The 2017 Cisco Midyear Cybersecurity Report recently revealed that a surprising 40 percent of manufacturing security professionals do not have formal training or follow standardized information security policy practices. If not properly addressed, this lack of understanding has the potential to damage the entire industry. As such, it is more important than ever to ensure manufacturers are educated, aware of their vulnerabilities, and prepared for the future cyberattacks they will face.
Why is Manufacturing a Popular Target?
Although not a conventional target like a bank or government institution, manufacturing firms hold enough valuable data to warrant an attack. A common challenge is that many do not recognize the value their data holds to cybercriminals. A product prototype or other form of intellectual property (IP) can be worth a fortune in the wrong hands and would represent an incredible loss if stolen, particularly if the files end up in the inbox of a competitor.
The chances for a system to be compromised are also much higher in today’s digital landscape. The boon of increased automation, IoT and globally connected businesses has been a huge enabler for the manufacturing industry. However, this benefit comes with increased vulnerabilities to a business’ internal systems. As more technology becomes incorporated into internal processes, new opportunities are created for cybercriminals to gain access to the company and steal sensitive information.
These threats do not always start out online, however. Hackers can phone, as well as email, a manufacturing firm, posing as a customer, colleague or member of the IT department, and the conversation they have with an unsuspecting employee can compromise the entire system. Seemingly useless pieces of information can be all a scammer needs to steal valuable IP or a prototype design. Moreover, if a hacker is posing as a member of the IT department, details such as login credentials and server access can be provided under the guise of a system update.
However, it is not just professional cybercriminals that pose a threat. Attacks can come from inside the business as well. With such a wealth of confidential information available, a disgruntled employee, or one looking for financial gain, can access and leak anything from private designs to patents and processes. Equally, due to the competitive nature of the industry, there is also the risk of attacks from others across the globe, including rival businesses and state-sponsored attackers, who seek to steal valuable IP. These challenges make it vital for manufacturers to have a strong awareness of the security dangers facing their industry as a whole.
Getting up to Scratch
By recognizing these challenges, practical changes can be made that will improve the overall security of the business. For example, using the recognized industry accreditation ISO 27001 can ensure the business is able to understand the risks to its assets, in the form of IP, staff, or even its reputation. Manufacturers should also consider introducing a classification policy for their documents so that staff instantly know which items are more sensitive. Initial steps can be as low-tech as color coding documents, but can easily prevent employees from accidentally sharing sensitive information with the wrong people.
For those wishing to go one step further, a security permissions program can be installed to help protect valuable IP and other documentation. This program will only allow approved members of staff to access the most sensitive information, thereby preventing data leaks and limiting the pool of suspects should an internal attack occur.
Improving the IT security of a business can defend against many dangers. However, this understanding should not be kept secret. Security professionals need to address these issues with the entire company, raising awareness and encouraging communication throughout the whole business.
A Business-Wide Approach
The chances are that a hacker is more likely to target the average employee, rather than an IT specialist. As such, every member of the company needs to recognize how these dangers present themselves and what to do should an attack occur. While it may be the IT department’s job to protect the manufacturer, it is the responsibility of every team member to recognize and highlight anything suspicious.
As such, staff training needs to be high on the agenda for both the security professionals and the wider manufacturing firm. Even recognizing a false email is something every employee needs to know. Scammers are constantly improving their approach, developing more authentic-looking emails that can fool even the most conscientious member of staff. Ensuring employees are looking for subtle changes to the company name, an unusually urgent or threatening tone in the body of the message, or peculiar greetings will help to keep the manufacturer’s cyber borders secure.
At the same time, employees also need to be educated in the ways internal breaches can occur. A member of staff on the ground will be more likely to witness something suspicious before the security professionals, so it is vital that they know how to address their concerns with the team. If senior management can establish a self-regulating culture — one where every member of staff is aware of the potential threats to the business — this will not only highlight a rogue employee ahead of any breach but also dissuade disgruntled staff from compromising any sensitive data.
As shown in Cisco’s cybersecurity report, security specialists at manufacturing firms are underprepared for the threats that face the industry. While improving IT training is a natural first step, businesses need to prepare the entire company in order to offset the potential damage that an attack can cause. If all employees are given the resources they need to recognize, address and help resolve a potential attack, the industry can continue to thrive.
Robert Rutherford is CEO of QuoStar.