Cybersecurity Saves Dollars & Makes Sense

The article was originally featured in the MiMfg June 2016 issue. It was written by Brett Gerrish, an MMA communications specialist.

Your facility is at risk. A growing threat looms and is costing businesses billions of dollars each year and destroying reputations. It’s a threat that past generations never had to deal with but is becoming all too common today. That threat is cybercrime, and it’s one of the world’s fastest-growing threats. Glance at any national or statewide newspaper and you’ll see stories of businesses becoming more vulnerable each day to threats they, literally, may never see coming. Manufacturers continue to assume they have the problem under control: more than half of businesses surveyed by CyberArk (55 percent) believed they could detect a breach within a matter of days, while 25 percent believed they could detect it within hours.

The facts simply do not back that up and this creates the ultimate threat to manufacturing over the next decade — an existing problem you thought you already solved.

On average, it takes respondents 256 days to spot a breach caused by a malicious attack and an additional 82 days to contain it. Breaches caused by system glitches took 173 days to spot and 60 days to contain. Breaches due to human error averaged 158 days to be noticed and 57 days to be contained, according to an IBM study.

The number of cybercrimes increases as technology advances and the need to interconnect devices and share information grows. In 2015, a PwC study found businesses reported 38 percent more security incidents than a year earlier. More alarming is the fact that manufacturing remains one of the most targeted sectors of such crimes. A recent study by Symantec, a leading security software provider, indicates that nearly 1 in 3 of their customers in the manufacturing sector were targeted at least once in 2013.

All this should be enough to make a small manufacturer worried, but it’s the financial cost of a cyber attack that will cripple a company’s future. Conservative estimates place the cost of an attack on your data in the mid- to high-five figures. The company size, amount of time under attack and the type of data stolen can easily ratchet the costs to a manufacturer into the millions. It’s no wonder a recent Forbes study predicts the cost of data breaches to reach $2.1 trillion globally by 2019.

“Firewall attacks, system penetration, spear phishing attacks and other kinds of malware penetration are becoming increasingly common and manufacturers need to know that these threats exist and they aren’t going away,” said Kevin Bozung, principal and co-founder of Safety Net, Inc., MMA member and IT solutions provider with offices in Farmington Hills and Traverse City.

Every part of a malicious cyber activity (see below) brings its own headaches to a business, but it’s the combination of these that makes cybercrime an epidemic your business cannot ignore.

Breaking It Down: These are the six parts of malicious cyber activity according to McAfee.

1. The loss of intellectual property and business confidential information
2. Direct financial loss from cybercrime
3. The loss of sensitive business information, including possible stock market manipulation
4. Opportunity costs, including service and employment disruptions, and reduced trust for online activities
5. The additional cost of securing networks, insurance, and recovery from cyber attacks
6. Reputational damage to the hacked company

“Staying ahead of cybercrime requires a lot of planning and a lot of forward thinking,” said Bozung. “Think about what kinds of data you have, the systems you have, how people can access your information and where your people are working. Manufacturing is also an especially competitive industry, so staying mindful of who your competitors are — both large and small — can help reduce the risk of becoming a victim of corporate espionage.”

In 2016, it’s no longer a question of if you’ll be targeted, it’s when. The days of securing your business behind a locked door are gone. Today’s criminal can hurt you without stepping inside.

Everyday Strategies to Halt a Growing, Everyday Crime

Assume It Will Happen

Never assume your business is immune to an attack. More often than not, it is the companies that don’t expect to be hacked that suffer the most. While you always hope it won’t happen — and it’s possible it never will — by assuming it will and planning for it, you’re already one step ahead of the hackers who seek to catch you unaware.

Create a Plan

Simply knowing the threat exists is not enough. Make sure you have a proactive strategy that works to stop a breach from happening and to contain one if it does happen. A study done over five years and covering more than 600 security breaches found that 87 percent could have been avoided if reasonable security controls had been in place in advance. Make sure you have proper firewalls, the ability to back up your data and warning systems so you know of a hacking attempt as soon as possible.

