What did we learn from the IRN cybersecurity webinar?
24 December 2021
What did we learn from the IRN Webinar ‘Cybersecurity for Rental’ on 4 November? IRN Editor Belinda Smart, who moderated the discussion, reports.
Due in part to the increasingly digitalised workplaces necessitated by the pandemic, cybercrime is accelerating; in May, US cloud-based information security company Zscaler calculated a rise of 69% in 2020, with over a quarter of this attributed to ransomware.
Webinar panellist Gareth Lloyd, Chief Digital & Information Officer at Loxam, summed up the challenge. “Every business out there is subject to attempted cyber-attacks every day,” he said. “Almost all the time they get intercepted by one of the layers of security that we’ve all got in place.”
Alexander Wörndl-Aichriedler, VP Corporate Global Information and Communications Technology at Palfinger AG, confirmed that in January, a ransomware attack froze operations at Palfinger sites in Europe, North America, South America and Asia for around 12 days, which necessitated the shutdown of Palfinger’s production and administration processes.
Meanwhile in 2017, the purchase ledger team at Loxam Powered Access had experienced a potentially devastating phishing attack, Lloyd confirmed. Although the company didn’t lose money or data, the incident elevated cybersecurity to a “board-level topic” for the first time.
Following the January attack, Palfinger established a security operations centre (SOC) and implemented EDR (endpoint detection and response) technology as well as DNS (Domain Name System) security, said Wörndl-Aichriedler. At the time of the webinar, it was also reviewing its privileged accounts - which can give cyber-attackers access to servers, databases and high-value systems.
Alongside these measures, a key challenge for Palfinger was recruiting staff with cybersecurity skills. “You need six to eight months, sometimes 12 months, to find network technicians,” said Wörndl-Aichriedler.
On whether businesses should keep cybersecurity in-house or engage third-party consultancies, the panel agreed that outsourcing some cybersecurity functions was often the best route. “We don’t have the scale to do everything in house,” said Loxam’s Lloyd. “It’s a hybrid approach.”
Panellists also discussed whether cloud-based or on-premise cybersecurity solutions were more effective.
“A lot of cloud providers give you the platform baked in with some security, but it’s still ultimately your responsibility and it’s important that you treat it as your own network,” said Guy Dulberger, VP Information Security at Ritchie Bros.
“If you’re with a major cloud provider, Google, AWS [Amazon Web Services], or Azure, it’s all about how you set it up and configure it, but overall, they have much better levels of expertise than we have around security,” said Lloyd. “In a lot of sectors this is a debate that’s already been had, and the conclusion is that on premise is dying, or will die.”
Ransomware is a dominant cyberthreat, and various tools can be deployed as protection. One of the most important was influencing human behaviour, as ransomware typically enters an organisation via email.
“Investing in security and awareness training of staff are some typical approaches. Put simply, don’t click on something suspicious,” Dulberger said.
Also critical was a good back-up and disaster recovery strategy. “We also do tabletop exercises where we simulate a ransomware attack. We ask the question: ‘If this happened today, how would we handle that?’” he added.
Loxam runs regular training programs including simulated phishing, while Palfinger staff go through similar exercises and are regularly updated on common threats.
“Be prepared,” said Lloyd. “Do you have a 24- and 72-hour incident response plan in place? Do you know what you’re going to do? Do you know who you’re going to contact? Quite often it could be a question of identifying things as soon as you can. It could be an unusual pattern of tickets through your service desk, for example.”
What was Palfinger’s cybersecurity response?
In the event of an actual attack, Palfinger’s Wörndl-Aichriedler said that paying the ransom “if it’s in a reasonable range” was sometimes a regrettable but necessary solution. “In the time difference between your last backup and the time when the ransomware hits, the data is usually lost.”
While the laws in some countries officially steered businesses away from paying ransoms, “it’s quite common that people do pay,” Lloyd agreed. “Cybercrime is a fantastic business model [for criminals]. It’s really cheap to pick up tools, to execute attacks, and there’s a very low risk of getting caught,” he said. “So sometimes, the economically rational thing to do is to make the payment.”
