Barrett Steel CISO Sam Ainscow is in no doubt that the company’s digital transformation was key to it surviving the first Covid-19 lockdown. At a time when many of its competitors were struggling to stay afloat, the UK’s largest independent steel supplier was able to pivot to remote working for much of its administrative team in less than a week and, crucially, keep its depots running.
“We had competitors who went out of business during the first lockdown or had to close for a period of weeks,” he recalls. “Because of our digital transformation, we were ready for homeworking, and afterwards it was good to be able to sit down with the board and for them to see that it absolutely saved us.
“It’s important to be able to demonstrate that value to the business, and I think that’s why we’ve been successful with the investments we’ve made so far around technology. It’s all well and good having the most secure systems, but you need to be able to show a business benefit too.”
Barrett Steel’s zero-trust policy
The transformation is still ongoing. Barrett, a family-owned business that was founded in 1866, is moving many of its operations to the cloud and setting up a new ERP system to manage day-to-day activities.
The central plank of the security strategy underpinning this has been creating a ‘zero trust’ environment, Ainscow explains. A zero-trust environment treats every action, whether it comes from inside or outside of the organisation, as a potential threat.
“I don’t want this to sound too much like an X Factor audition, but we’ve been on a journey with zero trust,” says Ainscow. “It’s become increasingly apparent over the last few years that the principle of trust is dead. Why should my laptop be trusted just because I’m the CISO? If anything, because of the job I do and the permissions I have, I am more of a target because if you compromise this machine it’s a portal into the network.”
Barrett has developed its zero-trust security environment, the first part of which went live in November, with security partner Palo Alto Networks. It involved overhauling its firewalls and erecting a series of new checks within its network to monitor information flowing between servers.
It was crucial to the company that this did not add latency to the company’s network. “We were prepared to accept a bit of friction but we didn’t want any latency, and we’ve managed to build a system that does that,” Ainscow says. “We replaced our existing firewalls and installed new ones at the core of our network, so rather than just being routed between internal subnets, as you were previously, you now have to go through a firewall.”
“We’ve started to build rules on those, so that in the next three to four months we’ll get to a position where there will be a deny-all policy in place for crossing that firewall. So that was the first step on the journey, and the next stage is to bring the concept of identity in.”
The rise of phishing and typosquatting
The importance of these additional defences has been highlighted during the pandemic, with Barrett, like many businesses, experiencing an exponential rise in the number of attempted cyberattacks.
The company has been particularly targeted by typosquatting, which involves registering domain names similar to legitimate websites, with one or two letters changed, to persuade people to click on them and enable malware to spread.
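One way a defender can screen sender domains for the lookalikes described above, as an added example that is not part of the original article or of Barrett Steel's tooling: it normalises common digit-for-letter swaps and then applies an edit distance (insert, delete, substitute, adjacent swap) against the company's own domain, flagging anything within the "one or two letters changed" range. The legitimate domain, threshold and sender list are constructed placeholders.

```python
# Added example: flag typosquatting (lookalike) sender domains by edit distance.
# LEGIT_DOMAIN and SAMPLE_SENDERS are constructed sample data, not real values.
from typing import Dict, List

LEGIT_DOMAIN = "example-steel.co.uk"  # constructed placeholder for the company's domain
MAX_EDITS = 2                         # "one or two letters changed", per the text

# Digits commonly substituted for similar-looking letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(domain: str) -> str:
    """Lower-case the domain and fold digit look-alikes back to letters."""
    return domain.lower().rstrip(".").translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Transposition of two adjacent characters counts as a single edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[rows - 1][cols - 1]


def classify(candidate: str, legit: str = LEGIT_DOMAIN) -> str:
    """Return 'legitimate', 'lookalike:<reason>' or 'unrelated' for one sender domain."""
    cand = candidate.lower().rstrip(".")
    if cand == legit or cand.endswith("." + legit):
        return "legitimate"          # our own domain or one of its subdomains
    if normalise(cand) == normalise(legit):
        return "lookalike:homoglyph"  # differs only by digit-for-letter swaps
    dist = edit_distance(normalise(cand), normalise(legit))
    return f"lookalike:edit{dist}" if dist <= MAX_EDITS else "unrelated"


def flag_senders(sender_domains: List[str]) -> Dict[str, str]:
    """Map each lookalike sender domain to its verdict; legitimate and unrelated ones are dropped."""
    return {d: v for d in sender_domains if (v := classify(d)).startswith("lookalike")}


# Constructed sender domains, as might be extracted from a day's inbound mail log.
SAMPLE_SENDERS = ["mail.example-steel.co.uk", "exmaple-steel.co.uk",
                  "examp1e-steel.co.uk", "examplesteel.co.uk", "supplier-portal.net"]

if __name__ == "__main__":
    for domain, verdict in flag_senders(SAMPLE_SENDERS).items():
        print(f"{domain:28} {verdict}")
```

Flagged domains are candidates for mail quarantine, proxy blocking or a takedown request; the threshold trades missed variants against false positives on genuinely similar third-party names.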
“We see people looking for vulnerabilities in our networks all the time,” Ainscow explains. “The thing that changed was a massive uptick in phishing and mobilising typosquatting domains. We used to deal with two or three typosquatting incidents a year, and during Covid-19 we’ve been getting anything up to ten in a two-week period.”
Barrett had already moved many of its services to AWS before the pandemic hit, which enabled it to retain control of its security perimeter even when staff switched to remote working.
“From an attack surface perspective, nothing really changed,” Ainscow explains. “We don’t allow split tunnelling [wherein users can access public and private networks from the same machine], everything gets funnelled back into AWS. So while a lot of companies were scrabbling around buying laptops and things, we were able to tell staff to take their desktops home and everything worked.”
The biggest challenge, says Ainscow, was adapting the system to match people’s different working habits during the pandemic.
“People are going about their day-to-day work in a different way now,” he says. “They might get up in the middle of the night to do a bit of work because they can’t sleep, or stay online till 8pm to finish something off. So the machine-learning defence systems we have set up suddenly started alerting us to all sorts of unusual activity or things they thought were going wrong, when in actual fact they weren’t.”
Making security a business issue
Ainscow now hopes to automate the company’s entire security process, so that users are automatically assigned access privileges to applications and information relevant to their job role, which can be monitored and reviewed in case of any problems.
Decisions about access rights and privileges should be taken at a business level, he believes. “I want to take security away from being an IT thing because, in general, most security issues should be approved by the business.”
“There will always be some things where IT makes the decisions, but business users and business process owners are the ones who need to decide who has access to which applications.”
“This new ERP system is a great way to formalise this relationship and, more importantly, automate it,” he says. “I don’t want someone to have to be manually assigning security when they could be doing something that delivers more value to the business.”