Feature Story: Cybersecurity

January 4, 2018

Manufacturers Are At Risk

by Nancy Huddleston



“WannaCry ransomware attack shuts down a Honda plant in Japan.”

“Equifax data breach exposes personal information of millions.”

“Hack attack causes major damage at German steel works.”

Minnesota manufacturers who think these types of cybersecurity problems don’t impact them should think again, according to experts in the risk management business.

“The internet connects businesses of all sizes to data networks and computer systems around the world,” according to the experts at Federated Insurance. “It also exposes companies to hackers, viruses, and other computer attacks. And, let’s face it, there’s no such thing as perfect computer security. Whether by hacker, glitch, or employee error, many businesses will experience a data breach incident at some time.”

So, what’s a business owner to do?

“Be proactive rather than reactive,” advises Michael Hannan, CISA, Senior Manager at CBIZ MHM, LLC. He also says manufacturers need to understand that taking appropriate cybersecurity measures is not something only big companies should do. Every manufacturer—no matter how small—is at risk.

For instance, according to the U.S. National Center for Manufacturing Sciences (NCMS), 39 percent of all cyberattacks in 2016 were against the manufacturing sector, up from 33 percent the year before, with breaches costing between $1 million and $10 million.

Furthermore, the report attributes “the increase in cyberattacks targeting manufacturing to fierce competition in a sector where intellectual property is at a premium, to the fact that industrial control systems (ICS) are often left unguarded, and to a lack of investment in cybersecurity due to a focus on productivity and efficiency.”

When deciding on what steps to take, Michael Nicholas, MBA, CLCS, Business Risk Consultant for Associated Benefits and Risk Consulting, said it is important for business owners to set aside the notion that they can take care of cybersecurity themselves.

“It is constantly evolving and hackers are becoming more and more sophisticated in their approaches, so to be honest, unless a business owner is contributing a substantial amount of time to monitoring cyber threats, it is very important to have someone—outsourced or within the company walls—managing and minimizing threats,” he said.

When assessing what to do to enact a cybersecurity program, experts suggest starting with the basics.

Most companies that offer risk management services deal with two kinds of products – cyber liability insurance (reactive) and cybersecurity assessments and services (proactive). Both are important, but a thorough evaluation of a company’s needs is necessary before any decisions can be made, he pointed out.

An evaluation should include looking at all aspects of the business, from its size and the customers it serves to its employees and organizational systems. “Get an outline of what you have, find the gaps and then look at how to remediate those,” Hannan said. “The key thing to remember is that you want to do what best fits your business.”

The cost for this type of service varies – anywhere from $5,000 to $20,000, and then once a cybersecurity plan is put in place, most risk management service providers charge an hourly rate. Although the price tag might cause sticker shock for most business owners, the experts point out that the average cost of a data breach in 2016 was $70 million per compromised customer record, according to “Annual Study: Cost of a Data Breach,” by Ponemon Institute LLC.

An extra layer of protection is cyber liability insurance, which is triggered when a breach occurs, but it’s not a “one size fits all” solution, according to the experts.

“The most recent attack of Equifax impacted over 143 million records, both individual or organizations. Most stand-alone cyber insurance policies offer some form of inclusive consult/hotline to handle questions that arise from an event such as that or something as simple as how to pay a bitcoin,” Nicholas said.

Typically, the motivation behind a cyberattack can be:

  • Cyber Crime: Continuous threat activity against consumers and enterprises; criminals seeking personal information for financial gain.
  • Cyber Espionage: Government-sponsored or affiliated actors and groups seeking intelligence and intellectual property.
  • Hacktivism: Actors motivated by ideology, reputation, and ego. Attacks often triggered by corporate and political actions, major news events, etc.

Cyber criminals find their way in through traditional hacking, denial of service, and social engineering. According to the “2017 Data Breach Investigations Report,” by Verizon, the top three tactics include:

  • 62 percent of breaches featured hacking.
  • 51 percent of breaches included malware.
  • 81 percent of hacking-related breaches leveraged either stolen and/or weak passwords.

When the Verizon report drills down into manufacturing, it shows that cyber espionage is the top pattern, because “when you make stuff, there is always someone else who wants to make it better, or at least cheaper. A great way to make something cheaper is to let someone else pay for all of the R&D and then simply steal their intellectual property.”

“For a manufacturer, the intellectual property it possesses is of the utmost importance – whether it is a secret recipe, a creative new concept, or a less expensive way to make a widget, it makes a tempting target for thieves,” the report continues. “Unlike the more run of the mill, ‘grab-the-loot-and-scram’ attacks we see … espionage attacks are typically aimed at more long-term results.”

How can this happen? “In many cases these attacks begin with a move against the carbon layer. An employee of the organization receives a phishing email, and clicks on the malicious link or attachment it contains. Then malware is installed in the form of a backdoor or C2, and the bad guys return at their leisure to footprint the network and take what they need.”

The good news to all of this is that Minnesota manufacturers have access to a wide variety of companies that offer cybersecurity services right in their own backyard. A good place to start is with your own insurance company as many offer cybersecurity services.

Cyber insurance is more reasonable than most business owners think, according to Nicholas. “The supply has outpaced the demand, which has kept pricing very reasonable,” he said. “Cyber insurance policies include, but are not limited to, lost stolen devices, rogue employee and, of course, hacks.”

There are a variety of coverage options available for organizations of all types and sizes, and some options include:

  • Business income loss.
  • Notification and credit monitoring.
  • Data asset restoration.
  • Cyber extortion/ransomware.
  • Network security/privacy liability.
  • Media liability.
  • Outsourced service provider interruptions.
  • Crisis management.
  • Forensics investigation.

The U.S. Department of Homeland Security’s ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) is another resource that provides information about best practices to follow (www.ics-cert.us-cert.gov), as does NIST’s Computer Security Resource Center (CSRC) (www.csrc.nist.gov).

NANCY HUDDLESTON is the editor and publications manager of Precision Manufacturing Journal. She can be reached at nancy@mpma.com or 952-564-3041.

Copyright © 2018 Minnesota Precision Manufacturing Association. For permission to use or reprint this article please contact Nancy Huddleston, publications manager for Precision Manufacturing Journal.

