Environmental Science & Engineering Magazine | Complacency To Catastrophe: The Perils Of Neglecting Cybersecurity

In the fast-paced world of consulting engineering, where digitization is as much a part of the
daily grind as our morning coffees,
we may not fully appreciate the impact
cyber-attacks can have on our ability to
serve clients.
We shouldn’t wait for an incident that
leaves teams unable to communicate,
invoices unable to be sent or paid, and
day-to-day operations caught in suspended animation. In our rush to connect and streamline technology, we might
just leave the digital backdoor unlocked.
As consulting engineers integrate
more technology into their workflows to
drive efficiency and innovation, they also,
perhaps unwittingly, are constructing a
digital playground ripe for cyber mischief. The recent hack of a sophisticated,
multi-national company in the energy
sector is a cautionary tale of how this
could happen.
In June 2023, a cyber-attack successfully penetrated that company’s defenses,
leading to widespread service outages.
Customers were left without access to
essential services, and the company
faced significant operational disruptions.
The attack not only halted immediate
activities, but also posed long-term questions about the security of critical infrastructure and the importance of cyber
vigilance in an era where such breaches
are becoming all too common.
It is high time for the consulting engineering sector to focus on cybersecurity.
With digital incursions becoming more
commonplace across various sectors, it is
imperative for consultants to safeguard
their networks and fortify their systems
against unauthorized access. Ignoring the
potential for cyber calamity is no longer
an option.
Instead, proactive investment in comprehensive security measures and incident response strategies is essential. By
doing so, consulting engineering firms
not only protect their own interests, but
also ensure the integrity and continuity of
the vital services they provide. It is time
for industry leaders to elevate cyber resilience to the forefront of their operational
strategies, ensuring that today’s vigilance
translates into tomorrow’s security.
DATA BREACHES ARE
GOING TO HURT
The cyber threat landscape is expanding at a breakneck pace, bringing considerable risks for all organizations. Consulting engineers today face an escalating
array of cyber risks that have major financial, reputational, and operational impacts
if not properly addressed, because clients
are paying them to be on top of these
problems.
Data breaches that expose sensitive
client information, or proprietary intellectual property, are a prime concern.
Hackers and cyber thieves are always
looking for ways to infiltrate systems and
steal valuable data assets. A breach could
not only result in costly recovery efforts,
but also erode client trust if a consultant
fails to keep information secure.
A data breach can unfold like an intricate heist, where the target is the wealth
of sensitive data that firms hold. It’s a
multi-stage process that often begins
with reconnaissance, where cybercriminals identify potential vulnerabilities in a
firm’s digital defenses.
Attackers may start by scanning for
exposed or weakly secured endpoints,
such as outdated systems or unprotected
IoT devices. They might also engage in
social engineering tactics, like phishing
emails, to deceive employees into revealing login credentials, or to trick them
into installing malware that provides a
backdoor into the network.
Phishing, malware, and social engineering schemes aimed at compromising
corporate systems and data are incredibly
effective. These only take one person at
an organization to fall for the trick and let
the hackers in. Through emails, fake websites, and other techniques, attackers seek
to gain a foothold in a network for further
infiltration. Without proper employee
training and safeguards, falling prey to
these traps can trigger cascading crises.
Once inside, hackers exploit these
vulnerabilities to move laterally across
the network, seeking out databases, file
servers, and other repositories of valuable data. They may employ privilege
escalation techniques to gain higher levels of access, allowing them to reach sensitive areas that are typically restricted.
Data can be siphoned off slowly to
avoid detection, or in a rapid burst if the
attackers feel their presence has been
noticed. This data might include personal client information, proprietary
designs, project bids, financial records,
or strategic plans.
And they won’t stop there! Even
after the initial exfiltration, attackers
often try to maintain access to the system for future exploitation. They may
install backdoors or rootkits, which
continued overleaf…
As consulting
engineers integrate
more technology into
their workflows to
drive efficiency and
innovation, they also,
perhaps unwittingly, are
constructing a digital
playground ripe for
cyber mischief.
www.esemag.com @ESEMAG December 2023 | 43
SPECIAL FOCUS: CONSULTANTS’ FORUM
out boosting cyber defenses is counterproductive. Organizations
need to be doing both, because a hack is more expensive by far.
