Before the Great Recession, many corporate giants — banks, energy companies, insurers and the like — thought they were "too big to fail."
Sadly, they found out the hard way that they were not immune to failure — and we all felt the repercussions.
Today, many small-to-medium sized businesses are operating under a similarly faulty assumption. They believe they are too small to be affected by cyberattacks and data breaches. This includes manufacturing businesses that view themselves as unlikely targets for cyber thieves, either due to their size or industry segment. Consequently, they don't bother to incorporate protections into their systems.
Cyberattacks can (and do) happen to all companies, irrespective of size or business focus. Whether it's a major bank, national retailer or a lumber yard in a rural area, cyber thieves are looking for vulnerabilities. They don't target businesses of a particular size or with specific goods; they fish for weaknesses and reel in their victims quickly, as soon as they feel a tug on the line.
Odds are in the cyber thieves' favor
A recent survey found that more than 50% of polled small businesses with fewer than 1,000 employees experienced a cyberattack during the 12 months leading up to the 2016 survey. The survey, by the Ponemon Institute, also found that only 14% of small business respondents considered their ability to mitigate against cyber-attacks "highly effective."
According to the survey, the most common type of attack on small businesses was a web-based attack, which affected 49% of polled businesses. This was followed by phishing scams (43%), malware (35%), code injection (26%), and compromised or stolen equipment (25%).
So, how are these thieves finding these small businesses to target? Many are using publicly available scanning tools like Nmap or Shodan to find a company's technical weaknesses. Google hacking — also known as Google dorking — is another searching technique that allows hackers to gain access to vulnerable private databases and open servers. They scan vast amounts of data with no particular target in mind with the goal of detecting a vulnerability.
Recently, a building products manufacturer was affected by ransomware. The hackers encrypted their design files and demanded a ransom for their return. Though the company did not pay the hefty ransom, they were forced to rebuild their design files and eat the cost. The company did not have cyber liability coverage.
Soft targets
One of the most serious vulnerabilities for all businesses is an employee's email account. If a suspicious email comes through, and the employee clicks on it and opens the link or attachment included, the employee could allow ransomware to compromise the entire network. This is where protections like anti-virus are helpful. Thieves use ransomware to lock systems so users can't get to their data unless they pay the thieves a certain amount of money to restore the network.
Another quickly growing vulnerability for these businesses is the Internet of Things, which consists of any computing device that connects to other devices over the internet. A recent article in Inc. explained that small businesses can use the Internet of Things to connect operations, logistics and suppliers to remotely manage them. Yet these intertwined devices can increase security risks as personally owned and maintained — and possibly unprotected devices like phones, tablets and activity trackers — co-mingle with company networks.
Smaller manufacturing businesses may not have the data that banks or healthcare companies do, but they store plenty of confidential information, such as financial statements, sales data, employee Social Security numbers, customer credit card numbers and sensitive human resources information. In many cases, it's not just sensitive company information at stake, it's also customer information — risking the business' and its customers' identities and reputations.
Education: Key to protection
Protection requires knowledge. As an agent or broker to these small-to-medium sized manufacturing businesses, you can play a role in helping them understand that they can deter a cyberattack. They are not helpless.
Proper risk mitigation involves four courses of action:
- Data classification.
- Risk assessment.
- Incident response.
- Business continuity.
First, these businesses need to classify their data into three categories: public information, private information, and confidential information to which only essential employees or board members should have access. How the data is classified determines what happens if the data is stolen or deleted.
Second, companies should look at any risks that they face (for example, employee theft, out-of-date servers, or building security) and assess them accordingly.
Third, they should prepare an incident response plan that details the steps they need to take right after an attack.
And fourth, they need to think about business continuity. If this data were to be leaked or stolen, what is the plan to restore the data and get the business back up and running? Protecting themselves is not just about money; budget restrictions should be supplemented with resources of time and skill.
Regardless of a company's size, financial position, or focus, here are some steps manufacturers can take to protect themselves from cyber risk:
- Teach employees about hacker tactics (for example, phishing).
- Include anti-virus and software protections on all computers and update them regularly.
- Use spam protection on all email accounts.
- Keep all servers updated.
- Work with vendors who take security seriously.
With this said, finding a trusted IT security advisor is a vital protection. Advisers should understand not only the current technologies available, but also new products and services coming out.
In your back pocket: Good cyber coverage
Cyber insurance is another critical protection against the effects of cyberattacks. A comprehensive policy from a specialty insurer that focuses on the business' industry segment is always helpful, as that insurer's expertise can be invaluable in assessing risk. Not only does it protect insureds in the event of an incident, the underwriting process reminds the business owners to be vigilant and take care.
Asking your insureds such key questions as, "Do you back up your data?" and "Do you have a firewall in place?" forces them to think about their position. Though cyber insurance should be purchased, keep in mind that insurance is not protection; it only helps the business after the attack has already happened. Helping policyholders protect their business on the front-end will be key to thwarting future cyberattacks and keeping a small to mid-size manufacturing business operational, healthy and profitable.
Ross Moore is the security analyst for Pennsylvania Lumbermens Mutual Insurance Company and carries the following designations: CompTIA Security+, Network+, A+; AINS, AIT.
© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.