Don't Take the Bait

Ways to address the phishing issue within manufacturing.


The manufacturing sector has quickly turned its attention to cybersecurity in the wake of some harrowing ransomware and phishing attacks that have wreaked havoc within the industry.

For instance, the Simpson Manufacturing Company had to alert the U.S. Securities and Exchange Commission (SEC) when it experienced disruptions to its IT infrastructure after malicious cyber activity was discovered. In the same time period, other major manufacturers suffered cyberattacks, including Volex, a U.K.-based company that produces a range of power products for data centers, electric vehicles and more, and building automation giant Johnson Controls, which also disclosed a cyberattack.

These incidents disrupted operations, caused production setbacks and inflicted financial losses.

Furthermore, IBM revealed the manufacturing sector was the second most targeted industry, with a jump in reported ransomware attacks from 211 in 2021 to 437 in 2022. Some key changes within the sector have played a part, mainly the convergence of IoT/OT and the rise in digital transformation, which have widened the attack surface for enterprises and offered hackers more entry points.

The Social Engineer

Digging deeper into the most prominent cyberattacks that manufacturers face, social engineering stands as the primary catalyst behind many of these attacks, specifically ransomware attacks, which are executed through phishing – the go-to tactic for modern cybercriminals. With social engineering, an organization's employees are bombarded with messages aimed at duping them into clicking malicious attachments, links or messages in the hope that one will take the bait. Once someone does, the criminals gain the access and credentials they need to infiltrate the business.

It's an effective method, as research has shown that 74 percent of data breaches were linked to human error or oversight, underscoring the pivotal role of the human factor in bolstering cybersecurity efforts within the manufacturing sector.

Manufacturers are a natural target for cybercriminals due to their accumulation of valuable intellectual property, which, if compromised, could be sold on the dark web to competitors or nation-states. Keeping any business disruption to a minimum is critical, as any downtime in production and manufacturing will lead to substantial costs for the business.

However, to avoid being plagued by phishing attacks, manufacturers should avoid the fundamental error of throwing money at the problem and hoping for the best. Investing large sums in the latest cybersecurity technologies on the market may seem like a logical response, but much more needs to be considered.

Though technology remains pivotal in an organization's defense strategy, to effectively combat social engineering, security teams within manufacturing need to address the psychological behaviors of the workforce. Implementing change in this aspect will profoundly impact the security culture. Wider education and heightened awareness about cyber risks, safe online practices, and recognizing warning signs among the workforce will foster improved security habits.

Reducing Susceptibility

When it comes to the threats introduced by phishing, research indicates that among various industries, manufacturers – particularly those with over 1,000 employees – demonstrated a 37.4 percent susceptibility to falling for phishing attacks, which is considered high. This highlights a lag in manufacturing workers' ability to discern cybercriminals' phishing and social engineering tactics compared to their counterparts in other industries.

While it's uncomfortable to spotlight a specific industry, business, or individual, pinpointing and benchmarking the issue unveils areas that demand reinforcement for enhancing overall security awareness and practices.

Moreover, security and risk management personnel within manufacturing entities should seek to secure full executive support while transparently communicating and aligning existing security protocols. Investing in security awareness and training programs is essential to prepare staff for such threats.

Establishing role models within the company stands as a crucial security element. Irrespective of the organization’s size, active participation from C-level and senior management in advocating and engaging with security awareness is paramount. This fosters a culture of best security practices in the workplace, naturally influencing others to observe and emulate. Along this journey, “security champions” emerge, guiding and shaping the overall security culture of the company.

Moreover, engagement with security awareness content profoundly impacts the success of any security training program by ensuring a positive learning experience for participants. Positive experiences significantly enhance the likelihood of behavioral change towards security. A diverse security awareness program offers training in various formats, mediums and languages, tailored to fit the audience's learning styles.

Picking the Right Awareness Training

Utilizing mundane or repetitive material limits the experience and diminishes audience retention. Avoiding a one-size-fits-all approach is crucial, recognizing that different departments, employee groups, and executives possess unique risk factors requiring customized training. Catering to all groups and avoiding a narrow focus ensures the organization’s security-related habits undergo effective and inclusive improvement.

Ultimately, manufacturers need to establish a robust foundation and conducive environment to foster a security culture, enabling the workforce to comprehend their roles and responsibilities in safeguarding the company. Developing the workforce as a formidable last line of defense should be a cornerstone for all manufacturers in bolstering their security posture.

Erich Kron is a Security Awareness Advocate at KnowBe4. 
