
Cybersecurity culture starts at the top of any business, panelists say

Cybersecurity is a business risk that must be addressed at the highest level to protect employees, customers and business interests, panelists on data security, system stability and the current state of the collision repair industry said during the MSO 2024 Symposium on Monday.

CDK was hit by a ransomware attack last summer that rocked the auto dealership and collision repair industry. The attack knocked out its management system for 15,000 dealerships, which also disrupted parts ordering and inventory management for collision businesses. The system remained down for almost two weeks.

Ashley Denison, chief information officer at Caliber Collision Centers, said the attack showed how connected each business is to the others. She said CDK is a tier 5 supplier to Caliber.

“It wasn’t on our radar, but this had such a big impact,” Denison said.

The attack affected the supply chain and forced the company to review its security for any connection risk.

“We had to pull people away from other projects,” Denison said. “It took us months to get things in order.”

Caliber checked its relationships with other companies in every department, including revenue, parts and labor.

Denison added: “What would we do if there was another CDK? What if some claims management systems go down?”

The review includes communication with other companies that Caliber is connected to, she said. For example, Denison said that Caliber has asked CCC about its communications plan in the event of a cyber attack.

Denison said Caliber also created its own communication plan in case of various outage scenarios and discussed what steps need to be taken to keep people working or completing tasks such as payroll.

Preparing for a cyber attack is just as necessary as preparing for major weather events a business might face, such as hurricanes or wildfires, Denison said.

“It’s not just about protecting Caliber, but how do we respond when something happens outside of Caliber?”

According to Jerry Davis, software and digital platform security specialist at Microsoft, every business should have a business continuity plan (BCP) in case technology stops working.

“When something happens, everyone is going to be involved,” Davis said during the event. “The CEO is involved and the board is going to be involved; obviously legit, your PR team. There needs to be a plan for how you communicate internally and with clients.”

Kyle Rankin, chief information security officer at CCC Intelligent Solutions, said you need to go through exercises, like tabletop exercises, before anything happens.

“One thing I’ve learned in cybersecurity is to never learn a lesson because something real happens,” said Rankin.

A BCP is a collection of what you are going to do in a cyber attack, he said.

“Obviously it’s impossible to explain everything,” Rankin said. “But if you can get 90% of the way through training that thought process, that’s a huge achievement.”

Rankin said timing is everything in cybersecurity efforts.

Those running businesses must take steps to ensure cybersecurity, Davis said.

“Who owns security? In the industry, we say this is everyone’s problem,” Davis said. “Or I would like to say that this is an opportunity for everyone. In security, we must view this as a business risk. The CEO manages a number of risks throughout the business. Cyber is another aspect of the business that needs to be managed.”

Davis said the CISO implements and manages day-to-day security activities on behalf of the business.

He said that culture is set by global leadership. He said Microsoft recently faced two cybersecurity breaches. One was carried out by the Chinese and affected a number of government clients and government emails. The second attack was carried out by the Russians.

“Microsoft has launched an initiative called Security First. The CEO said that when it comes to safety or the features of our products, we will focus on safety first,” Davis said.

Davis said the new safety guidelines are spreading throughout the culture, but it all starts at the top.

Spencer Colemire, head of product management at Cisco, said that at Cisco, risk and security management systems are the first priority.

“Part of our role here is to create and provide services,” Colmer said. “We have to step back and make sure we have a number of different risk and safety management systems in place and get to the point where we can make sure they’re all met and miss the deadline to meet those requirements. It’s more important for us to enter the market as a reliable supplier without holes and risks in our system than to get there on time.”

While decisions must be made from the top, panelists said a cybersecurity culture is essential to keeping a business secure.

“Every person has to be responsible,” Rankin said. “I’m developing this culture, introducing it into the environment, introducing it into the company. But at the end of the day, everyone has to be responsible.”

According to Rankin, there are many great tools in the industry. He said the industry had come to rely on these tools and had almost forgotten about the human element.

“If you just look at the statistics, 60% to 90% of breaches are caused by compromised credentials,” Rankin said. “Culture matters a lot.”

Colemer said even small businesses should have a password policy, such as requiring that passwords not be written down in a notepad. He said password management could be enforced, including multi-factor authentication.

Databases can be encrypted and provide backup information, he said.

“Another thing we don’t talk about much is making sure that our software is up to date,” Colmer said. “There have been a lot of exploits the last couple of years where people find their backdoor through a vulnerability that was fixed a year ago, and this company has not made any updates.”

Colemer said other complex security measures, such as building and installing firewalls, require the use of experts to prevent attacks.

Denison said there are many free tools associated with Microsoft operating systems and machines that companies can use to make their business more secure without investing in new products.

“We make sure they wear safety glasses and they’re wearing masks properly, and we have dust-free sanders and all those things that physically protect them,” Denison said. “How can we help protect them in much the same way we protect our clients and our clients? How can we help them see what their bank accounts or addresses are, all these pieces are in danger.”

Davis said businesses should explore resources provided by the National Counterterrorism Advisory System Cybersecurity and Infrastructure Security Agency.

“They do a lot of public-private partnership, and they create a lot of guidance for the general public,” Davis said. “If you go to their website, there’s all kinds of information (and) tools. This is especially for small and medium businesses.”

IMAGES

Artistic photo of data security, system stability and the current state of the collision repair industry during the MSO 2024 Symposium on November 6/Repairer Driven News.