In terms of threats specific to construction equipment rental, IoT and machine telematics systems are a growing cyberattack “threat vector” for rental companies, Lloyd warned. IoT attacks were still relatively uncommon, “but should be on the radar of every rental company executive team.”
“Once you connect a machine to the internet, you are exposing it to the risks around cybersecurity.
“IoT is an area where there is a huge imbalance between the sophistication of the security protection in the machine and the sophistication of the cyber criminals.
“I’m guessing that in 99% of devices it is impossible to patch the software or firmware on the machines. You literally have to replace the device.”
Lloyd said machines were at risk of being hacked as a way of gaining access to a wider network; to change safety settings on a machine; or to disable machines as part of a ransomware attack.
Attack via customer base
Another potential threat for rental companies is attack via their customer bases, said Lloyd.
“People in rental might think, ‘We’re low profile, why would we be a target?’ But if cyber criminals are targeting a particular entity - it could well be one of our larger customers, someone who’s in critical national infrastructure, someone who’s in utilities or telco; it could be Ukrainian power plants or Iranian nuclear facilities - we could be an easy route into those organisations.
“Being the Trojan horse that lets a cyber-criminal inside one of our customers’ organisations, that’s a huge reputational threat.”
Lloyd said it was “the norm” for Loxam customers and suppliers to do detailed cybersecurity checks. “When we’re pitching for work, the tender documents are 30 out of 100 pages on cybersecurity.”
Ritchie Bros., which has a large global customer base, takes a layered approach, said Dulberger. “We do encryption on sensitive data, and we do access control, so people only have access to data on a ‘need to’ basis. We’ve done a lot of work to address privacy and respect our customers’ privacy.”
How are cyber-attacks affecting insurance premiums?
Panellists also discussed the pros and cons of insurance. The rise of cyber-attacks had led to rising insurance premiums with onerous requirements for the insured, Wörndl-Aichriedler said. “As with every insurance contract, you should read the small print.”
“Insurance is a business continuity and corporate risk question. I absolutely think it’s the way to go,” said Lloyd. Insurance companies also provide access to specialist providers should an incident arise, “so it can be a good way to get early support.”
The European Rental Association’s (ERA) Cybersecurity Working Group
A member of The European Rental Association’s (ERA) Cybersecurity Working Group, Lloyd pointed to the Cybersecurity Best Practice Guide and ERA reference materials, including a 48-hour response template.
He said the work had led to the conclusion that aiming for an “external benchmark” was helpful for companies. “In the UK, companies can get going with looking at the Cyber Essentials program, which gives you a basic action plan, and can then move up to Cyber Essentials Plus. It’s a good way to look at what best practice is broadly; a good place to start.”
Priorities for the rental industry
Overall, cybersecurity should be regarded as a business priority for rental companies, the panel agreed.
“Security doesn’t have to be expensive,” said Dulberger. “You can do a lot without spending a lot of money. The first step is to identify the threats to your company. If you have a public facing website, secure that. If you’re a sales organisation and you do a lot of email, invest in email security.
“Awareness is free, so figure out a creative way to engage with your user base to ensure they’re safe and they know what to do and what not to do.”
Lloyd said demonstrating return on investment was often a barrier for businesses. “It’s a harder sell to say you’re spending money to avoid a potential problem,” he said. “But I think we need to think creatively about how to make those business cases.
“Construction and rental are at the lagging end of digital transformation. But we are rapidly increasing our level of exposure and we need to make sure the investment in cybersecurity is there, rather than waiting for something bad to happen, and then realising we need to do something about it.”
“In terms of where this should sit, cybersecurity is one of the top business continuity risks for any modern company.”
Alexander Wörndl-Aichriedler, VP ICT, Palfinger
Gareth Lloyd, Chief Digital & Information Officer, Loxam Powered Access
Guy Dulberger, Vice President, Information Security, Ritchie Bros.
Belinda Smart, Editor, International Rental News
ERA cybersecurity initiatives
The European Rental Association’s (ERA) Cybersecurity Working Group was set up at the end of 2020 and has produced the Cybersecurity Best Practice Guide for the equipment rental industry, which takes an enterprise-wide view of cybersecurity and outlines the leading practices relevant to the rental sector. The guide can be found in the Publications section at www.erarental.org.