U.S. manufacturing produces nearly 20 percent of the world’s goods. It’s one of the largest and most influential sectors in the nation, contributing to the rapid rise of innovation, productivity and trade among all industries. And it’s expected to grow at a rate faster than the nation’s general economy next year. With so much growth and success, the industry has drawn the attention of cyber criminals, who are attacking the supply chain at unprecedented rates.
Manufacturing is already the second most attacked industry in the nation, right behind healthcare, according to IBM X-Force’s 2016 Cyber Security Intelligence Report. Despite the rising risk, however, the industry is still seen as lagging behind other sectors, such as financial services and retail, in its cyber programs. In fact, a 2016 Deloitte survey of top manufacturing executives found that one-third of manufacturers indicated their cybersecurity budgets have remained flat or decreased over the past three years. This news is unnerving, especially as the industry continues to shift toward mobilization, further increasing the risks of cyber-attacks and breaches.
Short of air-gapping all of your sensitive assets, there is no way to fully protect your organization from a hack. While it may sound cliché, an assault on your network is not a matter of if, but when. So, what can you do to protect yourself while staying competitive in this ever-changing industry?
Here’s a closer look at a few ways your organization can better protect itself from a cyberattack:
Make Cybersecurity a Business Risk Decision
The first step toward a successful cybersecurity plan is understanding that it cannot be performed effectively inside the bounds of the IT department. Instead, all cybersecurity initiatives must be shifted from the IT department to the front lines, where they support the larger function of managing enterprise risk. This will ensure your organization doesn’t put IT and security at odds with each other. Beefing up security at the expense of innovative, new technologies, or vice versa, is counterproductive to companies striving to stay safe and competitive in an ever-changing industry like manufacturing.
Once cybersecurity has been given its own seat at the table, managing enterprise risk can be achieved by understanding which company assets are worth protecting and knowing where that information is stored, how it flows and who has access to it. Then, just as all business risk decisions are made, calculate how much it will cost to protect that data. If it doesn’t make sense fiscally, perhaps the information needs to be handled differently. This will force your team to come up with a solution that not only protects your most valuable assets but ensures you’re not going to lose momentum in manufacturing’s fast-changing environment.
Don’t Forget About Availability
Headlines across the globe focus on eye-catching breaches and data leaks, but a bigger problem exists for manufacturers that often gets lost in the shadows: compromised availability.
While protecting confidentiality and integrity should remain a top concern for manufacturers, it can’t be overstated how important it is to protect the availability of the products manufacturers churn out daily. With the advent of ransomware such as Petya and WannaCry, both of which take control of a computer system and block access until a ransom is paid, attacks on availability are more prevalent than ever. Anyone with basic knowledge of hacking can deploy these types of malware and completely shut down an organization’s operations.
Worse yet, hackers who truly have a vendetta against your organization could change the parameters of your output without your knowledge, causing a mass distribution of a faulty product. For medical device or drug manufacturers, this could go beyond financial losses and have fatal consequences. Even the largest and most prolific drug manufacturers are not immune to tainted drugs getting through their quality control checks. In 2010, GlaxoSmithKline was outed for reportedly mislabeling drugs and producing medications that were “too strong” or “not strong enough.” If it can happen to the fourth largest drug manufacturer in the world at that time, it can happen to any organization.
And the digital adversaries are getting smarter. Simply backing up files on the cloud or another network is not enough. Many of today’s hackers do their homework before they launch an attack to ensure their assault has maximum impact. They’ll monitor your networks, get to know how your information flows and find out where all backups are stored, so when they do finally breach your network, you have no option but to pay the ransom. Even then, you may never see that data again. It’s important to understand that this is simply business, even to the criminals, and organized criminals will spend their time where the most impact, to both your systems and to their bottom line, can be obtained.
Garner Complete Buy-in
One of the biggest misconceptions about cybersecurity is that it is a function of the IT department. That couldn’t be further from the truth. In fact, cybersecurity has no more to do with IT than it does with human resources or any other department. Cybersecurity shouldn’t be limited to a single department but rather should be the responsibility of the entire company, from the mail room to the C-suite. Every single employee must know that they play an integral role in protecting the company and its assets. Their online behavior and how they manage personal and company-issued electronics can be the difference between a failed attack and the loss of millions of dollars in damages.
Complete buy-in among all employees, however, cannot be achieved through an annual cybersecurity training seminar. It must become part of the company culture, alongside integrity, philanthropy or any other core values your company has embraced. This is achieved through a multi-pronged approach that includes year-round awareness campaigns, enticing incentives, fun and engaging education opportunities, and regular tests to evaluate whether your employees are buying in. Until this happens, your organization will not succeed in the long run.
Ultimately, the cloud of fog that surrounds cybersecurity has to be removed. The only way to do this is to simplify the way we measure, discuss and apply reasonable solutions to what truly is a business issue.
Dan Didier is VP of Services at GreyCastle Security.