In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?
In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience with all of us.
As a part of this series, I had the pleasure of interviewing Robert Nawy.
Robert Nawy is CEO of IPKeys Power Partners, provider of an industry-leading, secure OT/IT intelligence platform that addresses the complex cybersecurity, data, and critical infrastructure protection challenges faced by operators of mission-critical networks for customers in the energy, government, public safety communications and industrial markets. The company’s suite of solutions encompasses cybersecurity, cyber compliance, and operational network monitoring for a range of dynamic OT/IT environments. The company is headquartered in New Jersey and has offices in California, Louisiana and Texas.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Highland Park, New Jersey, a town so small we were all able to walk to school. It was a heavy football town and I was an All-State Quarterback.
My hometown was near Rutgers, where my dad was a civil engineering professor and department chairman — I eventually went to college there as well.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I became tuned into the critical needs for cybersecurity back around 1998 when I was working for a prominent DoD contractor. We were assisting the Army in rolling out its new email system called Defense Message System (DMS) which was a major upgrade from the legacy system called Autodin. The speed that the DoD was moving in authentication, encryption, common access cards (CAC), and biometrics was a real eye-opener as to what critical infrastructure protection (CIP) assets the USA needed. Unfortunately, the grid, civilian and commercial enterprises have never quite caught up to the DoD. This is where my motivation comes from.
Can you share the most interesting story that happened to you since you began this fascinating career?
As a founding member of the Advanced Energy Management Alliance (AEMA), I was able to visit the White House twice and engage and communicate with industry leaders on the need for cyber-secure energy management policies and programs. I found it fascinating to hear challenges from all around the country, particularly California energy leadership’s openness regarding climate change and the drastic outlook brought by droughts, fires, and an uncertain environment. This experience was approx. 8 years ago and the foresight and openness of a need to reduce the exposure made it all so real — meaning it wasn’t a story one just read online or in a paper but a daily crisis.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
The guiding principles I have always followed, and the culture of our company has embraced, are:
- “Our word is gold” — This has set the tone for the IPKeys leaders to know they may trust the company and its CEO. This trust has fostered long-term retention and has flowed to the client base. Trust is everything, knowing you can count on the company to do what it says, and the IPKeys team carries that torch!
- Innovate and make a difference solving issues that impact our society — The issues of grid cybersecurity, climate change, military interventions, extreme weather events, and their impact on society have driven the company to innovate and provide solutions to these pressing issues.
- Focus on technology and solutions that are market leaders — Stay true to the mission, and focus efforts and technology where we have a path to market leadership. We are seeing this path resulting in leadership in a unique arena where GRID CYBERSECURITY meets CRITICAL INFRASTRUCTURE PROTECTION (CIP) compliance.
Are you working on any exciting new projects now? How do you think that will help people?
Recently we announced the launch of IPKeys Cyber Partners, a strategic branding that differentiates it from the energy management focus of IPKeys Power Partners while still maintaining a laser grid focus. This differentiation strengthens our leadership position in Operational and Information Technology (OT/IT) security and intelligence, with solutions addressing complex cybersecurity challenges faced by clients in the energy, government, public safety communications, and industrial markets. This allows us to provide deeper engagement and greater accountability to grow. We are currently working on solutions to cybersecurity concerns with electric vehicle charging stations, which is something that not many are talking about. In fact, in order to spread awareness, we are developing a whitepaper that will be live on our website soon! Be sure to check it out to learn more.
For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?
I have been deeply ingrained in the cybersecurity industry for many years. Through my work with the DoD infrastructure provider, system integration, and now IPKeys I have worked with the best cybersecurity experts. In learning from my colleagues and in pursuing my own cybersecurity initiatives, I have accumulated quite a wealth of knowledge.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber-attacks that we need to be cognizant of?
The most common forms of cyberattacks include phishing, exploitation of known vulnerabilities, and weak authentication protocols. At the enterprise and grid operator level, mitigating the vulnerabilities associated with necessary patch updates, known as patch management, is an important recurring practice all entities should do. Out-of-date and unsupported aged operating systems are targets for hackers and ransom takers. I’m sure we’re all especially familiar with phishing emails and text messages, which are a way for hackers to trick you into sharing your personal information with what appears to be a secure website, organization, or friend, but provides hackers with sensitive information and allows them to deploy harmful software on your device.