“Manufacturers who only react to crises as they happen will be more likely to face crises than those business leaders who work to keep cyberattacks from happening in the first place,” said Bozung. “Your security plan must have multiple layers, including how to identify potential threats and ensuring the design and management of your technology addresses those threats.”

Additionally, the reputation of your business is at risk any time your security is compromised. Make sure your public relations team is trained in crisis communication, specifically what to say and what not to do when you’re faced with the unexpected.

Want to know what to do in a crisis? Watch for MMA’s July issue of MiMfg Magazine, focusing on crisis communication strategies and tips from experts.

How Much Does a Cyber Attack Cost?

The per-record cost of a data breach was $154 in 2015, up 12% over 2014. Having an incident response team available ahead of time reduced per-record cost by $12.60. Encryption usage reduced per-record costs by $12. Employee training reduced per-record costs by $8. Board involvement lowered per-record costs by $5.50. Cyberinsurance lowered per-record costs by $4.40. The average total cost of a data breach rose 23% in 2015 to $3.79 million.

On average, it takes respondents 256 days to spot a breach caused by a malicious attack and an additional 82 days to contain it. Breaches caused by system glitches took 173 days to spot and 60 days to contain. Breaches due to human error averaged 158 days to be noticed, and 57 days to be contained.

Train Your Team to Be Accountable

Often the weakest link is not the technology at all but the people trusted to run it. You may have the most top-of-the-line security system in place — and all it takes is one employee handing out their password to make the whole system useless.

“The big, big gap today is the human gap,” said Bozung. “In our own survey of these incidents, half were caused by human error. These can range from where an employee received a phishing e-mail or went to a website that led to a breach to instances of administrative error where someone was let go and credentials were never revoked.”

Start by hiring those with sufficient IT backgrounds to lead the way. You can follow that up by creating a company-wide team with leaders from each department to assist in the development of your Risk Assessment Strategy and communicate important ideas to the full workforce.

Finally, invest in training your full workforce to understand the threat of cybercrime and how their actions can either increase or decrease the likelihood of it happening. “Most security plans are very focused on firewalls, patches, encryption and other technologies to deter attacks — the gap that remains comes from the people,” said Bozung. “Ask yourself how you are training your staff — make sure they know what to look for, what to do and what not to do.”

Limit Security Roles

While your whole team should be aware of cybercrime and actively working to protect your business, not every part of your business should be managed by a lot of people. Select a few trusted employees to have full access to your security systems and the ability to install new software. Make sure they have the skills required for the role and that they are available to anyone who may have questions or concerns.

“This is a step that again requires good communication with your employees and ensuring they are properly trained in basic device security techniques like locking up equipment when not in use,” said Bozung. “Manufacturers can utilize mobile drive encryption, limit the number of employees who access certain devices and use tracking software, if necessary.”

Be Sufficiently Covered

Insurance is just a good business decision in any circumstance. Whether you’re a large or small manufacturer, there are plenty of security options out there that fit your needs and your budget. Have your company’s C-level executives work with your IT department and team leaders to evaluate the insurance coverage that’s right for you. If a cyberattack does happen, having insurance could be the difference between a headache and closing your doors for good.

Seek to Do Better

Technology is constantly advancing and so is the knowledge of cyber criminals seeking to outsmart it. The security you have today could be obsolete next month or next year. Make sure you are regularly working to stay ahead of a potential breach.

Continue to train your employees, update them about potential breaches and test their knowledge to reduce the chances of an attack. As part of your initial risk assessment, look at hiring a trusted third party to perform penetration testing on your systems. In effect, you pay to get hacked so you know where your vulnerabilities are and learn the strategies to patch those holes before a real attack can occur.

Cybercrime is a rapidly growing epidemic. Make sure your business is ready to react if someone starts targeting you.