Cyber Defense: BSI’s Kristin Demoranville On The 5 Things Every American Business Leader Should Do to Shield Themselves From A Cyberattack

Authority Magazine
Apr 18, 2022

In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?

In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.

As a part of this series, I had the pleasure of interviewing Kristin Demoranville.

Kristin Demoranville is the Global Practice Director of Cyber, Risk, and Advisory for BSI. She is responsible for managing the global team of consultants that help clients discover the best cybersecurity risk management strategy focusing on people and processes for their organizations. Also, she has Security Training under her care. Kristin has more than 20 years of expertise in Industrial Cyber Security (ICS), Operational Technology (OT) Security, and Information Technology (IT). She has extensive experience in various industrial environments, including manufacturing and semiconductors. Lastly, Kristin has a Bachelor of Science in Environmental Management with a concentration in Behavioral Ecology.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I was born in Portland, Maine, but my parents moved back to Central Massachusetts when I was three years old; I grew up in the same small town that included most of my extended family. I was lucky to be exposed early to industrial equipment, ICS, PLC, and other technology because of my multigenerational firefighter family. At the firehouse, I learned the importance of service to others, remaining calm during the chaos, and fostering my curiosity when new technology arrived.

Is there a particular story that inspired you to pursue a career in Cybersecurity? We’d love to hear it.

I don’t have a particular story that inspired me to pursue a career in Cybersecurity; I crash-landed down the rabbit hole sideways and ended up in Wonderland if I’m being honest. I wouldn’t change it for the world; transitioning from IT to Cybersecurity has been such a fantastic journey.

Can you share the most interesting story that happened to you since you began this fascinating career?

That would be my first breach as a security leader after stepping into my first CISO role. Of course, it happened on a Friday afternoon on a holiday weekend, and it was a spear-phishing attack that resulted in a massive breach of personal data. I will never forget that excitement, “oh, we have a breach,” and “oh no, we’ve had a breach,” all simultaneously. Additionally, when the COO looked at me during the crisis meeting and said, “Kristin’s the best we have and the only one with the security knowledge to get us through the situation.” At that moment, I kicked my imposter syndrome in the face. That is the moment that made me realize how vital advocates are in the security business and that I truly belonged in the security industry.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

The three character traits that helped my success would be curiosity, high aptitude, and empathy.

It’s essential to be curious about your profession and open-minded to learning every day. It doesn’t have to be just about technical skills, but those soft skills are vital to having a successful security career. You must be able to listen actively, find the truth behind situations, and have the aptitude to adjust to changing conditions in real-time.

Often you are head down into one thing, and oh boy, here’s an attack; you’ve got to be able to shift gears quickly to manage the situation calmly.

Lastly and most importantly, you need empathy to be a good leader and security professional. All these skills were tested when I stepped into my first factory so many years ago. A factory is a family, but you have to earn your place. It took some trial and error to learn how to work effectively with those teams, but ultimately, empathy won my place in the family. I spent time learning about different jobs, the people who did them for 40+ years, and really became part of the culture of the factory, rather than just come in telling them what was wrong and leaving without lifting a hand to help.

I love working in Operational Technology Security because it’s about the people, process, and technology. My curiosity, high aptitude, and empathy were the keys to my success.

For the benefit of our readers, can you briefly tell our readers why you are an authority on the topic of Cybersecurity?

I’ve worked in technology and security for over 20 years and in several different industries, but I found my niche in Operational Technology Security (OT) and, more specifically, Manufacturing Security. I learned that security isn’t always about the cookie-cutter approach of technology solutions and hoping for the best; it is about learning about people’s behaviors and processes then finding solutions that work in conjunction with those behaviors and processes. I earned my blood-stained t-shirt and realized I was full of gumption.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. To ensure that we are all on the same page, let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?

The top five cyber-attacks that both businesses and everyday people should be concerned about are (in no order) Malware, Phishing, Man-in-the-Middle (MitM) Attacks, Denial-of-Service (DOS) Attacks, and Internet of Things (IoT) Attacks.

When I was an onsite home IT Tech back in the day, we were constantly pushing anti-virus and anti-spyware protection for home computers. People seem to understand that the internet is dangerous, and they need to protect themselves and their families. I’m not sure why we’ve moved away from that ideal somehow, but Malware, viruses, worms, trojans, and spyware are all still issues that have lasting effects on systems and personal data. However, the one highlighted the most is Ransomware. It’s in the news, it has taken down pipelines, factories, etc.

If you need a reminder, ransomware is when your data is held to ransom, and you will not be allowed to access it without paying the attacker. It’s hazardous, and we’ve been learning firsthand lately in the news just how disruptive it can be on infrastructure, hospitals, and businesses. It can even be life-threatening.

The second one is phishing. Most security professionals carry the scars of phishing attacks in their careers. I dealt with a whale phishing issue early on in my career that was a double attack because they targeted the correct executive to release all the data they were after and impersonated another executive who was notoriously difficult to access. The person who fell for the phishing did it out of fear for her job from the other executive. It is still one of the most well-executed phishing attacks I’ve seen at a company.

