In this episode, I talk to Michael Castro, C.DIR., ASC, MBA, the Founder and CEO of RiskAware (Cybersecurity) Inc., about the importance of cybersecurity for engineering firms and how engineers can introduce cybersecurity into their business.
Here Are Some of the Questions I Ask Michael:
- How can engineers introduce cybersecurity into their business?
- How is cybersecurity affecting the engineering community specifically?
- How often should businesses be reviewing their cybersecurity measures?
- What are your cybersecurity metrics and how do you address/achieve them?
- What are the top three simple and cost-effective things people can do right now to protect their business’ cybersecurity?
- Do you have any advice for engineering managers who would like to implement cybersecurity at their firms?
Here Are Some Key Points Discussed in This Episode About Cybersecurity for Engineering Firms:
- The way hackers operate is changing. Most attacks are now aimed at small and medium-sized businesses rather than larger companies. Engineers must prepare for the need to address cybersecurity in their organizations.
- Eighty percent of cyberattacks are the same for all types of companies, including engineering firms. The other 20% of attacks are what must be focused on because they are very specific to different professions. In engineering firms, OT networks and operational security must be looked at. OT networks contain information on critical infrastructure and systems that must continue functioning, and hackers will try to disrupt these systems and infrastructure in their attacks. Civil engineering firms hold a lot of intellectual property (IP), schematics, drawings, reports, and models that need to function. Hackers want to steal that information or install ransomware to make it unavailable to the firm. Customer and client information can also be stolen and used for identity theft.
- Engineering firms must embrace continuous improvement of their cybersecurity and should always be reviewing their cybersecurity measures. Almost as soon as you complete something in cybersecurity, hackers try to find ways to disrupt what you have done or to gain access through new, more sophisticated and complex attacks.
- Cybersecurity is difficult to capture in metrics. People are the weakest links in a company’s security model, so how successful cybersecurity training is in your firm can be used as a metric. System health in the form of upgrades or patching is of vital importance for your cybersecurity. Companies must put a regimen in place for these firmware upgrades or software patches to keep the system secure. A good security program must have management involvement and support that stems from senior management understanding what security is and what is going on in the company.
- Not everything in cybersecurity costs a lot of money, and some things can be done quickly and at a low cost to improve your cybersecurity. There are both paid and free security awareness training materials available that can help your workforce understand the risks. Understanding the risks and how an attack might present itself is the first step to ensuring your company will not take a misstep. Email is the main way that attacks will present themselves from a malware and ransomware perspective. Fake emails from a manager asking employees to do things are also a current threat. Focus on protecting the endpoint by utilizing the capabilities given by Microsoft or Apple. These capabilities are patching or upgrading software and encrypting the data on your systems.
More Details in This Episode…
About Michael Castro, C.DIR., ASC, MBA
Michael Castro is the Founder and Chief Information Security Officer of the cybersecurity firm RiskAware. His 20-plus years of experience in cybersecurity as it relates to a wide range of industries can be credited to his top cybersecurity positions at a variety of large Canadian businesses, including Canadian Tire and Loblaw companies. He has become a recognized thought leader on cybersecurity and is well-regarded as a professional speaker and author specializing in cybersecurity education as it relates to entire organizations, from their systems to their employees.
Books Mentioned in This Episode:
This Episode Is Brought to You by PPI
PPI has helped engineers achieve their licensing goals since 1975. Passing the FE and PE exams can open doors to career advancement and new opportunities. Check out PPI’s wide range of prep options, including Live Online courses, OnDemand courses, and digital study tools to help prepare you to pass your licensing exam. Check out PPI today at ppi2pass.com to see all the options available for FE and PE exam prep.
To your success,
Anthony Fasano, P.E., LEED AP
Engineering Management Institute
Author of Engineer Your Own Success