Mindi GiftosOne of the things that make cybersecurity seem so daunting is the difficulty in understanding the scale of the threat involved. Every day there is a new media report of a major commercial enterprise being victimized by cyber criminals—compromised databases containing customers’ personally identifying information; ransomware viruses that shut down business operations entirely; spyware that steals valuable proprietary information… the list goes on.
Furthermore, the criminals themselves are rarely brought to justice. Indeed, a great many of them seem beyond the reach of our criminal justice system, regardless of whether their attacks originate here in the U.S. or abroad, where criminals often work hand in glove with state-controlled espionage agencies or foreign corporate entities.
Against threats of this magnitude and sophistication, one might wonder whether the cost-benefit of further operationalizing digital information makes sense. However, as the early adopters of our new information-driven technologies can attest, the benefits are simply too great to ignore. Just-in-time production capabilities, for instance, have radically changed the arithmetic of supply chain management and manufacturing, making it possible for manufacturers to bring certain kinds of work and jobs back to the U.S. Similarly, precision agriculture supported by wirelessly networked devices allows farmers to respond to crop threats in real time, substantially raising their per-acre production and lowering their overheads. When assessed against the awesome power of information-based processes, the associated cybersecurity issues seem, if not small, at least manageable.
The main disappointment regarding these new technologies is the realization that their implementation and use will not be cost-free, and unfortunately, protecting against cybercrime constitutes a big part of that cost. Therefore, it is vitally important for all businesses to gain an understanding of the specific threats they are most likely to face.
Manufacturing’s Threat Profile
The cybersecurity threat profile for each industry is a little different. The 2018 Data Breach Investigations Report, conducted and published by Verizon, does a comprehensive job of explaining how different threats manifest themselves across multiple industries. It also has interesting observations about threats to the manufacturing industry. According to the report, manufacturing is unique among industries in one key respect—most of the cyber-attacks are targeted, rather than the crimes of convenience or opportunity more routinely seen across the board. In nearly half the cases involving manufacturing in the Verizon report, stealing intellectual property is the object of the attack, and nine out of ten involved external threats.
In August 2018 Vectra Networks, Inc., a cybersecurity firm, published its 2018 spotlight report on cyberattacks in the manufacturing industry. Consistent with the Verizon report, Vectra’s artificial intelligence-based platforms detected “a higher-than-normal rate of malicious internal reconnaissance behaviors” from attackers inside of manufacturers’ systems and that this “indicates that attackers are mapping-out manufacturing networks in search of critical assets to steal or damage.” Once the attacker has identified the data to be stolen, the Vectra report notes that data smuggling is the preferred exfiltration method, where the attacker uses an internal device he or she controls to send the data to an external system.
Given these circumstances, below are five things manufacturers need to consider in connection with data security:
1. Data Mapping: Because the main cyber-threat for manufacturers often concerns the company’s own proprietary information, we highly recommend that manufacturers take some time to map their systems and understand what data they have. In many data breaches, compromised data is comprised of data that the company did not even know it had. Undertaking data mapping will help manufacturers understand their vulnerabilities (the worst case scenario) and take steps to eliminate needlessly redundant access points to sensitive data. This step will also ensure that companies are more readily able to comply with rapidly emerging privacy laws, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act.
2. Insurance: It is important to understand your current cyber liability policies (and other policies) that may apply in the event of a breach. We recommend identifying relevant policies before an incident occurs so that applicable coverage can be quickly assessed when needed.
3. Vendor/Third-Party Agreements: It is important to compile a list of vendors and other service providers who could be involved in a potential data breach, along with a summary of key contract provisions. If an incident comes through a vendor or service provider, manufacturers need to quickly determine the nature of the vulnerability.
4. Training: All employees should be trained (and retrained) and the importance of privacy and security. Many breach incidents occur due to human error.
5. Access Regulatory Requirements: While sometimes the threat profile for manufacturers relates primarily to their own proprietary data, often customer and employee data can trigger significant regulatory and legal requirements for companies in the wake of a breach incident. Manufacturers need to access their obligations proactively and to know ahead of time what their specific obligations are with respect to reporting incidents to the government or to key customers.
Attending to these five areas of concern won’t inoculate manufacturers against a data breach, but they can help reduce the severity of an attack, as well as empower enterprises to find their footing after the fact.
Mindi Giftos is a partner with Husch Blackwell LLP. She is the co-head of the firm’s Internet of Things (IoT) and Data Privacy, Cybersecurity & Breach Response teams and is the office managing partner of the firm’s Madison, WI office. This article originally appeared on IBMadison.com.
