October is National Cybersecurity Awareness Month. Tosibox CEO Jarno Limnéll took some time to answer questions about cybersecurity risks and what people in similar roles should look for. Limnéll, who is an internationally known cybersecurity expert and frequent lecturer on the subject, took over as Tosibox CEO in August 2018.
P&S: What is your background as it relates to cybersecurity?
Limnéll: I have been working with security for 25 years—as an officer in the Armed Forces, as a university professor, as the director of cybersecurity at Stonesoft and McAfee, and now as CEO of Tosibox. As digitalization has proceeded quickly during the last 10 years, I’ve focused on security issues in the digital world, which essentially defines what cybersecurity is today. As digital and physical security become more and more intertwined, it is now essential to think about a more comprehensive approach to security in general.
P&S: What are the CEOs/presidents of companies not doing as it relates to cybersecurity?
Limnéll: I’ve noticed leadership not taking cybersecurity issues seriously enough and not having enough understanding of the strategic points related to this topic. We have to remember that today, every company—literally—is a software company and if the security is not taken care of, you will lose business since you will lose your customers’ trust. Cybersecurity efforts must be monitored and improved all the time since the opportunities and threats of the digital environment are changing rapidly.
P&S: How can that be rectified?
Limnéll: The key point here is to understand how cybersecurity affects your business. Over the years, I’ve had lengthy discussions with several executives, talking about how cybersecurity affects their brand value, business continuity and especially their customers’ trust. When they find answers to these issues, it’s easier to understand the value of cybersecurity. Having strategic commitment and guidance is extremely important, otherwise we get stuck thinking only about the technical details of cybersecurity.
P&S: How can CEOs/presidents/OEMs train or educate themselves on cybersecurity?
Limnéll: The first thing they need to do is to add cybersecurity issues to the agenda at every board or executive management team meeting. Then, I always recommend inviting inside and outside experts to challenge your thoughts and to help you look at what you're actually protecting, against whom, and how you’re able to make cybersecurity a competitive advantage. I have also noted executives attending cybersecurity educational events, which is good.
P&S: How has the rise of IoT impacted the threat of cyberattacks?
Limnéll: We are only at the dawn of the internet of things (IoT) era. Eventually, everything will be connected to the internet, which in turn will increase the attack surface. The most important point here is that whatever we are connecting to the internet, security must be built in through a process that I call responsible technology development. We need to continuously improve and evolve the way we can prevent cyberattacks.
P&S: For pump systems, cybersecurity seems like a safety imperative, not a choice. What industries are most at risk?
Limnéll: When we talk about cybersecurity, we’re talking about how to protect our societies, businesses and our daily life. Cybersecurity is part of all vital functions in our societies, which means that risk exists everywhere, no matter what industry we’re talking about. At the moment, however, the main malicious interest is targeting power supplies, the financial sector and the health care industry.
P&S: If a small municipality is just starting a cybersecurity program for its water treatment plant or power grid, what are the first steps they need to take?
Limnéll: First, it is important to evaluate two things: define what you're protecting and what the threats are that you may face. From a protection point of view, once you have a good understanding of these two issues, you can then train your team members to monitor and mitigate risk. I also recommend making sure that every digital access point and IoT-enabled device at the plant is secured, especially if a remote operating system is in use.