October is National Cybersecurity Awareness Month! Seventeen years ago, the U.S. Department of Homeland Security and the National Cyber Security Alliance created this initiative to ensure that individuals are equipped with the knowledge they need to remain safe online.
To celebrate this month, we sat down with our most seasoned cybersecurity expert at Omnitracs, Chief Information Security Officer Sharon Reynolds. Here’s what she had to say about cybersecurity in the transportation world and beyond:
What does National Cybersecurity Awareness Month mean to you?
It’s an opportunity for anyone with a cellphone, email address, tablet, or laptop to stop, consider, and not be so very trusting of everything we see and hear and all the people who might do us harm. It’s a reminder for our business, all companies, and our nation.
With all the natural disasters — wildfires, hurricanes, and the pandemic — we are very distracted as a country right now. It’s hard to focus and remember to stop and think: ‘Do I click on this?’ or ‘Is this phone call real?’ And the adversary knows we are all distracted.
As the chief information security officer for Omnitracs, what first prompted you to pursue a career in cybersecurity?
I worked as a receptionist in a company, and we were in one of those remote offices. The IT team would send us the updates and security signatures on a disc, and we would update them. Since I was the receptionist, they’d send me the instructions and send me the discs. And then I’d do the configuration with them. That was my first brush with IT and security, and I immediately wanted to get into IT.
When I was working for a Department of Defense contract, I was involved in unified communications, telephony systems, and streaming media solutions for the company. I was trying to implement all of those in a very secure environment. These systems are all about connectivity — everyone, everywhere connecting everything. Since those systems were very insecure, it was a constant battle to get them done securely. And that was what got me involved in security: How do I take an insecure solution, make it secure, and achieve a business objective?
Problem-solving, curiosity, and significant challenges are very exciting to me. Don’t tell me it’s impossible because I’ll double down.
The theme for this year’s National Cybersecurity Awareness Month is ‘Do Your Part.’ According to the National Cyber Security Alliance, this theme empowers individuals and organizations to own their role in protecting their part of cyberspace. How can businesses make this theme a success in their circles?
I think companies can help by providing real, tactical, practical things that folks can do. It’s not enough to tell people, ‘Hey, you should be aware of this issue.’ Knowledge does not solve the problem. It’s muscle memory and how someone acts in the moment — even when they’re not thinking.
We have to do the awareness piece, but we also have to get specific with folks from their perspective and day-to-day lives. It’s not only about knowledge, but also about giving you the skills, tools, and abilities to use your best judgment.
How do you envision 5G will impact cybersecurity in the future?
I think it will just increase our ability to defend and the adversary’s ability to attack — just like every other new technology. We will have more opportunities to provide more security layers, and the adversary will have new opportunities to utilize new vulnerabilities. It is going to create a more pervasive and connected landscape. It’s not a negative — it’s just more connectivity.
With many people working from home due to the current pandemic, how has this transition impacted cybersecurity? Does it have a positive, negative, or neutral effect?
It’s an interesting duality. The widespread ransomware and malware risks have been reduced slightly because you’re alone in your home and not in an office. However, the office and all the office’s data has just come to your home. It has shifted the risk profile.
In some cases, I know some companies don’t have good command and control of remote workers and are having to deploy solutions to configure and manage their systems remotely. I think it has sort of changed the risk landscape. We used to pretend the perimeter was in the data center in the office. That idea of a perimeter has eroded over the last ten years because of consumer devices coming into the enterprise. Some companies may not have realized the perimeter had holes in it already — the defensive line has been pushed all the way out to the endpoint — all the way out to the employees’ homes.
A principal motto for this year’s initiative is ‘If You Connect It, Protect It.’ What does that motto mean to you?
I have always said that if it has electricity, I should be suspicious. If you’re going to use something on your home network or your corporate network, you should know how to protect it. You need to understand what the vulnerabilities and risks are.
As a population, we accept the convenience of things. It’s essential to look at the convenience of something and the vulnerability of something and make secure decisions. For example, if you have apps on your phone you don’t use, you need to think, ‘Do I really need this?’ Often, we grab things for convenience and ignore where our data is going and what vulnerabilities may open up.
How does cybersecurity uniquely impact transportation companies?
I believe that transportation is a critical infrastructure component for the U.S. It can directly impact our supply chain, affecting our day-to-day lives in our communities, grocery stores, and hospitals. So, we must protect that, because we live here.
Transportation — like some of the other critical infrastructures — has a kinetic threat with the truck itself since we have this technology with moving parts.
What is the top threat to cybersecurity in today’s world?
It’s ransomware. We are still stuck on ransomware. The adversaries are getting very good at deploying ransomware and holding companies hostage for data. They’ll say, ‘Not only did we steal your intellectual property, but we will post your data somewhere if you don’t pay.’ We’ve seen situations when criminals are shorting stocks, stealing sensitive data, encrypting all the servers, and demanding payment. They are monetizing very well.
What is the best way businesses can ensure they’re cyber secure?
The very first thing they need to do is identify the most critical business processes. What can your business not live without for a day? Once you identify those processes, look at the dependent people and systems. Reach out to a third-party security vendor if you don’t have the team members to do a critical assessment. Security vendors will help you recognize what is most important, identify gaps in your security posture, and help you create a roadmap for improvements. I recommend using third-party viewpoints because we are not very good at looking at ourselves and understanding what is truly most important.