July 2023 - Distributor takes cybersecurity threats seriously with multi-layered approach to combat breaches
Shawn Kaelber is the IT manager at Parker Steel Co., which specializes in metric-size products made from carbon, stainless and tool steels; aluminum; copper; and brass. The applications for these products are virtually without limit.
Kaelber has a background in network management and security and has worked in a similar position with previous employers. He finds the metals distributor a good fit, and the company has benefited from his expertise: during the six years since he began working there, the company has been successful in combating threats.
“One of the big risks to a company is data breaches, and a big part of that risk is internal. Your own people are the first and last defense,” says Kaelber. Employees are taught to recognize the red flags of malicious emails and/or links that might contain serious threats, such as ransomware, which can encrypt all your data and make it unavailable.
Criminals, he says, see small businesses as a target, because many “don’t have the budget or expertise to spend on cybersecurity.” Redundancy is built into the Parker Steel system. That starts with “a zero-trust environment,” which reinforces the practices defined in standard acceptable use policies. “My job is to ensure that our people, data and systems are protected from the wide variety of threats we face,” Kaelber explains.
The company implemented the zero-trust solution in 2021, preventing unauthorized or illegally licensed applications from running on company devices. “It won’t allow programs that we don’t use to install or run on our systems, so it keeps our systems locked down pretty tight,” he says. Kaelber and his IT staff learn a lot about new threats through networking: peer-to-peer conversations, webinars and security conferences through which the team gleans advice on how to upgrade the company’s security. “As criminals evolve, the technology does, too. We have to work smarter.”
A data breach has the potential to cost millions of dollars, according to the IT manager at Parker Steel.
The service center is working to implement multi-factor authentication for all its information sharing.
About once each quarter, he meets with other IT professionals to discuss what’s going on internally and what they hear in the broader community. “I have a former colleague that recently experienced an aggressive ransomware attack. Because they weren’t prepared, they had to pay a large sum of money to regain access to their files.” This is a key reason to build relationships with fellow IT professionals who have “different experiences you can learn and utilize.”
NO COMPROMISES
Parker Steel has “a very layered approach” to cybersecurity. “We must have protections inside out and outside in.” The internet connection has a firewall to protect inbound and outbound traffic. “From there, you have your servers, PCs, antivirus and anti-malware software, which scans for updates every hour,” Kaelber says.
“We can quarantine inbound material—maybe files or emails that appear suspicious. Our email spam filter filters tens of thousands of emails per day. On top of that, our security software has anti-malware and antivirus components that can block private information such as credit card numbers from being shared. It will hash numbers out with asterisks, preventing the sharing of confidential information.”
Many of the large-scale breaches that happen with retailers can occur when only one user’s credentials are compromised, according to Kaelber.
Parker Steel is working to implement multifactor authentication (MFA), which requires a third step beyond entering a username and password, such as receiving a code by text message, when accessing accounts and other sensitive information.
“We are implementing that right now. It is especially necessary for those who have administrative access to our systems,” says Kaelber. “We had an identity compromise happen to one of our staff in which many emails were sent out under his name. The system recognized abnormal behavior and shut his email down so that only a small number of 3,800 potential emails went out.” When such events occur, “we notify the proper authorities, and any customers and vendors that might be affected.”
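The kind of abnormal-behavior check that limits the damage from a compromised mailbox, as an added example rather than the product Parker Steel runs: a sliding-window count of outbound messages per sender, with the account blocked once it exceeds a limit so that later messages are suppressed instead of delivered. The log format, sender addresses, limit and window are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> sender=<addr> rcpt=<addr>"
LOG_RE = re.compile(r"^(\S+) sender=(\S+) rcpt=(\S+)$")


def detect_bursts(lines, limit=20, window=timedelta(minutes=10)):
    """Per-sender sliding-window rate check.
    Once a sender exceeds `limit` messages inside `window`, the account is marked blocked
    and every later message from it is counted as suppressed rather than delivered.
    Returns {sender: {"delivered": n, "blocked_at": datetime_or_None, "suppressed": m}}."""
    recent = defaultdict(deque)
    state = defaultdict(lambda: {"delivered": 0, "blocked_at": None, "suppressed": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # ignore malformed lines
        ts, sender = datetime.fromisoformat(m.group(1)), m.group(2)
        st = state[sender]
        if st["blocked_at"] is not None:
            st["suppressed"] += 1        # account already shut down
            continue
        q = recent[sender]
        q.append(ts)
        while q and ts - q[0] > window:  # drop sends older than the window
            q.popleft()
        if len(q) > limit:
            st["blocked_at"] = ts
            st["suppressed"] += 1
        else:
            st["delivered"] += 1
    return dict(state)


def build_sample_log():
    """Constructed sample: one normal sender and one account that bursts 500 messages."""
    base = datetime(2023, 7, 10, 9, 0, 0)
    lines = [f"{(base + timedelta(minutes=15 * i)).isoformat()} sender=alice@example.com rcpt=cust{i}@example.net"
             for i in range(8)]
    lines += [f"{(base + timedelta(milliseconds=240 * i)).isoformat()} sender=bob@example.com rcpt=target{i}@example.org"
              for i in range(500)]
    return lines


if __name__ == "__main__":
    for sender, st in detect_bursts(build_sample_log()).items():
        print(sender, st)
```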
Parker Steel Co. uses an integrated digital platform for security awareness training, combined with simulated phishing attacks.
SNIFFING OUT SCAMS
Parker Steel also uses KnowBe4, an integrated platform for security awareness training combined with simulated phishing attacks. “KnowBe4 is top of the market with functionality, including the training,” Kaelber says. All of Parker Steel’s employees are required to complete these training sessions. “During training, they learn what is spam, what is phishing, which methods criminals use to try to get people to click on things.”
Afterward, he says, the IT department will send out test emails to see how well employees understood the risks. “Our team has gotten really good at this. They can sniff out when something is off and send it to me for a second opinion.”
Most times, says Kaelber, the breach attempt is a phishing email, searching for payment information or passwords. “This is where the awareness training really pays off. If we have an employee that fails frequently, they will take part in additional training. I will highlight red flags as a refresher.” He notes that he often sees a substantial uptick in phishing around big events, like political elections or sports playoffs, as opportunities to get into employees’ systems.
MORE TESTS
The last layer that Parker Steel uses to prevent data security breaches consists of an outside contractor that conducts vulnerability and penetration testing, “to make sure our systems are up to date and secure. This includes the services of an ethical hacker to attempt to gain access to our systems and identify areas that may need to be strengthened.” Many vendors will send regular notifications about security updates. “If we have equipment that might be behind in the software versions they are running, we want to bring those up to date.” “A lot of small businesses struggle to pay for this,” Kaelber says, but Parker Steel performed “a cost-benefit ratio analysis to really see the impact this could have. A breach has the potential to cost millions, depending on severity of the situation.”
INTERNATIONAL STANDARDS
Parker Steel holds C-TPAT certification with the U.S. Customs and Border Protection because “we import so many of our products.” Along with obtaining this certification, Customs requires importers to adhere to a set of cybersecurity guidelines, NIST 800-171, “which dictates the layers of data protection. This covers many requirements to follow as well as some suggested practices,” he says. “When I started, there were only four line items of requirements for the cybersecurity portion and now it’s several pages, and we are audited once per year by U.S. Customs.” These layers of protection have worked well for Parker Steel. “User awareness and multifactor authentication shut down many threats from the get-go,” Kaelber says. “With MFA, it is said that you can prevent 99.9 percent of identity compromises.” To some degree, artificial intelligence is already being used throughout Parker Steel as part of the learning capabilities of the security systems. Whatever the threat, the company is constantly seeking to learn and grow so employees are ready.
Parker Steel Co., 800/333-4140, http://metricmetal.com/