Cybersecurity — even in the heavy building materials industry — can keep us up at night.
At some point, the size of your organization will dictate how many dedicated full-time positions support data protection and cyber resilience. But no matter the company size, everyone benefits from routinely checking and refining foundational best practices.
So, let’s get into it.
Even for younger businesses, aligning on baseline security practices protects us from the worst-case scenario. As customers, we’ve all at least heard tales of ransomware’s crippling grip. You’ve probably seen a fair share of phishing emails, which have become increasingly difficult to spot. Or maybe you’ve followed extreme hits, like the recent attack on Japan’s largest shipping port, the Port of Nagoya, which was forced to suspend container operations.
The stark reality is that ransomware can disable a business of any size or strength, in any industry. And it’s not slowing down. According to National Public Radio, 2023 marked one of the most aggressive years on record for ransomware payments, with roughly $450 million tracked by mid-July.
Knowing how serious ransomware is, how can we be proactive in avoiding it? By continuously testing our systems against current security standards and best practices. Command Alkon partners with third-party security firms for independent assurance. One partner continuously evaluates our public-facing APIs and applications against emerging threats. Another firm performs a blind assessment of source code and control flows. Command Alkon also conducts internal reviews of infrastructure and remediation plans.
Internally, misconfiguration can be just as damaging as ransomware. It typically happens when infrastructure is set up without proper oversight, leaving an organization exposed to a malicious third party. Without a complete inventory of the controls in place, unintentional omissions can be disastrous.
Ransomware and misconfiguration are just two examples of threats, but they’re among the most common, and you’ll want a mitigation plan for both. Security capabilities vary widely from one organization to the next, but with a baseline understanding, we can all build a checklist of protection must-haves. Combined with regular patching and system updates, a checklist like this will put you in a more secure spot.
As an organization grows, dedicating a leader who owns that security checklist becomes critical. And depending on the size of the company, that leader may need help. At Command Alkon, we have a Chief Information Security Officer (CISO) who works to protect our data, systems, and networks from potential threats and ensures compliance with security regulations. Another option is working with a vetted third party as added assurance: someone who’s earned your confidence.
This brings up another question, and we think it’s one that often gets overlooked.
What should we be asking technology vendors to ensure our data remains secure?
In today’s highly competitive landscape, it’s important to ask vendors about their security practices. By doing so, you gain the knowledge needed to make sound business decisions, gain a competitive advantage, and demonstrate your commitment to continuous security improvement. These checks can range from whether your vendor is certified against a recognized framework, independently audited, or compliant with GDPR (the European Union’s General Data Protection Regulation). Security is a landscape that’s continuously evolving, and it’s important to know whether your vendors are keeping pace.
A great place to start is researching the vendor to determine which security frameworks they follow. In our space, many domestic companies adhere to NIST 800-171. If you’re not familiar, no, this is not a spaceship out of Star Wars. NIST Special Publication 800-171 lays out the security requirements that United States government contractors must meet to protect controlled unclassified information (CUI) held in their own, nonfederal systems. In practice, NIST 800-171 helps ensure the confidentiality of data ranging from personally identifiable information (PII) to proprietary business information. And if you’re working internationally, the ISO (International Organization for Standardization) 27000 series lays out how to meet international information security standards, with ISO/IEC 27001 being the one an organization can actually be certified against. Depending on your location, security requirements can vary.
Why do we look for these certifications? They validate our commitment to safety and resilience through recurring independent audits. However, depending on an organization’s size, they can be expensive. If you can afford them and already have dedicated resources, certifications are worth the investment.
Working with a vendor may also require system integration. If strong cybersecurity is well baked into your process, it makes integration consistent, easier, and faster. Creative, ad hoc solutions, especially for integration, may look like cost-saving shortcuts, but when done incorrectly they are often what lead to data breaches and compromises. Errors can arise when hiring a third party who’s not familiar with a system (which is why it’s good to know whether they’re certified). This is common enough that research firm Gartner Inc. estimates that up to 95% of cloud breaches are caused by misconfiguration or similar errors.
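The kind of misconfiguration Gartner is counting is usually mundane: an admin port open to the whole internet, a storage bucket left public, a privileged account without MFA. The script below is an added example of a checklist turned into an automated check; it is not Command Alkon’s tooling, and the inventory format (`firewall_rules`, `buckets`, `accounts`) and the sample inventory are assumptions constructed for illustration. In a real deployment the same facts would be pulled from the cloud provider’s API or from infrastructure-as-code before anything is deployed.

```python
"""Audit a small cloud inventory for classic misconfigurations.

Added example, not vendor code. The inventory schema and the sample data
are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Services that should never be reachable from the whole internet.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}


@dataclass(frozen=True)
class Finding:
    severity: str
    resource: str
    message: str


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0 (prefix length 0); unparsable input is not flagged."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def check_firewall(rules):
    """Flag ingress rules that expose all ports, or an admin port, to the internet."""
    findings = []
    for rule in rules:
        if not is_world_open(rule["source"]):
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
        if lo == 0 and hi == 65535:
            findings.append(Finding("high", rule["name"], f"all ports open to {rule['source']}"))
            continue
        for port, service in ADMIN_PORTS.items():
            if lo <= port <= hi:
                findings.append(Finding("high", rule["name"],
                                        f"{service} (tcp/{port}) open to {rule['source']}"))
    return findings


def check_buckets(buckets):
    """Flag storage buckets whose access policy allows anonymous reads."""
    return [Finding("high", b["name"], "storage bucket allows public read")
            for b in buckets if b.get("public")]


def check_accounts(accounts):
    """Flag privileged accounts that have not enrolled in MFA."""
    return [Finding("medium", a["name"], "privileged account without MFA")
            for a in accounts if a.get("admin") and not a.get("mfa")]


def audit(inventory):
    """Run every check and return the combined list of findings."""
    return (check_firewall(inventory.get("firewall_rules", []))
            + check_buckets(inventory.get("buckets", []))
            + check_accounts(inventory.get("accounts", [])))


# Constructed sample inventory (assumed schema, not real infrastructure).
SAMPLE_INVENTORY = {
    "firewall_rules": [
        {"name": "web-sg", "source": "0.0.0.0/0", "from_port": 443, "to_port": 443},   # fine
        {"name": "bastion-sg", "source": "0.0.0.0/0", "from_port": 22, "to_port": 22},  # SSH to world
        {"name": "db-sg", "source": "10.0.0.0/8", "from_port": 5432, "to_port": 5432},  # internal only
        {"name": "legacy-sg", "source": "::/0"},                                        # every port, IPv6
    ],
    "buckets": [
        {"name": "ticket-archive", "public": False},
        {"name": "marketing-assets", "public": True},
    ],
    "accounts": [
        {"name": "ops-admin", "admin": True, "mfa": False},
        {"name": "plant-manager", "admin": False, "mfa": False},
        {"name": "ciso", "admin": True, "mfa": True},
    ],
}

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[{f.severity}] {f.resource}: {f.message}")
```

Against the sample inventory the audit reports four findings: SSH open to the world on `bastion-sg`, every port open to IPv6 on `legacy-sg`, the public `marketing-assets` bucket, and the `ops-admin` account without MFA. The HTTPS rule, the internal-only database rule, and the non-privileged account without MFA are deliberately left alone, because a check that fires on everything gets ignored. Running something like this against the plan of a new integration, before it goes live, is the cheap half of the oversight the paragraph above describes.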
Whether your operation is global or local, asking these questions about security can surface system vulnerabilities before an attacker does. The more answers we have, the safer our systems can be.