Puts together a new global strategy.
BlueScope Steel is putting together a new global cyber security strategy that will – among other things – set the company on a path to implementing a zero trust model.
Zero trust is a model where “users, devices and applications are subject to checks every time they request access to a corporate resource,” according to one definition.
Chief Information Security Officer Audrey Hanson told a recent Secureworks webinar that the move to zero trust is necessitated by the large-scale shift to working from home.
Although not all of BlueScope’s staff could work from home – its manufacturing facilities, for example, required people to be onsite – those that can work from home do, and not all of them use BlueScope-owned devices or the corporate VPN.
“One of the big things that we’ve had to deal with is moving to environments that we really have no control over,” Hanson said.
“In the office, we basically have control over everything: their device, the network, what they access, how they access it.
“But now…, the majority of our staff are working from home on networks that we have no control over, on devices we have no control over.”
BlueScope does have some policies in place, including that the corporate VPN can only be accessed through BlueScope-owned devices.
“If people are connecting to our network through the VPN, that’s only allowed on BlueScope devices,” Hanson said.
“At this time, we don’t allow them to do that on non-corporate devices.
“We will look at moving more towards that, but in a step-by-step approach. We want to make sure we have the right controls in place so it checks their antivirus and things like that before we allow it.”
BYOD users can still access the company’s Office 365 environment remotely.
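The access rules described above (VPN only from company-owned devices, with posture checks such as antivirus status intended before access is granted, while Office 365 stays reachable from BYOD devices) can be expressed as a per-request policy decision, which is the core of the zero trust model the article refers to. The following is an added example, not BlueScope's, Secureworks' or itnews' code; the resource names, request attributes, the 24-hour antivirus freshness threshold and the sample requests are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """Attributes presented with every request (attribute names are assumptions)."""
    user: str
    mfa_passed: bool
    corporate_managed: bool          # company-owned, enrolled device
    av_age_hours: Optional[float]    # hours since last antivirus update; None = unknown
    resource: str                    # e.g. "vpn", "office365"


# Assumed policy: these resources require a corporate device with current antivirus.
CORPORATE_DEVICE_ONLY = frozenset({"vpn"})
# Assumed policy: these resources may also be reached from BYOD devices.
BYOD_ALLOWED = frozenset({"office365"})
# Assumed freshness threshold for antivirus posture.
AV_MAX_AGE_HOURS = 24.0


def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Decide one request. Every request is evaluated afresh: nothing is
    allowed because an earlier request from the same user or device succeeded.
    Returns (allowed, list of denial reasons)."""
    reasons: List[str] = []
    if not req.mfa_passed:
        reasons.append("mfa_required")
    if req.resource in CORPORATE_DEVICE_ONLY:
        if not req.corporate_managed:
            reasons.append("corporate_device_required")
        # Fail closed: missing posture data is treated the same as stale posture.
        if req.av_age_hours is None or req.av_age_hours > AV_MAX_AGE_HOURS:
            reasons.append("antivirus_not_current")
    elif req.resource not in BYOD_ALLOWED:
        reasons.append("resource_not_in_policy")
    return (not reasons, reasons)


# Constructed sample requests for the example, not real traffic.
SAMPLES = {
    "managed_laptop_vpn": AccessRequest("alice", True, True, 2.0, "vpn"),
    "home_pc_vpn": AccessRequest("bob", True, False, None, "vpn"),
    "home_pc_office365": AccessRequest("bob", True, False, None, "office365"),
    "stale_av_no_mfa_vpn": AccessRequest("carol", False, True, 72.0, "vpn"),
}


def run_samples():
    """Evaluate every constructed sample and return name -> (allowed, reasons)."""
    return {name: evaluate(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in run_samples().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

The denial reasons are returned rather than just a boolean so that each decision can be logged and reviewed; a policy of this kind is only useful if denials (and in particular the "posture unknown" case) are visible to the security team.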
With working from home arrangements to continue for the foreseeable future, Hanson said BlueScope would revise its strategic approach to security.
“Where I’m looking at moving – and this is more of a strategic thing – is more towards the zero trust model, where you don’t have a trusted user anymore, where you don’t trust anything and have to put appropriate technologies and controls in place,” she said.
“How we do that and when we do that… we are looking at addressing in our (cyber security) strategy. We’re refreshing the strategy right now. We’re putting together a global strategy.
“The focus is going to be more on that zero trust model: how do we establish that, how do we implement it?”
The strategy will also cover increased global governance, in line with Hanson’s global remit.
She said that parts of BlueScope still “run their own IT shops”, and that she was keen to wrap greater governance around these distributed operations.
Hanson also flagged potential investment in a cloud access security broker (CASB), which is used by enterprises to extend security policy to cloud-based applications.
The company had multi-factor authentication on the cloud apps it used and dealt with the risks of software-as-a-service under an internal program around identifying and mitigating third-party security risk.
Hanson said that BlueScope had run – and continued to run – multi-layered education and awareness programs internally to keep employees and their families safe from cyber threats while at home.
For industrial sites that the security team could not physically attend, the company had enlisted its health and safety team to bring cyber safety messages to those workers, many of whom did not have a dedicated computer or access to other digital channels where such messages would usually be relayed.
Hanson also said that BlueScope had increased its use of phishing simulations during COVID, in recognition of the rise in the number of bad actors and scammers trying to exploit the pandemic.
“Typically, I would only do that probably two or three times a year but we increased that … and pushed that out to all of our global entities,” she said.
BlueScope was hit by a ransomware infection in mid-May. The company has said little about it, though last week briefly said the incident had no material impact on sales or operations, and that a program of improvements is underway.
Courtesy of itnews (www.itnews.com.au). Written by Ry Crozier, 26 August 2020, 6.56am.