How Energy Firm Rebuilt Its Information Security Program

Rising cyberattacks have forced utilities organizations to change their security postures in recent years. In addition to shoring up their own cybersecurity detection and prevention capabilities, organizations have sought greater protection from their vendors and other third parties they work with.

That was the situation that Energy Solutions, an environmental consulting firm based in Oakland, Calif., found itself in. Energy Solutions helps utility and government customers transition to cleaner technology. About 80% of the company’s revenue comes from its work with utilities companies.

“The work we do for utilities often requires us to exchange personally identifiable information and location information, so [these clients] began to care more deeply about things like access control and encryption,” explained Energy Solutions CIO David Weisong. “They kept asking us for more evidence that we were doing things securely, including third-party validation. Every year, the requirements increased significantly.”

The questions started piling up: What is your mobile device management strategy? What software do you use? How do you train your staff? What do you use for encryption? Weisong and his team decided to take stock of their systems, which they quickly determined hadn’t kept up with the growing list of security requirements.

Related:How Kroger Consolidated Its IAM Tools

To deliver the protection that utilities clients asked for, Weisong knew he had to build out an effective information security program.

A Stronger Information Security Program

Energy Solutions got started by pursuing SOC-2 Type 2 certification.

SOC 2 provides services organizations with a framework for managing customer data. To get SOC-2 Type 2 certified, a company must implement controls for guarding against unauthorized physical and logical access, along with controls around availability, processing integrity, confidentiality, and privacy.

Energy Solution’s next step was to replace its existing encryption technology to manage the deployment and restoration keys for Microsoft’s BitLocker and Apple’s FileVault. The existing Mac version of the encryption system had been poorly implemented and eventually didn’t work at all.

The staff initially thought it could get by with BitLocker and FileVault, which protected data on the machines itself when data was at rest. However, there were few management options and many settings were manual. The team wanted more automated processes, along with the ability to generate SOC 2-level evidence reports.

Energy Solutions solved the issue by implementing BeachheadSecure, a managed PC and Mac device security platform that enforces zero trust. 

“[BeachheadSecure] really upped the game and gave us the ability to do more than we were doing -- things that were in line with what our clients were requesting,” Weisong said. “It gave us full support across both our desktop operating systems and mobile devices.”

Through the BeachheadSecure console, the IT staff can set up automated scripts to flag a specified number of failed login attempts. It also allows the staff to remotely wipe data when a threat is detected.

Next up for its revamped information security program, Energy Solutions expanded its endpoint security through Webroot Endpoint Protection. The Webroot system uses its patented “evasion shield” to protect against file-based and fileless script attacks; whitelist legitimate scripts; detect scripts running in the environment; and block malicious JavaScript, VBScript, PowerShell, macros threats, and more.

In addition, Energy Solutions deployed Webroot’s DNS protection, which automates filtering and uses threat intelligence to block requests to malicious domains. Energy Solutions also added Webroot’s onlinesecurity awareness trainingfor its employees.

To finish off the upgrade, the company adopted Datto’s remote monitoring and management (RMM) software. The cloud-based platform is designed to remotely secure, monitor, manage, and support endpoints. For Energy Systems, it was critical to have the ability to conduct remote sessions, set thresholds, and perform other RMM functions, Weisong said.

Security Upgrade Leads to Business Growth

After Energy Solutions overhauled its information security program, utilities companies took note.

“Utilities don’t want to work with a lot of small companies,” Weisong said. “They would much rather have a handful they can trust, and this puts us into that category.

Energy Solutions’ improved security program has unlocked customer opportunities it otherwise wouldn’t not have had, Weisong added. “It’s becoming a competitive advantage for us,” he said.