is most critical by talking frankly with key stakeholders
- There’s no one-size-fits-all solution for a dedicated cyber team. Make sure you have the infrastructure and partner with the supply chain.
- When it comes to deploying, there is a talent gap in the OT cyber field. Therefore, how do you get the right people in the right place? The size of the team will depend on the size of organization and manufacturing supply chain.
- “If everything is important then nothing is important.” Identify critical activities (this is dynamic: what is critical for Unilever, and when, plus the activities that support those critical ones), then look at the systems those activities run on, and then look at the suppliers that support the systems that support critical activities.
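The chain described above (critical activities, the activities that support them, the systems they run on, the suppliers behind those systems) is a dependency walk. The following is an added illustration, not code from the talk or from Unilever: all activity, system and supplier names are constructed, and the helper names are the example's own.

```python
"""Walk the 'critical activity -> systems -> suppliers' chain.

Added example with constructed data; nothing here is Unilever's.
The critical set is meant to be re-declared by the business over time,
and the walk is simply re-run when it changes.
"""
from collections import deque

# Activities the business has declared critical today (constructed).
CRITICAL_ACTIVITIES = {"bottling line A", "order fulfilment"}

# activity -> activities it depends on (the "activities that support critical").
ACTIVITY_DEPENDS_ON = {
    "bottling line A": ["plant maintenance scheduling", "raw material intake"],
    "plant maintenance scheduling": ["spare parts logistics"],
    "order fulfilment": [],
    # depends on a critical activity but is not itself critical
    "marketing analytics": ["order fulfilment"],
}

# activity -> systems it runs on (constructed names).
ACTIVITY_SYSTEMS = {
    "bottling line A": ["plc-hmi-a", "mes"],
    "plant maintenance scheduling": ["cmms"],
    "raw material intake": ["erp"],
    "spare parts logistics": ["erp"],
    "order fulfilment": ["erp", "wms"],
    "marketing analytics": ["bi-warehouse"],
}

# system -> suppliers that support it (constructed names).
SYSTEM_SUPPLIERS = {
    "plc-hmi-a": ["ot-vendor-x", "integrator-y"],
    "mes": ["mes-vendor-z"],
    "cmms": ["cmms-saas"],
    "erp": ["erp-vendor", "erp-hosting-provider"],
    "wms": ["wms-vendor"],
    "bi-warehouse": ["cloud-analytics-co"],
}


def closure(start, edges):
    """Transitive closure of `start` over adjacency lists in `edges` (BFS)."""
    seen = set(start)
    queue = deque(start)
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def critical_scope(critical, depends_on, systems, suppliers):
    """Return (activities, systems, suppliers) that are in the critical scope.

    Activities: the declared critical set plus everything it transitively
    depends on. Systems and suppliers: only those reached through that set.
    """
    activities = closure(critical, depends_on)
    in_scope_systems = {s for a in activities for s in systems.get(a, [])}
    in_scope_suppliers = {v for s in in_scope_systems for v in suppliers.get(s, [])}
    return activities, in_scope_systems, in_scope_suppliers


def out_of_scope(all_nodes, in_scope):
    """Nodes the walk did not reach: candidates for lower priority."""
    return sorted(set(all_nodes) - in_scope)


if __name__ == "__main__":
    acts, syss, sups = critical_scope(
        CRITICAL_ACTIVITIES, ACTIVITY_DEPENDS_ON, ACTIVITY_SYSTEMS, SYSTEM_SUPPLIERS
    )
    print("critical activities:", sorted(acts))
    print("systems in scope:  ", sorted(syss))
    print("suppliers in scope:", sorted(sups))
    print("lower priority:",
          out_of_scope(ACTIVITY_SYSTEMS, acts),
          out_of_scope(SYSTEM_SUPPLIERS, syss))
```

Note the direction of the edges: an activity that merely consumes a critical activity's output (marketing analytics here) is not pulled into scope, while the activities a critical one needs are. That is what keeps the resulting list shorter than "everything".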
“Regulating data in a pandemic”
Helen Dixon, Irish Data Protection Commissioner (Ireland)
- “Every aspect of our work has had to be transformed.”
- Q: More complaints of data misuse since the beginning of the pandemic? A: No, the figures are roughly the same as last year; however, there’s a slightly different profile in the breaches.
- Advice to companies collecting data, or collecting new data, on how to protect privacy: Think carefully about why you are collecting personal data, what purpose it serves, and whether there is a need to retain it. It is not about following the crowd; think about why it is necessary to collect the data, the sensitivity of the data, and individuals’ rights.
- There needed to be a high level of trust between the public and the public health authorities for people to participate in the contact tracing app. There was a lot of transparency around the implementation (over 1/3 of adults downloaded it). There is talk about pivoting contact tracing to other uses, and one must be wary of “tech solutions.”
- You need the trust of the users if you are going to avoid disruption: collect data carefully, publish the data protection information, and also publish the source code so it is open to public scrutiny.
- “There’s no glory in prevention.” But as a regulator it is important to anticipate
All opinions & expressions are solely those of the author and not those of any other individual, institution or business.