Why educating and empowering your end-user is key to achieving robust cybersecurity

Benjamin Corll, VP of Cybersecurity at Coats, discusses the organisation’s work with Zscaler which offered improved visibility and secured its Industry 5.0 transformation. He also explains why it’s important to empower your people, because they ‘are not our weakest link, but our best sensors’.

Coats, the world’s leading industrial thread manufacturer, has adopted the Zscaler Zero Trust Exchange cloud platform to secure its Industry 5.0 transformation.

With its deployment, UK-headquartered Coats will implement Zscaler for its Security Service Edge (SSE) framework, which will provide 17,000 employees secure access to IT and OT systems, including its manufacturing locations and R&D facilities across six continents.

Coats is implementing multiple fully integrated Zero Trust Exchange user protection and digital experience monitoring services. This includes Zscaler Internet Access, for supplying employees and contractors with streamlined, secure connectivity to the Internet and SaaS applications such as Microsoft 365. Coats is also adopting Zscaler Private Access for high-performance, virtual private network-free secure access to private applications residing in its data centres and hosted in public clouds, along with Zscaler Digital Experience, for proactively detecting access issues before they affect remote or in-office users, applications or workloads and for rapidly troubleshooting complaints.

We caught up with Benjamin Corll, VP of Cybersecurity at Coats, to find out more about the organisation’s work with Zscaler and the benefits gained.

Tell us about your role as VP of Cybersecurity at the world’s largest industrial thread manufacturer and what this entails?

I have the privilege of leading the organisation’s cybersecurity – I own all aspects from operations to governance to incident response and even defining the policies and standards. It’s been a challenging role, stepping into a company that has centuries of experience and is also highly diverse with over 100 sites operating in dozens of countries.

Speaking of challenges, what were you looking to overcome ahead of your work with Zscaler?

Visibility – knowing what’s on our network and what’s leaving our network. Once we had that improved visibility, the second element was protection – being able to put rules or policies in place. The other thing we wanted along with that protection was flexibility. Previously, we had rules in place and we had a solution that was all or nothing. For example, if an employee would go out to a cloud-based storage site, like Dropbox or Box, we could either allow access or deny access. But when we looked at Zscaler, we were able to say, ‘you’re allowed to download from the sites but you cannot upload to it’. So a user can still get there. We’re still serving our user community and users can still go and get sales materials or things from others without us worrying about loss of sensitive information from something being uploaded to a site. That flexibility was very important to us.

What’s your strategy for ensuring robust cybersecurity and how do you manage this successfully across six continents?

It comes down to multiple layers – build your defence in depth and have multiple layers. We’ve multiple protections – if one’s going to fail, hopefully the other one will catch it. I say defence in depth and multiple layers, but I also love simplicity. We want application access to be as simple as possible because we’re here to support the business. So, simple, with multiple layers, but as invisible as possible to my end-users because we want it to be seamless and beneficial to them too.

Also, it’s our view that users are not our weakest link, they really are our best sensors. If you educate your end-users, make them aware, engage them, then you will be shocked at what gets reported; how great information starts flowing in when you have properly educated people. People have this thing called intuition that computers just don’t have yet – despite all the advances and Artificial Intelligence, people’s intuition still trumps anything that a computer can do. So again, people are not the weakest link, they are our best sensors and we believe in empowering them.

Can you tell us more about the adoption of the Zscaler Zero Trust Exchange cloud platform to secure your Industry 5.0 transformation?

We’ve begun our journey to improve the security of our organisation by utilising Zscaler and starting within identity-based access: Who are you? How do we know you are who you say you are? What should you have access to? And then it comes down to whether we know your device – is the Zscaler agent on your device or are you coming from an unknown device? And, if you’re on an unknown device, do we change the access – so if you’re coming from your corporate-owned device with the Zscaler agent, you can access, you can download, you can do whatever you want – but if you’re coming from an unknown device, do we give you access to a web-based option where you can view but not download? Zscaler really gives you the ability to have this granular access and it starts with this identity-based access.

The second aspect is segmentation and segmentation means our end-users, including myself, should not be able to see the entire network. I don’t have legitimate access to the entire network so I shouldn’t see the entire network. Instead, we only give access to what one needs, when one needs it for as long as they need it. I’m not saying we’re there yet by any means, but that’s the journey we’re on – to really give very explicit access only to the user, only to where they need and only for how long they need it. And then when they’re done with that access, we can easily remove it.

What are your plans for implementing Zscaler for your SSE framework and how will this allow you to provide 17,000 employees secure access to IT and OT systems?

We started our Zero Trust, SSE journey with Zscaler Internet Access by pushing out the lightweight agent, ZCC (Zscaler Client Connector) to all of our workstations. By deploying the agent on every system, we protect our users no matter where they are – whether they’re in our factory, whether they’re in one of our corporate offices, or whether they’re working from home. When we pushed the agent out, we also implemented strong policies around authentication, which means if you don’t authenticate, you cannot get access to the Internet. That’s because we want to know who’s going to where, who’s logging onto the Internet, what website they’re going to, so we can enforce those policies as well. We don’t want a person going to ‘X’ type of site based on the policies we establish, not because we’re trying to stop people from being productive, we just need to know where they’re going and what they’re going there for.

ZCC was the first step, which we strictly enforce – you can’t get to the Internet if you don’t authenticate. Now, this may sound like it could create a problem if your helpdesk ticketing system is a SaaS solution. However, Zscaler also allows us to provide exceptions to our policies, such as allowing users to still send emails to the helpdesk, or log on to the ticketing system, to say ‘my Internet’s not working. Can you help me troubleshoot my Internet?’. Users can still chat, they can still email the helpdesk and they can still reach out. Meaning, it’s not black and white – there are still ways for us to add exceptions even with strict policy enforcement.

The next logical step for us, once we pushed out the ZCC with the Internet access, was access to our private applications. So how do I put that secure framework in place? Granular controls and replacing the traditional VPN client. Zscaler Private Access is now going to be able to give us that seamless access, which we’re pushing out based on region. We’ve already pushed it out to one of our regions and eliminated the traditional VPN client. Users who are authenticated by the ZCC agent on their system can now log on to internal applications without the need for the traditional VPN client. Whether that’s going to our ERP or whether that’s going to our company Intranet, all of it is seamless. We also have profiles and policies assigned to those profiles, for finance, HR and for our IT team too.

Next on our list will be deploying Zscaler Digital Experience to assist us with identifying issues more rapidly and resolving them quickly so our users can focus on their jobs.
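The access decisions Corll describes across these answers (download-but-not-upload to cloud storage, full access from a managed device with the agent versus browser view-only from an unknown device, no Internet without authentication, and a helpdesk exception) can be captured as a small policy evaluator. The following is an added illustrative model, not Zscaler’s policy language or Coats’ configuration; the app names, the managed_device flag and the HELPDESK_EXCEPTIONS set are assumptions chosen to mirror the interview.

```python
"""Constructed model of the zero-trust decisions described in the interview.

Each request is judged on identity, device posture and the action requested;
the most specific rule wins and anything not explicitly granted is denied.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    user: Optional[str]      # None means the user has not authenticated
    managed_device: bool     # corporate-owned device with the agent present
    app: str                 # hypothetical app label, e.g. "dropbox" or "erp"
    action: str              # "view", "download" or "upload"


# Hypothetical app groupings; real deployments would map URL categories and apps.
CLOUD_STORAGE = {"dropbox", "box"}        # SaaS storage: read yes, write no
PRIVATE_APPS = {"erp", "intranet"}        # internal apps reached without a VPN
HELPDESK_EXCEPTIONS = {"helpdesk"}        # reachable so users can report outages


def decide(req: Request) -> str:
    """Return 'allow', 'deny' or 'view-only' for one request."""
    # Exception: users must still be able to tell the helpdesk "my Internet's not working".
    if req.app in HELPDESK_EXCEPTIONS:
        return "allow"
    # Strict enforcement: no authentication, no Internet access at all.
    if req.user is None:
        return "deny"
    # Cloud storage: downloading sales material is fine, uploading (data loss) is not.
    if req.app in CLOUD_STORAGE:
        return "deny" if req.action == "upload" else "allow"
    # Private apps: full access from a managed device; web view-only from an unknown one.
    if req.app in PRIVATE_APPS:
        if req.managed_device:
            return "allow"
        return "view-only" if req.action == "view" else "deny"
    # Default deny: access is granted only where explicitly needed.
    return "deny"


def audit_line(req: Request) -> str:
    """One log record per decision, so 'who went where, and why' stays visible."""
    who = req.user or "unauthenticated"
    device = "managed" if req.managed_device else "unknown-device"
    return f"user={who} device={device} app={req.app} action={req.action} decision={decide(req)}"
```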

What advice would you give to those starting out on their journey to achieving more robust and resilient cybersecurity?

First and foremost, go slow. Don’t try to do everything at once. Don’t try to force it upon the business. Talk to the business, to your stakeholders, to your executives and find out what the tolerance is for change. Then over-communicate – ‘this is what we’re doing, this is why we’re doing it, these are the business benefits we’re going to get’.

When you over-communicate and explain the ‘why’, then people can get on board. This is what’s worked for us thus far and will hopefully continue to work into the future.
