How Manufacturers Can Manage Growing Cybersecurity Risks
With a heavy reliance on technology and the advent of Industry 4.0, today’s manufacturing companies are particularly vulnerable to cyberattacks. From design and supply chain to component manufacturing, assembly and shipping, manufacturers are increasingly reliant on enterprise resource planning (ERP) systems and other company-wide technology to manage the product lifecycle. Any disruption to those systems, or compromise of their data, could disrupt company operations – with significant costs.
Imagine, for instance, how much damage a competitor could do if it got its hands on your intellectual property – if it got the schematics for your product, then turned around and manufactured it at a lower cost. That could drive you out of business. Imagine how many hours, or days, production might be halted by the disruption of just a single system. In a Cisco survey this year, participants reported that 53 percent of cyberattacks led to more than $500,000 in damages, from lost revenue, lost customers, out-of-pocket costs and more.
More than 30 percent of data breaches at manufacturing companies last year involved the theft of intellectual property, according to Verizon’s 2018 Data Breach Investigations Report. The report found that corporate espionage specifically was the motivation for 47 percent of cyberattacks on manufacturing companies, with financial gain the motive for the remaining 53 percent.
Phishing Risks
While there are many ways a system might be compromised in the age of smart factories, one simple way is through phishing: legitimate-looking emails sent to your employees that encourage them to click a link or a shared Google Doc or Sheet, or to open an attachment, any of which can then trigger a cyberattack.
Think your employees know better than to click on suspicious-looking emails? They may, but these increasingly sophisticated phishing attacks may appear to contain an invoice from a real supplier or a message from the company CEO, or require an employee to update an important online account.
Once the link is clicked or attachment opened, the attack can take many forms:
- Malware is installed on the employee’s computer, or on your network, that allows an intruder to access data or log keystrokes, thereby stealing sensitive data, such as passwords, intellectual property, customer information or bank accounts.
- Malware is installed that locks up your data — or your entire system — and holds it for financial ransom (ransomware).
- Malware takes over the computer and makes it part of a botnet, a network of computers that have been compromised and taken over by cybercriminals.
- A link sends the employee to a fake website that, while appearing legitimate, captures the employee’s credentials when he or she attempts to log in, thus giving the attacker access to the account.
Phishing and other forms of social engineering are just some of the many ways companies are vulnerable to cyberattacks, but it is possible to minimize the risks and mitigate damage. Doing so requires a clear understanding of the specific risks your company faces (i.e., a risk assessment), a plan to reduce those risks and an investment in implementing that plan. Larger companies may have the resources to do this in-house, while others may need to hire an external firm.
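The indicators listed above (a message that claims to come from the CEO or a real supplier, a link whose visible text points somewhere other than its real target, and an attachment that is actually executable) are exactly what an email-filtering layer checks for before a message reaches an employee. The following is an added example, not code from the original article or from Kaufman Rossin; the allowlist of supplier domains, the executive name and the two sample messages are constructed for illustration.

```python
"""Heuristic phishing triage for inbound mail (constructed example)."""
import re
from email.utils import parseaddr

# Assumed allowlist of the company's own and its suppliers' domains, and the
# display names that attackers most often impersonate (here a made-up CEO).
TRUSTED_DOMAINS = {"acme-supplier.com", "example-manufacturing.com"}
EXECUTIVE_NAMES = {"jane doe"}
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".iso")

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+)", re.I)


def host_of(text):
    """Extract a host name from a URL or URL-like string; '' if there is none."""
    m = HOST_RE.match(text.strip())
    host = m.group(1).lower() if m else ""
    return host if "." in host else ""


def registrable(domain):
    """Reduce 'portal.acme-supplier.com' to 'acme-supplier.com'."""
    parts = domain.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates (digit homoglyphs, one typo), else None."""
    dom = registrable(domain)
    if not dom or dom in trusted:
        return None
    normalized = dom.replace("0", "o").replace("1", "l")
    for t in trusted:
        if edit_distance(normalized, t) <= 1:
            return t
    return None


def triage(msg):
    """Return the list of phishing indicators found in one inbound message."""
    findings = []
    display_name, addr = parseaddr(msg.get("from", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # Executive display name on mail from outside the company's own domains.
    if display_name.strip().lower() in EXECUTIVE_NAMES and registrable(sender_domain) not in TRUSTED_DOMAINS:
        findings.append(f"executive name '{display_name}' used from external domain {sender_domain}")

    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} imitates {imitated}")

    # Links whose visible text names one host while the href goes to another.
    for href, text in LINK_RE.findall(msg.get("body_html", "")):
        real_host = host_of(href)
        shown_host = host_of(re.sub(r"<[^>]+>", "", text))
        if shown_host and registrable(shown_host) != registrable(real_host):
            findings.append(f"link text shows {shown_host} but points to {real_host}")
        imitated = lookalike_of(real_host)
        if imitated:
            findings.append(f"link host {real_host} imitates {imitated}")

    # Executable content disguised as a document (double extensions included).
    for name in msg.get("attachments", []):
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"executable attachment {name}")
    return findings


def is_suspicious(msg):
    return bool(triage(msg))


# Constructed sample messages: one phishing attempt, one genuine supplier mail.
PHISH = {
    "from": "Jane Doe <ceo-urgent@mail-example.net>",
    "subject": "Overdue invoice - approve today",
    "body_html": '<p>Approve at <a href="http://acme-supp1ier.com/login">https://portal.acme-supplier.com/invoice</a></p>',
    "attachments": ["invoice_4471.pdf.exe"],
}
LEGIT = {
    "from": "Accounts <ar@acme-supplier.com>",
    "subject": "Invoice 4471",
    "body_html": '<p>Portal: <a href="https://portal.acme-supplier.com/invoice">https://portal.acme-supplier.com/invoice</a></p>',
    "attachments": ["invoice_4471.pdf"],
}

if __name__ == "__main__":
    for label, msg in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, triage(msg))
```

Each rule is deliberately weak on its own; the value is in running them together and quarantining or tagging mail that trips any of them, so the employee sees a warning banner rather than having to judge the message unaided.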
Cybersecurity Framework and Planning
You can approach your cybersecurity planning as you would other business investments, considering ROI and potential impact on the organization. In this case, you’ll balance the level of risk that is acceptable to your organization for each type of cyber threat against the cost of mitigating or responding to it, keeping in mind that it’s impossible to completely eliminate the risk of cyber threats.
The Cybersecurity Framework created by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) offers an excellent map for cyber protection, citing five functions that organizations should be continually and concurrently practicing:
- Identify
- Protect
- Detect
- Respond
- Recover
Identify – The first step is to identify existing threats for your industry and your company on an annual basis, and rank their likelihood. Then, quantify the risk from each of these threats. For instance, what is the potential cost in time, money and/or reputation were someone to gain access to your latest product design? What would be the fallout should ransomware lock up your entire ERP?
Protect and Detect – Next, explore ways to detect, and protect against, potential threats, including the costs of various levels of protection, both in money and inconvenience. You’ll need a layered strategy for detecting and preventing cyberattacks – one that includes everything from data backup, network access controls and firewalls, to updated anti-virus software, email filtering and the training of employees to identify and avoid risks.
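The Identify step above asks you to rank threats by likelihood and quantify what each would cost, and the Protect step asks you to weigh that against the cost of various levels of protection, in line with the ROI framing at the start of this section. The following is an added example of that arithmetic, not code from the original article or from Kaufman Rossin: it ranks threats by annual loss expectancy, computes the return on each proposed control, and applies a stated risk appetite to decide which controls to fund. The threat frequencies, loss figures, control costs and reduction percentages are constructed estimates, not data from the article.

```python
"""Risk register with return-on-security-investment (constructed example)."""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    annual_frequency: float   # expected incidents per year (assumed estimate)
    loss_per_event: float     # cost of one incident in dollars: time, money, reputation

    @property
    def annual_loss_expectancy(self):
        return self.annual_frequency * self.loss_per_event


@dataclass
class Control:
    name: str
    threat: str               # name of the Threat this control addresses
    annual_cost: float        # money plus the dollar value of inconvenience
    reduction: float          # fraction of incidents prevented, 0.0 to 1.0


def rank_threats(threats):
    """Highest annual loss expectancy first: the Identify step's ranking."""
    return sorted(threats, key=lambda t: t.annual_loss_expectancy, reverse=True)


def evaluate_control(threat, control):
    """Return (residual ALE, annual benefit, ROSI) for applying control to threat."""
    ale = threat.annual_loss_expectancy
    residual = ale * (1 - control.reduction)
    benefit = ale - residual
    rosi = (benefit - control.annual_cost) / control.annual_cost
    return residual, benefit, rosi


def plan(threats, controls, risk_appetite):
    """Decide per control: 'fund', 'fund-and-escalate' (residual still above
    appetite, so more controls or insurance are needed) or 'accept' the risk."""
    by_name = {t.name: t for t in threats}
    decisions = {}
    for c in controls:
        t = by_name[c.threat]
        residual, _benefit, rosi = evaluate_control(t, c)
        # Fund when the control pays for itself, or when the unmitigated
        # exposure exceeds what the organization is willing to carry.
        if rosi > 0 or t.annual_loss_expectancy > risk_appetite:
            status = "fund-and-escalate" if residual > risk_appetite else "fund"
        else:
            status = "accept"
        decisions[c.name] = (status, round(residual, 2), round(rosi, 2))
    return decisions


# Constructed register for a mid-sized manufacturer; all numbers are assumptions.
THREATS = [
    Threat("Ransomware locks the ERP", annual_frequency=0.2, loss_per_event=800_000),
    Threat("IP theft via phishing", annual_frequency=0.1, loss_per_event=2_000_000),
    Threat("Workstation joins a botnet", annual_frequency=1.0, loss_per_event=20_000),
]
CONTROLS = [
    Control("Offline backups with tested restore", "Ransomware locks the ERP", 40_000, 0.75),
    Control("Phishing training and email filtering", "IP theft via phishing", 25_000, 0.6),
    Control("Endpoint isolation for commodity malware", "Workstation joins a botnet", 30_000, 0.9),
]
RISK_APPETITE = 50_000   # assumed maximum tolerated annual loss per threat

if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.name:32s} ALE ${t.annual_loss_expectancy:>12,.0f}")
    for name, (status, residual, rosi) in plan(THREATS, CONTROLS, RISK_APPETITE).items():
        print(f"{name:42s} {status:18s} residual ${residual:>10,.0f}  ROSI {rosi:+.2f}")
```

In the constructed register the backups and the phishing program both pay for themselves, but the phishing program still leaves IP-theft exposure above the stated appetite, which is the signal to add a further layer or transfer the risk; the endpoint-isolation control costs more than it saves against a threat that is already within appetite, so that risk is accepted and the budget goes elsewhere. Revisiting these estimates annually, as the Identify step prescribes, is what keeps the ranking honest.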
Respond – No matter how good your protection and detection systems are, some cyberattacks may succeed, which is why it’s essential to have a response plan in place. This begins with clear reporting guidelines and systems for all employees. Whether they accidentally click on a phishing link, see something strange in a financial log or simply receive a suspicious phone call, employees need a clear understanding of how to immediately alert IT. The next phases of your response plan should focus on actions that contain the impact of any cybersecurity incident. This includes communicating to internal and external stakeholders, and possibly law enforcement; determining and mitigating the impact of the incident; and incorporating what you learned into detection and prevention for future threats.
Recover – Finally, you’ll need a recovery plan that outlines how to efficiently restore normal operations and reduce the impact of any cybersecurity incident. This will include system restoration, asset recovery and continuing communications.
The key takeaway is to never be caught off guard. While technology is essential to evolving the manufacturing process and increasing profitability, it also presents new cybersecurity concerns. Being aware of these challenges and creating a plan to address them before an incident occurs is an integral part of managing a manufacturing company in the digital age.
Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.