Cybersecurity is not a one and done job.

Creating a successful cybersecurity program requires education, user buy-in and ongoing vigilance to harden a company’s cyber defenses, experts said during the Fortifying Offshore for Cyber Resilience executive dialogue May 2 at the Offshore Technology Conference in Houston.

Lior Frenkel of Waterfall Security Solutions, Brian Boetig of FTI Consulting and Harvey Perriott of CISA, with a moderator, during a session on cybersecurity at OTC. (Source: Scott Morgan, Offshore Technology Conference)

Once end users are on board with the necessity of cybersecurity precautions, the experts said, they are far more likely to spend the extra time — and even aggravation — associated with tasks such as routine password changes and multifactor authentication than trying to find workarounds.

And sometimes gaining traction in the fight for cybersecurity requires baby steps.

Industry workers don’t question the need to “wear a hardhat and crazy heavy-duty boots” when they go on a rig because they are educated about the potential repercussions of not doing so, said Lior Frenkel, CEO of Waterfall Security Solutions.

The same frame of mind should apply to cyber safety.

“The problem here is that people are not educated about this cyber risk yet. Because when you understand the risk, you say, ‘Okay, it'll take me 10% more time or 10% more money, but it's for a good reason because these bad things won't happen,’” Frenkel said. “The most important thing is to find ways to educate and make people understand and appreciate the risk personally and for the company.”

Brian Boetig, senior managing director at FTI Consulting and former director of the FBI’s National Cyber Investigative Joint Task Force, said safety is fully ingrained in a factory’s setting. Cyber awareness should be equally embedded in the digital world.

Currently, too many people are likely to take shortcuts, he said, such as taping passwords to the underside of keyboards.

“Shortcuts kill, and shortcuts are a way to alleviate processes that were put in place to secure,” he said. About “90% of cybersecurity is really just the very, very basic stuff,” such as password changes, multifactor authentication and keeping passwords in a secure place.

Further, he said, the end user has to understand the importance of security over convenience — not convenience over security.

The focus should be on “getting the cybersecurity standards to that point that people don't question it and complain about it, like they just put on the hard hat and they put on the steel toe boots.”

And the ramifications of a cyberattack can be large for personnel, said Harvey Perriott, regional director for the federal Cybersecurity and Infrastructure Security Agency (CISA).

“If something negative were to happen, how is that going to affect the company? How is that going to affect the employees? You know, if the company, if we go out of business, guess what that means? You're out of a job. So that's why you are using multi-factor authentication,” he said. “Guess what? Your paycheck is in jeopardy. And I think it sounds crude and may come across as harsh, but it's that simple.”

Common sense

Perriott said the main threats the industry faces are criminals, nation-states and disgruntled employees.

Criminals are typically financially motivated and operate primarily via ransomware. They may not care whether that ransomware causes catastrophic damage because “‘oh well, I’m trying to make money,’” he said.

Frenkel said most cybersecurity is about good common sense: don’t give the appearance your company is an easy target.

“On the criminal side, if you look vulnerable, you’ll get hit first,” he said. “They’re here for the money. It’s their job. They want to do the least work to get their money. And so if they fail with you, they’ll look to others.”

When nation-states engage in cyberattacks, Boetig said, they might focus on data aggregation, disruption of service or lingering covertly in networks — unobtrusively vacuuming up intellectual property.

“Just understand, nation state attacks don't always mean disruption of service,” Boetig said. “Sometimes they're very, very quiet and go sometimes unnoticed.”

And even when a company understands the potential damage that can result from a successful attack, getting buy-in to spend money on cybersecurity can still be a hard sell.

Sometimes, Frenkel said, companies understand the risks and costs of not being protected, but they’re more concerned about spending money on prevention and protection.

That can be particularly true when the spent money doesn’t bring in revenue.

But small steps can make all the difference. That means wading through the “whole big spaghetti” to focus on what’s most important to an organization.

Successfully securing a position often leads customers to expand the security efforts after they get “peace of mind that this part is now more secure.”

Baby steps, Frenkel said, are sometimes the only way to bring customers along the cybersecurity journey. But, Boetig cautioned, even when systems start to become secure, it is no time to relax.

Cybersecurity is not a sure thing because threats are always mutating.

“The landscape changes so frequently” that companies need to invest in regular, routine updates, Boetig said. “It’s a process that requires constant maintenance and constant updating.”