Minimizing Cyber Risk and Doing it in a Simplified Way – the Key to Secure IT Infrastructure Success

While cybersecurity has long been a focus of our industry, it is now considered the top business concern for companies. Maintaining secure IT infrastructure is challenging work and it is only becoming more complex. Data breaches make headlines in the news almost every day and generally the ‘buck stops’ with the CIO.

The reported cost of an incident globally is more than $4 million – that’s just one cybersecurity incident. Clearly it’s a concern of many boards that a cyber incident could materially impact a company. Harvard Business Review reported that publicly traded companies suffered an average decline of 7.5% in their stock values after a data breach, coupled with a mean market cap loss of $5.4 billion. And it took an average of 46 days for companies to recover their stock prices to where they were before the breach, if they were able to accomplish that feat.

The HBR article delved into other impacts from a cyber attack that we may not think of immediately. The aftermath can consume a company’s resources, the effects can be felt throughout the supply chain, and the attack may even result in a credit-rating downgrade, which could affect the company’s ability to secure financing.

We see two major areas of focus when it comes to cybersecurity. And there are inherent contradictions:  while executives list cybersecurity as a top concern, they don’t often do the basics to help prevent attacks.

Keeping firmware up to date and following best practices – simplifying the complex

When it comes to minimizing the risk of a cyber incident, keeping firmware up to date and following best practices is essential. Unfortunately, accomplishing this is a known area of weakness because most customers don’t do it. Our best information indicates that at least 60% of devices are running out-of-date firmware and 78% of devices have known vulnerabilities that hackers with malicious intent could exploit.

It’s easy for vendors to blame the customer for not applying updates, but we decided to turn that question on ourselves: have our EcoStruxure IT team members done everything they could to help customers with this problem?

We concluded that we needed to do more to make it as simple as possible for our customers to keep their firmware and software up to date, to make sure they were following best practices.

In the case of our embedded systems, we developed a new set of tools that proactively check to see if a new firmware is available and make it easier to mass deploy firmware upgrades. The Secure Network Management Card (NMC) System Tool transforms the cumbersome process of researching and installing the latest firmware on all devices, making the process up to 90% faster. That means users no longer need to search for firmware on an ad hoc basis, check to make sure that firmware is the latest one for their device, and read the release notes to understand what’s included in the new version before they download it and update their device. Instead, the Secure NMC System Tool notifies customers that new firmware is available and directs them to install the new version. It reinforces our ability to simplify the complex.

For our cloud-based software, we continuously release updates so we generally feel we are putting customers in a good position with this solution.

However, we recognized a gap in our on-premise software. We are working to have more robust notification to customers about releases that are up to date and implementing systems to ensure they can receive those updates.

Importance of cybersecurity certifications for secure IT infrastructure

The second area of focus we identified is cybersecurity certifications, which have become a necessary way to ensure vendors are following best practices minimizing cyber risk in their development processes.

Our team is making an ongoing investment in obtaining cybersecurity certifications from independent standards organizations to ensure that products designed for data center and distributed IT environments meet a set of well-defined requirements and undergo thorough testing and assessment.

As Paul Kirvan wrote in a TechTarget article explaining IT security frameworks and standards, “These frameworks help security professionals organize and manage an information security program. The only bad choice among these frameworks is not choosing any of them.”

Examples of these certifications include:

• ISO27001 is an international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company information, ensuring it remains secure. This particular certification has a wide reach and includes people, processes, and IT systems by applying a risk management process.

• IEC 62443-4-2 outlines the International Electrotechnical Commission (IEC) technical security requirements for components within IACS, providing guidelines for product developers and manufacturers to ensure resilience against cyber threats.

• FIPS 140-3 is a U.S. government standard that specifies the security requirements for cryptographic modules. These modules are the hardware or software components that encrypt and decrypt data, ensuring secure communications and data protection.

Independent cybersecurity certifications are not simple to obtain and they aren’t a one-and-done approach. They are an on-going investment of time, money, and resources, and consider them essential for demonstrating a commitment to cybersecurity.

The outlook for the future

Cybersecurity is a journey and, for my team, it is one we have been investing in for a long time. We strive to continue to have a long-term perspective, being strategic in our approach. We want our customers to be assured that we will be there for the long haul, which is important in an industry such as ours where devices will be used for 5, 10, or even 15 years. Using the latest technology and methods to keep IT infrastructure secure combined with doing the basics well and following best practices is helping our customers navigate this journey.