THE ART OF DIGITAL DEFENSE
Cybersecurity as an afterthought needs to change. Firms
have to get serious about strategic resilience by baking cyber
defense into their DNA through both proactive measures and
incident response plans, or they will be hacked. Most hackers
are not picking an organization to prey on because they have
a personal vendetta against it, it is because they are an easier
target than the next company.
On the proactive side, cyber hygiene basics are a must.
These include strong passwords, access controls, and software
updates. But it can’t stop there. A layered defense model is necessary, incorporating firewalls, endpoint monitoring, intrusion detection, and data encryption. The goal is creating depth
across systems to better prevent, detect, and contain threats.
Don’t forget the human element either. Ongoing staff education is key, so employees at all levels understand their role
in the firm’s cyber resilience. IT partnerships provide valuable
outside expertise as well. With remote work expanding, securing endpoints off-site becomes more important than ever. The
right security platforms provide centralized visibility and protection across distributed teams.
Also, it is essential to prepare for the worst. Response plans
should designate roles, outline communications protocols,
address legal and compliance obligations, and define how
to contain attacks and restore operations if a breach occurs.
Detailed continuity planning minimizes downtime. Offline
backups, alternative work arrangements, and third-party
response contracts give firms the tools to rebound quickly.
Prioritizing cybersecurity now, pays dividends through
avoided crises down the road. Resilience is about being proactive, not reactive. Consulting firms must embrace this mindset
shift to remain competitive and uphold client trust, or they’ll
lose business to companies that do emphasize cybersecurity.
TURNING THE TABLES ON DIGITAL THREATS
The cyber dangers facing all companies today is clear. As
connectivity and data exchange accelerate, so do the risks of
breach, theft, and operational disruption. Lack of adequate
defenses and preparedness plans expose firms to potential
catastrophe. So, don’t be the company that gets hacked.
Consulting engineering leaders who recognize cyber resilience as an urgent strategic priority can gain a competitive
edge. Investing in layered security, staff training, and incident response protocols demonstrates commitment to clients
while future-proofing operations. By contrast, firms that lag
on cybersecurity undermine their own viability.
By infusing operations with a rich blend of vigilance, training, and cutting-edge cyber defenses, consultants can ensure
that their work, and their clients’ trust has the lid on tight, preventing a spill.
John Daly is with Parsons Corporation. Email:
[email protected]
allow them to return to the compromised network undetected.
They might manipulate logs to cover their tracks. Slicker than
Danny Ocean’s team stealing from the Bellagio.
Consequences of a data breach are far-reaching. There’s the
immediate financial impact of investigating the breach, legal
fees, potential fines, and the cost of strengthening cybersecurity
measures post-incident. The damage to the firm’s reputation
can be even more devastating, leading to a loss of client trust.
Ransomware represents another top digital threat. Using the
same tactics, cybercriminals can encrypt and lock down critical files and servers, bringing business operations to a standstill. Paying the ransom demand may be the only way to regain
access quickly, but even then, the impacts of work delays and
disrupted client services can linger.
WHO LEFT THE DOOR OPEN?
The downside to working in digital workflows is all the additional security measures you need to be thinking about. Cyber
defenses are all about shrinking an organization’s attack surface
to be as small as possible, because nothing is truly “hacker-proof”
unless they are an organization completely off the grid.
The main crux of the problem comes down to a lack of oversight on data flows and access controls, which renders valuable information vulnerable. Without stringent cyber hygiene
practices, a single endpoint infection can spread quickly.
Proactive cyber risk assessment, disaster planning, and
implementation of security controls are fundamental to resilience. Unfortunately, such measures are often treated as an
afterthought rather than an integral part of business strategy.
Insufficient attention to detection, monitoring, and incident
response capabilities leaves gaps.
It is not getting enough attention because it’s not top of mind
for employees. That goes right into our next point of minimal training on cyber best practices. Engineering consultants
are subject matter experts in their technical realms, but not
always properly trained on cyber basics like spotting phishing
attempts, using strong passwords, and securing devices. Lack
of regular staff education on the latest threats and defense tactics amplifies risk.
Many firms direct the bulk of their technology budgets to
core engineering systems, while under-investing in protections
like network monitoring, endpoint security, access controls, and
data encryption. Purchasing the latest design applications with