The third one is a Man-in-the-Middle (MitM) Attack. I know this one sounds a bit Science Fiction, but it’s prevalent. The most popular of these attacks is with a “Pineapple” device, a rogue wifi device that mimics a public wifi access point. A person, unknowingly, connects to the device, granting hackers access to their data. With free wifi available in many places, from airports to cafes to libraries, people are at risk when they connect. This can be mitigated by using a Virtual Private Network (VPN) when connecting to a public wifi network.

The fourth one is Denial-of-Service (DOS) Attacks. This attack often happens and can lead to website crashes from server overloads or traffic floods. A few examples I’ve seen in my career are launching a new product on a website, the server is flooded with requests to the point of the system’s resources overload, and the bandwidth grinds to a halt. The systems cannot process or fulfill legitimate requests because of all the attacker’s traffic to the site. Additionally, this often happens with online mass-multiplayer games, and the servers will overload with traffic and crash. In both cases, commerce halts, customers are upset, brand reputation is questioned, and consumers end up taking their money elsewhere.

Lastly, we have Internet of Things (IoT) attacks. These attacks are the ones that keep me up at night since I’ve lived in smart-lock apartments and seen how IoT devices are used in infrastructure. If a device is exploited, an attacker can gain access to the machine and connect to the network the device uses. This can lead to additional attack vectors and points of entry that the attacker can exploit. On a more personal note, intelligent devices such as thermostats, cameras, and smart locks are used in domestic violence situations. If passwords are shared, or an additional account is on these devices, a bad breakup or an attacker can exploit these to turn off the heat in winter or spy or open doors. It is crucial to understand how to protect your home and business with additional security messages such as two-factor authentication.

Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?

This is an exciting question because private individuals should always be concerned about protecting their data from an attack or breach, but businesses are even more responsible for ensuring they are well protected and ultimately protecting their customers.

It goes back to the old saying, “vote with your money”. Private individuals should care about the security of a company, what technology they buy, from whom, is it secure or has had a breach, and was it handled adequately? Businesses should feel that peer pressure from their customers, in my opinion.

Who should be called first after one is aware that they are victims of a cyber attack? The local police? The FBI? A cybersecurity expert?

The first call is always to the security team at an organization. Suppose the local police or the FBI needs to be involved; that will be handled through the Security Crisis team once they determine the severity of the situation.

What are the most common data security and Cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

The most common mistake I’ve seen companies make is not knowing the priorities of protection for their business. What is the most important to keep the business running? What and where is the critical data, and most importantly, who has or needs access to that data? Often companies cannot answer those questions. Usually, it’s a knee-jerk reaction rather than a proactive action. Companies with a better security posture often make the same mistakes of not recognizing what attack vectors are specific to their environments.

What would you recommend for the government or tech leaders to do to help limit the frequency and severity of these attacks?

There are two things leaders can do: be an advocate and share best practices. I know that seems simple, and yes, this does happen, but security awareness isn’t a once-a-year compliance training; it’s a lifestyle. You have to be an advocate for your industry and profession.

As the digital world expands, we will see more life-threatening cyber-attacks and data breaches. It won’t just be from a pipeline or an oil refinery that threatens lives; it could be consumable medical technology or digitally connected agriculture. Routine daily tasks have become digital through the Internet of Things (IoT), which opens more attack vectors for bad actors.

Businesses and people need to understand the risks so they can protect themselves. Additionally, knowing what the risks are for a business is an essential role of a security leader. Not every risk is a risk in specific environments, such as comparing an enterprise and an industry ecosystem.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)

The five main things are actually questions they need to keep asking: Who has access to our critical data? What is our critical data? Where is our critical data? When are changes made to or around our critical data? And how is our data stored, managed, and secured? If you can answer these questions, congrats; you’re doing well. However, it’s essential to keep asking these questions often and not just because of an audit.

From this perspective, let’s think about it; you’re a huge international company. You have multiple operating companies, and one day, Malware jumps onto your network from a third-party vendor connecting to the network without security authorization. That Malware cuts its way across your network like a hot knife through butter and finds its way to some older operating systems used in a factory 5,000 miles away from its original location. The factory grinds to a halt because that exploit targeted a system that was the most critical portion of the production line. This causes delays to production, which causes scheduling issues, logistics issues, and now people are either in physical danger from equipment not responding or are sent home without a full day of pay due to inactivity. Is this a security awareness issue, lack of security policy, or neglect? How do you account for malware rampaging on the network only to completely halt a factory’s production in another hemisphere? Why was the enterprise network connected to a factory network?

Here’s why: Business Leaders lack awareness in their businesses. They assume security is handled and are not informed of risks. Why didn’t anyone know that one critical system was the key to taking down the entire production system for the factory? This is why these questions are so essential to keep asking their security teams and their operations teams. The further away you are from the product, the less you understand all the interdependencies around the product.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

I would say that the security community needs to become more inclusive, diverse, and open-minded. If you only have one way of thinking, that isn’t secure; we need to become adaptive and creative to help security become part of a culture rather than an outlier.

We have such amazing technology developing, but it doesn’t include security in its design. Security should be part of the conversation from inception, not just something that has to be done post-production. That goes for cloud development to devices. Imagine how much safer the world could be if we changed our perception of security.

How can our readers further follow your work online?

My LinkedIn profile is the best place to find me: https://www.linkedin.com/in/demoranvillekristin/ or the BSI Digital Trust Consulting LinkedIn page: https://www.linkedin.com/showcase/bsi-digital-trust/

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