As I mentioned before, something that isn’t talked about enough is the cybersecurity risk to electric vehicle charging stations. Widespread and rapidly adopted, these high-tech vehicles have become a new focus for hackers who can use the charging stations as a back door to access vehicle functionality and shut down the charging stations themselves. Just imagine if the charging stations were to go down across an entire state, and those citizens were unable to charge their vehicles!
Who has to be most concerned about a cyber-attack? Is it primarily businesses or even private individuals?
We should all be concerned about cyberattacks, from businesses to individuals. Anyone who is a frequent user of the Internet may be putting themselves at more risk than they know. Cyberattacks can affect anyone, but businesses are more at risk for large-scale attacks because of their assets and vast repository of confidential information. Some of these at-risk industries are far behind where they should be in terms of cybersecurity infrastructure — for example, the supply chain and transportation industries are already struggling due to limited resources due to the pandemic. With 93% of firms globally admitting they have suffered a direct cybersecurity breach because of weaknesses in their supply chains and the average number of breaches increasing 37% year-over-year, the threat of cyberattacks across the entire supply chain sector will only continue to grow in 2022.
Who should be called first after one is aware that they are the victim of a cyberattack? The local police? The FBI? A cybersecurity expert?
Of course, the first step is always prevention, to harden your systems and take actions that make your organization a less simple target. However, if your organization suffers a cyber-attack or data breach, immediately contact the nearest FBI field office or report it at tips.fbi.gov.
Here are a few immediate things you can do to attempt to contain a data breach:
- Disconnect your internet
- Disable remote access
- Maintain firewall settings
- Install any pending security updates or patches
In addition, you should change all affected or vulnerable passwords immediately. Create new, strong passwords for each account, and refrain from reusing the same passwords on multiple accounts. That way, if a data breach happens again in the future, the damage may be limited.
A key thing to remember is to preserve evidence for law enforcement. Victims of a cyberattack are often tempted to delete everything after a data breach occurs, but preserving evidence is critical to assessing the perpetrator and how they gained access. Determine which servers were breached and contain them quickly to keep others protected.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
The most common cybersecurity mistakes companies are making today are based largely on how we’ve come to live in the new, modern world. The COVID-19 pandemic forced millions to begin working remotely. All those workers require more doors of entry in a much less secure or scrutinized environment. While the internet of things (IoT) and cloud-based options improve collection and coordination of data and promote greater efficiency and safety, these tools also create new doors for cyberattackers to walk through. We want those doors guarded by Superman and a herd of trained German Shepherds but, the reality is, smaller enterprises are lucky to have Paul Blart the mall cop, and a disinterested pug. They just don’t have the resources.
Then, simple human behavior of maintaining secure passwords, not sharing passwords and information, clicking on unknown links and sharing potentially dangerous documents and links are far too commonplace. It may sound simple, but the first step is to educate employees. Regularly training workers on best practices and how to prepare for a breach is critical to improving cybersecurity.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
We all know that you cannot plan for every contingency, so the key is implementing security measures that can cover for multiple forms of attack. In general, however, there needs to be more of a concerted effort to advance the power grid to include security measures. Better education on what a cyberattack looks like, the consequences of an attack, and the simple things we can do to prevent them (not clicking on suspicious emails, for example) is also crucial. Anyone who does fall victim to a cyberattack should also know where to go for assistance.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)
- Assume an attack is already in your network attacking your devices at the office and at home. At some point, they will be.
- Password keepers with 2-factor are the only way to stay secure. Keeping unique passwords is not practical in today’s world. Turn on 2-factor at any site you use if it’s available.
- Don’t assume your IT department knows how to secure your network and systems both internally and externally. Your team needs cybersecurity training to have any chance to secure a network.
- Network Intrusion Detection is like antivirus for networks; if you don’t have it, you won’t even know an attack is occurring. Regular authenticated network vulnerability scans are the only way to know if your network is vulnerable to an attack and how secure your systems really are. Be aware, if you have never scanned your systems, it will be eye-opening.
- Segment your company’s network so any one compromised system can’t attack the entire network. Limit who has access to parts of the network and physically secure your servers. Have backups for your critical servers so you can recover from ransomware attacks quickly with options.