U.S. President-Elect Donald Trump has made it his primary mission to protect manufacturing jobs from leaving America. While nobody can argue with his intent, one can argue that globalization and corporate relocation are not the most significant challenges manufacturers face. Instead, the proliferation of cyberattacks targeting manufacturers, not just in the United States, but also across the globe, may be the industry’s biggest threat.
In 2016, manufacturing became the No. 2 most frequently targeted industry, behind healthcare, according to Dark Reading. Reportedly, automotive and chemical manufacturers are targeted the most; however no manufacturing sector is immune, as hackers and nation states are motivated by financial gain, reputational harm and in some circumstances, the ability to cause physical damage and destruction.
Further, a recent study by Deloitte’s Center for Industry Insights concluded that, “the manufacturing industry is particularly vulnerable to cyber risk.” What’s most concerning about the study perhaps is the finding that 50 percent of those surveyed are “not confident they have the technology and know-how to protect their companies from threats.” This revelation comes despite manufacturers investing cybersecurity, as a recent IDC study revealed that both discrete and process manufacturers ranked within the top 5 in cybersecurity spend.
Phishing: The Origination of Attacks Against Manufacturers
No matter the intended outcome, 95 percent of successful cyber attacks against manufacturers, according to the recent IBM Security Officer Assessment, originate the same way — as the result of a successful phishing campaign.
Phishing attacks have grown in sophistication and frequency since they first originated in the 1990s. The first recorded mention of the term ‘phishing’ was found in AOHell, a tool released in 1995 to hack Windows America Online (AOL) users by allowing the attacker to pose as a company representative and steal passwords and credit card information. AOHell influenced many future phishing scams and, over the years, phishers transitioned from amateur hackers to professional cyber criminals.
Fast-forward to 2016, and phishing has evolved from a mere nuisance into a global epidemic in which sophisticated campaigns, such as spear-phishing and ransomware, have introduced unprecedented risk. More effective than traditional phishing scams, spear-phishing attacks are carefully targeted with emails crafted to appear to be from a colleague at the recipient’s company. The attackers are most often professional criminals that study the companies and their current projects, in addition to the technical savvy of its employees. According to InfoWorld’s Robert A. Grimes, phishing emails went pro:
“Today’s professional internet criminals work 9-to-5 days, pay taxes, and get weekends and holidays off. The companies they work for often have dozens to hundreds of employees; pay bribes to local law enforcement and politicians, and are often seen as the employer of choice in their region. Working for companies that break into companies in other countries is often proudly worn as a patriotic badge.”
The sophistication of phishing has paid dividends for hackers. The InfoSec Institute projects that spear-phishing emails, often crafted by professional hackers, are opened 70 percent of the time and provide ten times the return on investment (ROI) compared to lower-quality phishing emails sent en masse.
Phishing Mitigation Today: A False Sense of Security
Today, many companies, including manufacturers, invest heavily in employee education and training, recognizing the human factor as the weakest link in security. However, employee training alone is costly and time consuming, and it’s difficult to keep up with the latest method of phishing attack. In addition, the average 1000-person company saves only 10 percent of attack losses as a result of “substantial training and security awareness activities,” according to the Ponemon Institute.
Research suggests that no matter how many training sessions an employee goes to, he or she is bound to open a bad email eventually. According to a study published in Ars Technica, despite claiming to be aware of the risks of unknown links, 56 percent of messages that addressed the targets by name scored clicks. In other words, some employees will simply never learn the consequences of opening a malicious email or downloading a suspicious attachment — and hackers have the time and motivation to wait for a person to make a bad decision.
If an employee is savvy enough to identify a phishing attempt and immediately reports it to the Special Operations Center (SOC) team, it simply goes in the pile — the SOC team still must manually tend to each report as it’s received, regardless of potential severity. However, with phishing mitigation, time is of the essence, so any delay in remediation adds to the inherent risk that manufacturers already face.
How Manufacturers Can Reduce Phishing
There are many reasons why even educated employees fall for phishing campaigns. Not paying attention, multitasking or giving in to curiosity, confusion, fear, gullibility and implausibility are some of the most common motives. For manufacturers, especially those involved with critical processes and hazardous materials, reducing risk from cyberattack must be a primary goal.
A defense-in-depth strategy in which various security tools are used to harden the perimeter and maintain the integrity of devices is still advisable. However, phishing mitigation is the only safeguard that can truly reduce risk to an acceptable level across the entire organization. But manufacturers must go further than employee education to truly make a dent in the phishing epidemic.
Here are Four Tips to Consider:
- Create organization-wide cybersecurity standards that hold employees accountable for proper IT usage and incentivize advanced training.
- Work with the manufacturing industry to create enforceable cybersecurity standards that penalize organizations for non-compliance.
- Seek cybersecurity solutions that can automatically remediate attacks with or without human intervention.
- Share intelligence between manufacturers so that companies worldwide can protect their digital assets from attacks that are trending.
President-Elect Trump is right to want to save manufacturing jobs, but his thinking that globalization is the biggest challenge is overtly simplistic at best. Cybersecurity is the manufacturing industry’s biggest concern. And it all begins, and ends, with phishing.
Eyal Benishti is the founder and CEO of IRONSCALES.
