The Civil Engineering Podcast

TCEP 219: Cybersecurity for Engineering Firms: This Is Why You Need It

09.14.2022 - By Anthony Fasano, PE and Christian Knutson, PE


In this episode, I talk to Michael Castro, C.DIR., ASC, MBA, the Founder and CEO of RiskAware (Cybersecurity) Inc., about the importance of cybersecurity for engineering firms and how engineers can introduce cybersecurity into their business.


Here Are Some of the Questions I Ask Michael:

How can engineers introduce cybersecurity into their business?

How is cybersecurity affecting the engineering community specifically?

How often should businesses be reviewing their cybersecurity measures?

What are your cybersecurity metrics and how do you address/achieve them?

What are the top three simple and cost-effective things people can do right now to protect their business' cybersecurity?

Do you have any advice for engineering managers who would like to implement cybersecurity at their firms?

Here Are Some Key Points Discussed in This Episode About Cybersecurity for Engineering Firms: 

The way hackers work today is changing. Most attacks are now aimed at small and medium-sized businesses rather than larger companies. Engineers must think about and prepare for the need to do something about cybersecurity in their organization.

Eighty percent of cyberattacks are the same for all types of companies, including engineering firms. The other 20% of attacks are what must be focused on because they are very specific to different professions. In engineering firms, OT networks and operational security must be looked at. The OT networks contain information on critical infrastructure and systems that must continue functioning. Hackers will try to disrupt these systems and infrastructure in their attack. Civil engineering firms hold a lot of intellectual property, schematics, drawings, reports, and models that need to function. Hackers want to steal the information or install ransomware to make it unavailable to the firm. Customer and client information can be stolen and used for identity theft.

Engineering firms must embrace continuous improvement of their cybersecurity and should always be reviewing their cybersecurity measures. As soon as you complete something in cybersecurity, hackers almost immediately try to find ways to disrupt what you have done, or find new, more sophisticated and complex ways of attack to get access.

Cybersecurity is difficult to measure in metrics. People are the weakest links in a company’s security model. Measuring how successful cybersecurity training is in your firm can be used as a metric. System health in the form of upgrades or patching is of vital importance for your cybersecurity. Companies must put in place a regimen for these firmware upgrades or software patches to keep the system secure. A good security program must have management involvement and support that stems from senior management understanding what security is and what is going on in the company.

Not everything in cybersecurity costs a lot of money, and some things can be done quickly and at a low cost to improve your cybersecurity. There are both paid and free training pieces available on security awareness that can help your workforce understand the risks. Understanding the risks and how an attack might present itself is the first step to ensuring your company will not take a misstep. Email is the main way that attacks will present themselves from a malware and ransomware perspective. Fake emails from a manager asking employees to do things are also a current threat. Focus on protecting the endpoint by utilizing the capabilities given by Microsoft or Apple. These capabilities are patching or upgrading software and encrypting the data on your systems.
