The Insecurity of Security: Prioritizing Cyber Breaches in Manufacturing

March 16 2017 | by Darren Welker, CPA, CIA

The topic of cyber security can be as fundamental as your employee’s utilization of email, but we know that is just the tip of the iceberg.

More information is being:

  • Exchanged with customers and vendors through e-commerce
  • Exposed through remote access capabilities, and
  • Migrated to hosted systems and web based applications

Thus, with an increase in access to information, there is also an increase in the number of schemes being developed to exploit your data.

In this blog, Phil Keeney, Director of IT Services at Stambaugh Ness TechSolutions, will provide insight into the impact that cyber security has on the manufacturing industry, and how companies can protect and minimize their cyber risk.

What is Cyber Security?

Q: Phil, before we get into what we can do about it, can you give us an understanding of what we mean by cyber security?

A: Cyber Security was originally developed to review processes and practices within networks in general, and implement policies to protect from unwarranted hacks from unauthorized outside organizations. Today, with the internet of things, all modern electrical devices within your home from your refrigerator to your security system is connected to the internet. Which in turn, makes you and your home vulnerable to a security breach.

There are several different strategies a hacker can use to breach your cyber security. One that we see more often is phishing (sphere phishing) or spoofing, where the hacker disguises themselves as someone you know and sends you an email to download a file (such as DropBox) or to click a link. The end user performs the action, enters their login credentials and ultimately provides the hacker with all the information they need to access your data.

Ransomware, also known as crypto wall or request for bitcoin is another way hackers are finding access to your information. End users are often invited to click a link that will redirect them to a known website. However, an underlying or hidden hyperlink takes them to an unknown destination, infects the computer, shuts your systems down, and encrypts your data to extort it for financial gain or sell it off as intellectual property. Industries that are commonly impacted by this type of breach include Governmental Agencies and Manufacturing firms.

To avoid these types of breaches, end user training is the most effective tool. It all comes down to the individual clicking a link. If the link is not accessed, the hacker has no way to penetrate your systems.

The Risk

Q: Phil, as you say it’s becoming increasingly difficult, if not impossible, to completely eliminate access points. Therefore, proprietary information is going to be vulnerable. From a business stand point, that could be anything from production processes, product information, employee information or even customer specifications.  Could you elaborate more on what is at risk?

A: Absolutely. To begin, no business is safe, regardless of size and it’s not a matter of if, it’s a matter of when. Many small- to mid-sized businesses mistakenly think “Why would they want to ‘hack’ a company my size?” It’s not about the information you have but about the bitcoin they can extort out of you, so that you can acquire your information back.

Studies show that 30% of an organization’s employee base will open a spoofing email. Let’s put that in perspective. At Stambaugh Ness, we have 113 employees, if 30% of our employees opened a spoofing email and a handful click the link, that could shut our entire network down. The question was, what’s at risk? Your infrastructure, depending on the type of back-up and/or recovery plan you have in place it could take hours, even days to get your firm up and running again at optimal performance.

Managing Your Risk

Q: Thanks for giving us that perspective Phil. I’ve heard of small manufacturers maintaining their payroll systems on a standalone desktop that’s not connected to the internet, and we know that a lot of small manufacturers are reluctant to embrace cloud supported systems and applications. However, it seems to me that tactics like this are just delaying the inevitable and ignoring the risks that need to be addressed. What are some of the recommended first steps to managing their cyber security risk?

A: That’s an excellent question, Darren. Companies must be aware of what they currently have, how they’re managing their intellectual property, and where their data is being housed. However, managing your accounting, payroll, CRM or enterprise resource planning (ERP) system on a standalone PC, that is not connected to the internet, is not forward-thinking. You’re not scalable in this capacity, and falling behind your competition.

So, how do you become scalable, compete with your competition and reduce your cyber security risk, while securing your data? I always like using the analogy of a house. Your house has a couple windows, doors and you have an outside gate that wraps around your perimeter, with an exit in the front and an exit in the rear. The more ports or the gates, windows or doors you have in your house, that provides more access points for burglars to intrude your house, or hackers to gain access to your infrastructure. And if you go out the back gate and forget to close the door – for example – some organizations may open portals to provide remote access for certain employees, or for a vendor for a short period of time, those gates or portals do not get closed. To correct this, Stambaugh Ness Business Solutions provides vulnerability or penetration tests to find those open portals within that organization and provides a source of remediation. We verify that the ports are valid, whether they should be open and if not then we close them up.

All organizations including Manufacturing firms need to be more vigilant on how to secure their data. Whether you host it in-house or via a cloud-based application, it’s important to remember that less is more, keep it simple. For best practices, we recommend having a single depository for your data; the more dispersed your systems and information are, the greater chance you will be breached.

When thinking about building, managing and securing your data you need to take a top-down approach. Think about what’s relevant to your business, and how do you secure it for the organization and the end users that need access to the data.

Maximize Your Profitability

Q: And I would like to add to that, if your avoiding connection and e-commerce opportunities, you’re really missing out on opportunities to streamline your improvement process, maximizing your customer service and ultimately eroding profitability.

A: You’re exactly right! Even when you talk about the e-commerce side. Everyone wants information accessible in real-time. They want to be able to login, process payment, do what they need to – to complete their jobs – right online. It’s about becoming relevant in the industry.

Technology is moving at such a rapid pace, a lot has changed over the past two years and there is no sign of the progress slowing down. Five years ago, our Technology Business Process Assessment contracts would be valid for five years or so. Today, they are only valid for maybe two or three years (depending on the level of security you currently have in place), and it’s because of the rapid growth within the technology industry. Things are changing from day-to-day, new challenges arise and new technology to overcome those challenges are created.

It is also important to remember that even though you have a sustainable technology infrastructure, you must regularly perform maintenance and due diligence to ensure your security.

If your data is hosted in a cloud-based infrastructure, we recommend that you consistently consider the following:

  • What is the up-time?
  • What is the disaster recovery plan?
  • What is the back-up plan process?
  • What happens if there is a security breach?

For a more in-depth analysis of your cyber security contact either Darren Welker or Phil Keeney.

We also invite you to download our digital brochure titled Security as a Service, and discover how you can begin to protect your company from cyber threats.

Leave a Reply

Your email address will not be published. Required fields are marked *