Volume 3, Number 8 - August 2, 2005

We all know that computer viruses and worms can be a pain. We expect antivirus software, firewalls, and our MIS/IT folks to keep us safe and help us recover quickly when something goes wrong. But for many businesses, cybersecurity presents business risks too significant to delegate. While you may not relish the thought of becoming involved in the technology, it’s important to understand the potential risks to your business, establish appropriate policies, and make suitable investments to limit them.

In 2003 when the Davis-Besse (DB) nuclear plant was shut down for unrelated safety issues, a worm penetrated a DB private computer network and disabled a safety monitoring system that plant personnel wrongly believed was protected by a firewall. How could that happen? The worm first entered the unprotected network of a contractor, then moved through a T-1 line to the DB network, bypassing the DB firewall.

When risks include community and employee danger, legal liability, financial costs, and damaged reputation, attention from the top of the organization only makes sense.

Even though yours isn’t a nuclear plant, your downside risks may be so significant that cybersecurity examination and policies are good business.

Does any of your plant equipment run off automated systems (PLCs or other) electronically connected to your business applications? If so, any virus/worm or hacker that reaches your business systems can reach your operations systems. Devices that regulate the flow of chemicals or that control the temperatures of furnaces can be manipulated by hackers or impacted by worms. Is equipment linked to an OEM for debugging, data exchange or software updates? Can your employees link in from home, where they may have unsecured links to the internet? Just how protected are the various connections to your systems? Downtime and process variation can be expensive. Ruined equipment or chemicals released into the atmosphere can be even worse. Any electronic link of equipment to the outside world, including the laptop the service tech brought with him, can present risk to your operational equipment. Proper controls can make or break your business.

Cybersecurity will gain importance in the coming years. Standards for cybersecurity assessments are in place and a formal review can kick-start appropriate policy and priorities. The downside is that once you are aware of a problem, mitigating liability requires that you deal with it. That would seem to be good business anyway. Is it better to not know and hope nothing bad happens, or to understand risk and take appropriate precautions? What choice would you expect your employees to make?

Despite the proliferation of information, the globalization of trade, the bombardments of technological change, and the flexibility of podcasts and TiVo, there remain only 24 hours in a day, 7 days in a week, and the need for sleep and sustenance. The lead article above suggests you add consideration of cyberterrorism to your list of things to do. It’s always something.

What’s the secret to getting it all done? Simple. Stop doing something you currently do. In terms of time, today is a zero sum game. In terms of output, it is not.

As you decide to add time-consuming activities to your plate, consciously remove an equal amount of time-consuming activities. Make sure the things you add are more valuable (to you) than the things you remove.

As your company grows, the demands on you change. As business changes, what you must contribute grows. It’s much too easy to become the constraint that limits growth or profits. So stop doing something so you can start doing what needs done.

Fulcrum ConsultingWorks, Inc. All rights reserved.