KONE cyber response team protects all things connected

Behind the scenes: KONE cyber response team protects all things connected

Like firefighters, KONE’s cybersecurity incident response team knows that prevention and detection go hand in hand. When an emergency hits, a speedy response is critical. Today, automation works as a first line of defense, but bigger ‘cyber-fires’ must be put out by experienced professionals. As our world becomes more connected, robust cyber defenses are essential for safeguarding products, services, and people who rely on them.

Published 21-10-2024

An indoor blaze can double in size within seconds and become difficult to control within minutes. That’s why the most important thing about firefighting is to prevent fires from breaking out. The same proactive principle applies to prompt cybersecurity incident response.

The rapid digitalization and increased connectivity of systems are creating new cybersecurity demands for businesses. At KONE, connectivity is crucial for enhancing customer value and delivering smarter services, and it requires a heightened emphasis on cybersecurity.

In addition to highly skilled cybersecurity professionals, KONE has a multi-level safety architecture with a series of preventive and detective controls to protect critical systems. These include automated defenses and dedicated teams, all working 24/7 to detect and analyze possible threats.

“On a day-to-day basis, we deal with business-as-usual incidents which may be of concern, but they’re not like a fire. They’re things that need to be dealt with so that we don’t have a fire,” says KONE’s Head of Cybersecurity Operations Thomas, who, like some of his cyber colleagues, uses only his first name for security reasons.

Thomas heads KONE’s small but effective cybersecurity incident response team that includes fewer than 10 people but works with two large service providers. One of the providers, based in Europe, takes the first look at events that come out of automated systems and other sources. When they find something, such as malware, they do an initial assessment to limit the potential impact. This can involve isolating an affected computer or a compromised account from the network.

“Our incident response team in India collaborates with a local service provider and another provider based in Europe. Together, they process a huge number of cybersecurity incidents. Complex cases are referred to KONE’s engineering team in Finland,” Thomas explains.

While automation detects most threats, human expertise is essential for identifying and addressing complex and emerging cybersecurity issues.

The vital role of human expertise

Tackling cyberattacks successfully requires a combination of preparation, capabilities, and action.

Information about possible threats may come from the automated systems, KONE employees or from outside counterparties and authorities. The system first checks and sorts the threats. As attackers now rely heavily on automation, KONE’s automated defenses are also designed to rapidly minimize or mitigate the threat as much as possible.

“We use automation to support the incident response process and make more informed decisions. Automation helps us mitigate high-severity issues faster. However, not everything can be resolved through automation. We need people who understand the business to analyze cases and take the necessary action,” Thomas says.

This structured approach allows the team to respond and manage incidents efficiently.

“We talk with the team that owns the system, service or capability and find out whether we need to take further action. Those are cases that I’d consider to be normal business-as-usual, non-emergency cases, where the risk is relatively low, and the fix is relatively simple. Emergencies are cases that might stop people from working or stop us from delivering services or products to our customers.”

From alert to action

When an out-of-normal situation is recognized, Niklas, KONE’s lead cybersecurity operations engineer, launches into action.

“We’ve seen attacks with different levels of capabilities and objectives, such as ransomware or Business Email Compromise, and successfully stopped them.”

He stresses that the top priority is to gather accurate information and plan a strategy before tackling a malicious incident.

“From the firefighting perspective, you come to the scene, evaluate the situation and the potential damage and decide how you’ll approach resolving it,” he says.

Initial steps include looking for identifying evidence related to the cybercriminal, as well as the user account that may have been compromised. Logs are analyzed to determine the attacker’s activities – all before any action is taken against the attacker to contain the intrusion.

Seconds or minutes can be crucial.

“But usually, rushing things leads to bad results,” Niklas points out.

Employees are one of the strongest defenses against cyber threats.

Building collective security awareness and fireproofing skillset

Just like fire department visits to schools and workplaces, KONE’s cybersecurity team educates others on how to prevent virtual fires. That's because employees are one of the strongest defenses against cyber threats.

“As part of security awareness training within KONE, we provide our employees with information about recent incidents and how they might have impacted KONE, or the users being targeted. We also share easy ways to identify and report if something similar happens to them. We are here to help,” Niklas says.

The response team stays ahead of the threats by constantly updating their capabilities, technologies and technical skills, for example by doing attack simulation exercises.

“Things can be quite routine…until they’re not. And the ‘not’ is exciting. We as professionals live for it. It’s challenging, but in a good way,” Thomas says.

Keeping products and people safe

For Niklas, a typical day revolves around building and improving detection and preventative capabilities.

“What drives me most is detection capability and threat hunting, where we do proactive hunts and searches for potential threats and try to discover and mitigate them,” he says. “And when you notice that the automation missed something, you look to see how it could be improved.”

KONE customers are after digital solutions that enable real-time information, immediate responses, and full transparency. Digitalization has opened the attack surface of all interfaces that are connected and remotely operable, so defending against that in the product space is the team’s primary focus. It’s a continuous process.

“It’s like painting a bridge: you start at one end and by the time you finish, you need to paint the beginning again,” Thomas says with a grin. “After all, safety is one of KONE’s core principles that we never compromise on, and in the digital dimension that means protecting all things connected.”

Quick cybersecurity glossary

Malware

Malicious computer software designed to damage, disrupt, or gain unauthorized access to computer systems.

Business Email Compromise (BEC)

A cybercrime where attackers use email to trick employees into transferring money or sensitive information, often impersonating a trusted person or entity.

Ransomware

A form of malware that locks users out of their files or devices and demands a payment to restore access.
