October is Cyber Security Awareness Month Perhaps the most enduring lesson we can learn is not to wait for when it happens, but be ready for when it does.

Marc Petock, Chief Communications Officer, Vice President, Marketing Lynxspring & Connexx Energy Contributing Editor

Often, we are reminded of the many national days that have been created to acknowledge this or that.  Whether they are important ones such as our country’s national holidays like Labor Day, Presidents Day, Independence Day, Memorial Day, etc. or whimsical national days and even month’s that recognize such things as National Pie Day, National Ampersand Day (yes, true), National Beer Lovers Day or American Cheese Month, we are constantly reminded.

Well one “national thing month” that gets overlooked because it is usually considered an “after-thought or it won’t happen to us” mentality, is cyber security. October is National Cyber Security Awareness Month.
Sponsored by the Department of Homeland Security, National Cyber Security Awareness month is a reminder to us all to practice vigilance and utilize cyber protection measures both within our business environments as well as our personal ones.

When we talk about cyber security these days it often focuses on technology. As with many things, there are multiple sides that should be discussed. With cyber security, it's an issue that goes well beyond the technology. There is a business side that should be part of the discussion. From a business perspective, the negative consequences that cyber incidents can cause are disruptive and potentially catastrophic. The value of taking additional measures and procedures to increase the cyber security posture of your systems, far outweigh the risk of not making them secure.

IT security professionals used to warn that only two types of businesses exist: those that have been hacked, and those that will. Now, many divide the world’s businesses into two types--ones that know that they have been hacked, and those that don’t.

I was recently asked, while we’ve talked about cyber security for some time now, when it comes to buildings and the systems that run them, do you think we are embracing and practicing good cyber posture and practices? My answer, cyber security continues to be the biggest issue facing our industry. While some have and are taking it seriously, there are many more who are not and nor is it part of their conversation.

An example, according to Censys, a search engine that allows you to ask questions about the devices and networks that compose the Internet, in the United States, as of July 21, 2017 there was 4,672,221 exposed building control devices; in the world, there were 12,395,101 exposed building control devices.

I am also reminded of a story I heard. After a cyber incident occurred at a company (Name purposely not mentioned), it was reported that one of the IT folks had complained to management about the issues leading up to the breach and was told, 'listen, we sell hammers here,' or something to that effect; we're not going to spend money on cyber because it’s not a core function. Our core function is to sell hammers. My thought, how many hammers must be sold to pay for the cost of stupidity?

While it is unlikely that every company has experienced a cyber incident (whether known or unknown), no business is immune. Just ask some of the leading companies in the world: Fedex, Maersk, Mondelez, and Merck, all of which have missed 2017 earnings projections because of cyber related incidents. The assault on Merck was so crippling that it was forced to halt production of its key drug lines, a disruption likely to undercut profits for the rest of the year.

Cyber incidents have become the 3rd largest risk to businesses worldwide according to a recent report from the Insurance Information Institute.

So, what are the business issues we need to be concerned with?

Ramifications (Internal & External)	Compliance
Governance	Legal
Assessments and Ratings	Liability
Responsibility	Brand
Cost	Earnings
Insurance	Occupant Harm
Operational Shut Down	$1.3M (Average Cost of a Cyper Incident)

[an error occurred while processing this directive]In the wake of the number of cyber instances that continue to make the nightly news and the many, many more that don’t, take time to examine the cyber security posture of the systems and devices managing and operating your buildings.  Ask yourself and the people who manage and operate them:

• Are we secure?
• How do we know we’re not compromised today?
  
• How would we know?
  
• What would we do about it if we were?
  
• Are we prepared to face the threat?
• Do we have a cyber security statement?  
  
• How about the companies in our supply chain, what are their cyber security practices?

Cyber security is a business issue and not just a technical one. Effective security must go beyond technology to encompass business strategy and practice. The first and last line of good cyber practices is to have strong corporate value systems and governance standards. Perhaps the most enduring lesson we can learn is not to wait for when it happens, but be ready for when it does. The operational, financial and reputational impacts to a business are tremendous.

At the end of the day, cyber security comes down to two things, RISK-how much are you willing to take and COST-how much will failing to be cyber secure cost you?

Happy National Cyber Security Awareness Month.