The Insecurity of Security: Prioritizing Cyber Breaches in Manufacturing

the insecurity of security prioritizing cyber breaches in manufacturing 810x650

The topic of cyber security can be as fundamental as your employee’s utilization of email, but we know that is just the tip of the iceberg.

More information is being:

  • Exchanged with customers and vendors through e-commerce
  • Exposed through remote access capabilities, and
  • Migrated to hosted systems and web-based applications

Thus, with an increase in access to information, there is also an increase in the number of schemes being developed to exploit your data.

In this blog, Phil Keeney, Director of IT Services at Stambaugh Ness TechSolutions, will provide insight into the impact that cyber security has on the manufacturing industry and how companies can protect and minimize their cyber risk.

What is Cyber Security?

Q: Phil, before we get into what we can do about it, can you give us an understanding of what we mean by cyber security?

A: Cyber Security was originally developed to review processes and practices within networks in general and implement policies to protect from unwarranted hacks by unauthorized outside organizations. Today, with the Internet of Things, all modern electrical devices within your home, from your refrigerator to your security system, are connected to the Internet. Which, in turn, makes you and your home vulnerable to a security breach.

There are several different strategies a hacker can use to breach your cyber security. One that we see more often is phishing (sphere phishing) or spoofing, where the hacker disguises themselves as someone you know and sends you an email to download a file (such as  DropBox) or to click a link. The end user performs the action, enters their login credentials, and ultimately provides the hacker with all the information they need to access your data.

Ransomware, also known as crypto wall or request for bitcoin is another way hackers are finding access to your information. End users are often invited to click a link that will redirect them to a known website. However, an underlying or hidden hyperlink takes them to an unknown destination, infects the computer, shuts your systems down, and encrypts your data to extort it for financial gain or sell it off as intellectual property. Industries that are commonly impacted by this type of breach include Governmental Agencies and Manufacturing firms.

To avoid these types of breaches, end user training is the most effective tool. It all comes down to the individual clicking a link. If the link is not accessed, the hacker has no way to penetrate your systems.

The Risk

Q: Phil, as you say, it’s becoming increasingly difficult, if not impossible, to completely eliminate access points. Therefore, proprietary information is going to be vulnerable. From a business standpoint, that could be anything from production processes, product information, employee information, or even customer specifications.  Could you elaborate more on what is at risk?

A: Absolutely. To begin with, no business is safe, regardless of size, and it’s not a matter of if; it’s a matter of when. Many small—to mid-sized businesses mistakenly think, “Why would they want to ‘hack’ a company my size?” It’s not about the information you have but about the bitcoin they can extort from you so that you can acquire your information back.

Studies show that 30% of an organization’s employee base will open a spoofing email. Let’s put that in perspective. At Stambaugh Ness, we have 113 employees; if 30% of our employees opened a spoofing email and a handful clicked the link, that could shut our entire network down. The question was, what’s at risk? Your infrastructure, depending on the type of backup and/or recovery plan you have in place, could take hours, even days, to get your firm up and running again at optimal performance.

Managing Your Risk

Q: Thanks for giving us that perspective, Phil. I’ve heard of small manufacturers maintaining their payroll systems on a standalone desktop that’s not connected to the internet, and we know that many small manufacturers are reluctant to embrace cloud-supported systems and applications. However, it seems to me that tactics like this are just delaying the inevitable and ignoring the risks that need to be addressed. What are some of the recommended first steps to managing their cyber security risk?

A: That’s an excellent question, Darren. Companies must be aware of what they currently have, how they’re managing their intellectual property, and where their data is being housed. However, managing your accounting, payroll, CRM, or enterprise resource planning (ERP) system on a standalone PC that is not connected to the internet is not forward-thinking. You’re not scalable in this capacity and are falling behind your competition.

So, how do you become scalable, compete with your competition, and reduce your cyber security risk while securing your data? I always like using the analogy of a house. Your house has a couple of windows and doors, and you have an outside gate that wraps around your perimeter, with an exit in the front and an exit in the rear. The more ports or gates, windows, or doors you have in your house, the more access points for burglars to intrude on your house or hackers to gain access to your infrastructure. And if you go out the back gate and forget to close the door – for example – some organizations may open portals to provide remote access for certain employees or for a vendor for a short period of time, those gates or portals do not get closed. To correct this, Stambaugh Ness Business Solutions provides vulnerability or penetration tests to find those open portals within that organization and provides a source of remediation. We verify that the ports are valid and whether they should be open, and if not, then we close them up.

All organizations, including manufacturing firms, need to be more vigilant about how to secure their data. Whether you host it in-house or via a cloud-based application, it’s important to remember that less is more, keep it simple. For best practices, we recommend having a single depository for your data; the more dispersed your systems and information are, the greater the chance you will be breached.

When building, managing, and securing your data, you need to take a top-down approach. Think about what’s relevant to your business and how you secure it for the organization and the end users who need access to the data.

Maximize Your Profitability

Q: I would like to add that if you’re avoiding connection and e-commerce opportunities, you’re really missing out on opportunities to streamline your improvement process, maximize your customer service, and ultimately erode profitability.

A: You’re exactly right! Even when you talk about the e-commerce side. Everyone wants information accessible in real time. They want to be able to log in, process payments, and do what they need to – to complete their jobs – right online. It’s about becoming relevant in the industry.

Technology is moving at such a rapid pace; a lot has changed over the past two years, and there is no sign of progress slowing down. Five years ago, our Technology Business Process Assessment contracts would be valid for five years or so. Today, they are only valid for maybe two or three years (depending on the level of security you currently have in place), and it’s because of the rapid growth within the technology industry. Things are changing from day to day, new challenges arise, and new technology to overcome those challenges is created.

It is also important to remember that even though you have a sustainable technology infrastructure, you must regularly perform maintenance and due diligence to ensure your security.

If your data is hosted in a cloud-based infrastructure, we recommend that you consistently consider the following:

  • What is the up-time?
  • What is the disaster recovery plan?
  • What is the backup plan process?
  • What happens if there is a security breach?

For a more in-depth analysis of your cyber security, contact either Darren Welker or Phil Keeney.

 


Darren Welker, CPA, CIA - Stambaugh Ness

Categories: Technology