When it comes to duty of care, manufacturers and their suppliers are taking data confidentiality and security more seriously as breaches and financial losses continue to climb. Building a strategy and roadmap for data-based decisions is imperative for continuous improvement. Early in that process, people often raise comments or concerns about cybersecurity that turn out to be myths or misconceptions. Much like belief in the tooth fairy, how we see and interpret information shapes how we feel about it and how we respond to it. This helps explain why inaccurate conclusions and misconceptions about cybersecurity are common within supply chains. In this article, our goal is to evaluate 15 of the top cybersecurity misconceptions and myths that affect manufacturers and the supply chain.
Myth #1: Our manufacturing business is too small to be targeted by criminal hackers.
When it comes to cyber-attacks, hackers will take any opportunity presented, regardless of business size. Surprisingly, hackers and cyber criminals are increasing their attacks on small and mid-market businesses, which often lack the resources for a sophisticated security infrastructure and expose the criminal enterprise to less risk of being caught. Large enterprises typically have an internal security team and invest six figures annually in software and hardware to detect and thwart potential attacks.
An article from HG Legal Resources states: “Hackers will often use cyber-attacks on smaller businesses because there is less sophistication in the cybersecurity of the company and computer system along with a greater ease for hackers to take information or financial resources.” Hackers and cyber criminals take advantage of this misconception: many small and mid-sized manufacturers do not use effective cybersecurity policies and controls and lack the needed resources, and they in turn become viable targets for cyber attacks. According to a 2018 report produced jointly by Keeper Security Inc. and the Ponemon Institute, only 28% of the companies in the study rated their ability to mitigate threats, vulnerabilities, and attacks as “highly effective”. While smaller manufacturers do not have the same resources as larger manufacturing businesses, they should expect the same threats that larger companies experience on a daily basis. Many small manufacturers are also part of the supply chain for larger manufacturers.
Myth #2: We haven’t had a breach yet, so we are safe.
This is a dangerous mindset for manufacturers, as it often shows that leadership takes a reactive “wait and see” approach to cybersecurity. Reactive cybersecurity, as the name implies, is the strategy of reacting to security incidents after they happen. With a reactive mindset, stakeholders assume that they will be able to recover quickly from unverified backups and continue manufacturing and shipping quality products on schedule. With a reactive approach, manufacturers are more likely to suffer catastrophic business disruption, which can result in significant financial losses and, in some cases, closing the doors on the business and the family legacy.
According to a 2019 Fortinet article, 67% of small businesses experienced a cyberattack in 2018, and these breaches forced 60% of small businesses to close within six months of the attack. Even when a company is able to recover from a cyberattack, it is further impacted by the loss of reputation. According to Radware’s 2018-2019 Global Application and Network Security Report, the top impacts of a cyberattack were operational/productivity loss and negative customer experience. While the loss of operations and productivity is expected following a cyberattack, negative customer experience is often an unforeseen impact.
Following a cyberattack, manufacturers experience a decline in trust from their current customers and shareholders. This loss of trust can result in lost customer relationships and declining revenue, and can affect the acquisition of future customers and shareholders. Ultimately, well-managed manufacturers take a proactive approach to cybersecurity, which allows them to anticipate, identify, and remediate vulnerabilities that could lead to probable loss events. When comparing reactive and proactive approaches to cybersecurity, manufacturers find that the proactive approach is the better strategy.
Myth #3: Our anti-virus software and firewall will keep us safe.
Using both a firewall and an anti-virus/anti-malware service is a sound preventative step manufacturers can take to prevent or mitigate cyber-attacks. However, many manufacturers have a “set and forget” mindset toward firewalls and anti-virus/anti-malware programs, leaving themselves vulnerable to advanced attacks. An article from Malwarebytes Labs gives three reasons why relying on an anti-virus service alone to protect your business is no longer effective.
1. The first reason is the changing nature of attacks. Historically, malware and viruses were downloaded accidentally through email attachments or programs from the internet. Those tactics have changed: drive-by downloads allow malicious code to infect a computer without the user knowingly downloading anything, so attackers can compromise your devices without alerting the anti-virus software.
2. The second reason is limited effectiveness against new threats. Anti-virus solutions detect malware by its digital signature or by the known behavior of known threats. As new malware and variants are created and discovered, anti-virus vendors need time to implement detection, and in the meantime many devices are compromised by malware using zero-day exploits.
3. The final reason anti-virus should not be used as a stand-alone solution is the wide availability of exploits. Instead of relying on a downloaded file or program to initially infect a machine, attackers can use publicly available exploits against devices running vulnerable operating systems or services. Some anti-virus vendors offer anti-exploit detection as a security suite option, but it is often not included in the anti-virus product itself.
Anti-virus solutions should be used with other security products to create a layered security plan, also known as defense in depth. Implementing defense in depth includes using multiple technologies that work together to identify, prevent, and warn manufacturers of current threats and attacks. A defense in depth approach to cybersecurity should include an anti-virus/malware solution, a properly configured firewall, and an intrusion detection and prevention system.
Additionally, a firewall alone does not ensure that a manufacturer’s network is safe from cyber criminals. While a firewall greatly decreases the chance of an external attack compromising your network, an improperly configured firewall will still allow compromised devices to communicate with attackers outside the network. Firewalls are primarily configured to filter what incoming traffic is allowed into the network. When a firewall is configured only in this manner, internally compromised machines may be allowed to exfiltrate data without creating the logs or alerts that could help you stop the attack. For example, an employee opens an email containing a malicious attachment, compromising their machine. Normally this employee’s machine could not be attacked directly by a hacker outside the network because of the firewall, but the infected machine can now communicate with the hacker’s server because there are no rules for outbound traffic. Files from the employee’s computer can be pulled out of the network without raising alarms, because the firewall is configured to block certain traffic from entering the network while allowing all traffic to leave it.
An article from The Security Skeptic provides insight on firewall best practices for egress traffic filtering. The first best practice given in the article is to create an egress traffic enforcement policy. Similar to an acceptable use policy, an egress traffic enforcement policy identifies which devices should have access to the internet, and which services and protocols should be allowed to communicate outside the manufacturer’s network. In short, it is a document that defines which machines have internet access, which protocols are allowed for data leaving the network, and which ports may be used for external network communication.
The second firewall best practice given in the article is to execute and enforce the policy by configuring firewall rules that follow the egress traffic enforcement policy. A simple method is to start with a deny-all outbound rule, then add rules allowing only the services, devices, and protocols that the egress enforcement policy permits to reach the internet. Together, these two best practices help manufacturers not only protect the devices on their network from external attacks, but also prevent potentially compromised machines from exfiltrating data.
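To make the two egress best practices concrete, here is a small added example (it is not code from the article or from The Security Skeptic) that turns a written egress traffic enforcement policy into something a firewall can enforce. The device groups, address ranges and allowed ports are constructed stand-ins; the policy is evaluated for sample outbound flows, and the same policy is rendered as an nftables forward chain whose default is deny, with every denied flow logged. The rendered rules are illustrative and should be adapted to the gateway actually in use.

```python
"""Default-deny egress filtering: a policy evaluator plus an nftables renderer.

Added example, not from the article or The Security Skeptic. The device
groups, address ranges and allowed ports below are constructed to stand in
for a manufacturer's egress traffic enforcement policy.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class EgressRule:
    name: str       # device group from the egress traffic enforcement policy
    source: str     # CIDR of the devices permitted to reach the internet
    proto: str      # "tcp" or "udp"
    ports: tuple    # destination ports the policy allows for that group


# Constructed policy: only these flows may leave the network; all else is denied.
POLICY = (
    EgressRule("office-workstations", "10.0.10.0/24", "tcp", (80, 443)),
    EgressRule("office-workstations", "10.0.10.0/24", "udp", (53,)),
    EgressRule("mail-relay", "10.0.20.5/32", "tcp", (25, 587)),
)


def evaluate(src_ip: str, proto: str, dport: int, policy=POLICY) -> tuple:
    """Decide an outbound flow. Returns ("allow", rule_name) for a flow the
    policy permits, otherwise ("deny-log", None): the deny is logged, which is
    what turns a compromised workstation's outbound connection into an alert
    instead of a silent exfiltration channel."""
    addr = ipaddress.ip_address(src_ip)
    for rule in policy:
        if (addr in ipaddress.ip_network(rule.source)
                and rule.proto == proto
                and dport in rule.ports):
            return ("allow", rule.name)
    return ("deny-log", None)


def render_nftables(policy=POLICY) -> str:
    """Render the same policy as an nftables forward chain on the gateway:
    established/related traffic is accepted so replies get back in, each
    policy line becomes an accept rule, and everything else is logged and
    dropped by the chain's default policy."""
    lines = [
        "table inet egress {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
    ]
    for rule in policy:
        ports = ", ".join(str(p) for p in rule.ports)
        lines.append(
            f"        ip saddr {rule.source} {rule.proto} dport {{ {ports} }} "
            f"accept  # {rule.name}"
        )
    lines.append('        log prefix "egress-deny: " counter drop')
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # A workstation reaching an HTTPS site is allowed; the same workstation
    # calling out on an arbitrary port, as malware would, is denied and logged.
    print(evaluate("10.0.10.42", "tcp", 443))
    print(evaluate("10.0.10.42", "tcp", 4444))
    print(render_nftables())
```

The point of the evaluator is the last line of evaluate(): anything the policy does not name is denied and logged, so the compromised-workstation scenario above produces an "egress-deny" log entry instead of an unnoticed outbound connection.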
Myth #4: We outsource our security to a third party, so they are responsible.
Having a dedicated third-party cybersecurity provider can be a great option, as many business owners do not have the extensive resources an in-house IT security team would require. However, using a Managed Service Provider (MSP) gives attackers a new vector for reaching your network and data.
In 2019 and into 2020, Beazley Breach Response Services recorded an increase in reported attacks by policyholders whose systems were breached via cyber attacks against their IT managed service providers. In some cases, these attacks stopped the operations of hundreds of customers downstream from the IT provider.
An article from SmarterMSP reported that nine MSPs were targeted in cybersecurity attacks during 2018. According to Datto’s Global State of the Channel Ransomware Report, “4 in 5 MSPs agree that their own businesses are being increasingly targeted by ransomware attacks.” If an attack against an MSP succeeds, attackers can use the trusted software meant to monitor and manage devices across multiple customer networks to launch further attacks. In these situations, both the MSP and the business are critically impacted. The affected business experiences unplanned disruption and loss of productivity, while the MSP not only suffers a loss of reputation but also has to cover the cost of the damages for all of the customers affected.
A 2019 article from MSSP Alert described how an MSP fell victim to a cybersecurity attack, resulting in the MSP paying over $150,000 in bitcoin to purchase the decryption keys for its clients. If you decide to use an MSP to help implement and monitor cybersecurity, remember that the MSP also becomes another point where hackers can gain access to your systems. Validate how your MSP enforces security for your business, as well as how it adheres to security standards within its own business.
Myth #5: We are not a billion-dollar company, so we have no need to follow a recognized framework.
While your company may not yet have reached the benchmark of a billion-dollar company, having a framework to reference helps any manufacturer prioritize its essential cybersecurity needs. In many cases, manufacturers use these guidelines to meet the federal compliance requirements that apply based on whom they serve. Frameworks benefit manufacturers of all sizes for two reasons. First, frameworks provide a foundation for identifying and addressing security issues within an organization. For example, the National Institute of Standards and Technology (NIST) Cybersecurity Framework is organized around three components: the Core, Implementation Tiers, and Profiles. The Framework Core helps manufacturers and suppliers achieve the cybersecurity outcomes they desire while providing points of reference when a review is needed. The Implementation Tiers provide context for how an organization views cyber-related risk and the processes it has in place to manage it. Finally, the Framework Profiles align the items identified in the Core with the requirements, risk tolerance, and resources identified by the business or manufacturer.
Through a framework such as the one provided by NIST, manufacturers can continually evolve and monitor their cybersecurity progress based on the needs and resources available at the time, while effectively cataloging what is currently in place for future review. Frameworks also help manufacturers meet regulations. Manufacturers that wish to work with federal organizations, such as the DOD, are required to implement and follow specific framework requirements. For example, a manufacturer that wishes to work with the DOD may be required to become DFARS compliant. DFARS compliance requires that companies and manufacturers follow NIST SP 800-171 as a guideline or framework in order to protect Controlled Unclassified Information (CUI). If an audit finds a manufacturer not to be DFARS compliant, the company can face fines and penalties, including termination of its contract and suspension or debarment from future work with the DOD. Starting in September of 2020, new compliance requirements go into effect under the Cybersecurity Maturity Model Certification (CMMC) for DOD contractors.
Myth #6: Improving our security will hurt our productivity.
A common myth among manufacturers is that improving cybersecurity will hurt their productivity. Cybersecurity can at times strain productivity: it may require significant changes to corporate culture and information access, and it can hinder operational processes needed for day-to-day operations. However, if your business relaxes its stance against cyber risks, you increase the likelihood of becoming a victim of a cyberattack and suffering the resulting financial losses.
As a member of the leadership team, you have to ask yourself what should be done, and whether you should value productivity over the security of your data. One method that can help manufacturers balance information security and productivity is Business Process Management (BPM). Business process management is defined by OutSystems as “the practice of designing, executing, monitoring and optimizing business processes.” When manufacturers and business owners model the business processes needed on a day-to-day basis, it is important that those processes follow the security policy that is in place. Modeling the necessary business processes against the established security policy gives process managers the opportunity to understand the limitations of each process, while also setting expectations for how to maximize those processes in a secure manner.
Myth #7: We pay for backup, so we’re covered.
While paying someone to back up your data is a step in the right direction, it by no means guarantees that they can recover your data after an incident. In many cases, manufacturers discover that data was not backed up or is not recoverable, causing business disruption and financial losses for those who never verified the service they were paying for each month. Effective backup policies include regular test restores to validate functionality and dispel hearsay. During a ransomware attack, having a recent backup to recover from is the fastest way to restore operations. However, new ransomware strains target not only machines on the local network but local backup services as well. An article from Security Intelligence revealed that attackers have incorporated methods of encrypting local Network Attached Storage (NAS) devices into their ransomware attacks. NAS devices are often used as an onsite backup solution, and also to give multiple users on a network shared access to information needed for day-to-day operations. Once attackers identify these NAS devices on the network, vulnerabilities in the NAS devices are included in the ransomware attack to ensure the backup data is affected as well. In these cases, manufacturers have the option of either paying the ransom and hoping they are given a key to decrypt their data, or trying to rebuild the company from salvaged data that was not affected by the attack. This reason alone makes relying solely on backups an unsound strategy.
Another reason relying solely on backups is not a recommended plan is that many companies that use backups never test whether those backups work. Without regular backup testing, you may not know whether your backups are good enough to recover from when you actually need to restore. A 2016 article from Pivotal IT provided a shocking statistic: 34% of companies fail to test their tape backups, and of those that do, 77% have found tape backup failures. Tape backups are the only data protection system still in use today that carries a 100% guarantee that a failure to protect data will occur.
When restoring from backups that were never tested, manufacturers and business owners often find errors within the backup data, discover that the wrong data was being pulled for backups, or run into problems restoring data to their devices. It is important to test your backups regularly so that problems are identified and remediated in a controlled test, rather than discovered when you really need to restore.
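What a "regular test restore" looks like in practice, as an added example that is not from the article or any backup vendor: a backup job records a checksum manifest at backup time, and the test restore extracts the archive into a scratch directory and compares every file against that manifest. The "erp-data" tree, its contents, the tar format and the SHA-256 manifest are all choices constructed for this example. The demo also reproduces the two failure modes named above, a backup that cannot be read back and a backup that archived the wrong data, to show that both are caught in the test rather than during an incident.

```python
"""Back up a directory, then test-restore it and verify every file against the
checksums recorded at backup time. Added example, not from the article: the
'erp-data' tree and its contents are constructed, and using tar archives and
SHA-256 manifests is a choice made here, not a prescribed backup product.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source` and return a manifest
    {relative path: sha256} captured at backup time. Keep the manifest
    separate from the archive; it is what a later restore is checked against."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict, restore_dir: Path) -> dict:
    """Restore into a scratch directory (never over production) and compare
    every file with the manifest. A backup that cannot be extracted, is
    missing files, or restores the wrong bytes fails here, in a controlled
    test, rather than when the business needs the data back."""
    result = {"ok": False, "files": len(manifest), "missing": [], "corrupt": [], "error": None}
    # Newer Python versions accept an extraction filter; use it when available.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(restore_dir, **extract_opts)
    except (tarfile.TarError, EOFError, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
        return result
    for rel, digest in manifest.items():
        restored = restore_dir / rel
        if not restored.is_file():
            result["missing"].append(rel)
        elif sha256_file(restored) != digest:
            result["corrupt"].append(rel)
    result["ok"] = not result["missing"] and not result["corrupt"]
    return result


def demo(tamper: str = None) -> dict:
    """Build a constructed production tree, back it up and test-restore it.
    tamper="truncate" cuts the archive in half after the backup job reported
    success (unreadable media); tamper="stale" archives an out-of-date copy of
    a file while the manifest still describes the current one (the 'wrong
    data was being pulled' case)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "erp-data"
        (src / "orders").mkdir(parents=True)
        (src / "orders" / "2020-03.csv").write_text("order,qty\n1001,25\n1002,40\n")
        (src / "bom.json").write_text(json.dumps({"part": "A-17", "rev": 3}))
        archive = root / "erp-data.tar.gz"
        manifest = make_backup(src, archive)
        if tamper == "truncate":
            data = archive.read_bytes()
            archive.write_bytes(data[: len(data) // 2])
        elif tamper == "stale":
            (src / "orders" / "2020-03.csv").write_text("order,qty\n1001,25\n")
            make_backup(src, archive)   # re-archive, but keep the earlier manifest
        return verify_restore(archive, manifest, root / "restore-test")


if __name__ == "__main__":
    print(demo())                   # ok: True
    print(demo(tamper="truncate"))  # ok: False, error reported
    print(demo(tamper="stale"))     # ok: False, orders/2020-03.csv listed as corrupt
```

The restore always goes to a scratch location, so the test itself can never damage production data; the manifest must be stored somewhere the backup media cannot take down with it, otherwise a ransomware strain that encrypts the NAS also destroys the evidence needed to verify the restore.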
Myth #8: Only the healthcare and banking industries are targeted by cybercriminal enterprises.
While cyber-attacks against the healthcare and banking industries are common, many other industries are also targeted by cybercriminal organizations. According to the 2019 X-Force Threat Intelligence Index from IBM, the ten most frequently targeted industries in 2018 were Finance and Insurance, Transportation, Professional Services, Retail, Manufacturing, Media, Government, Healthcare, Education, and Energy. The Finance and Insurance industry had the most attacks, accounting for the highest share (19%) among the ten industries in 2018. Manufacturing was the 5th most attacked industry in 2018, experiencing 10% of the total attacks and incidents. Ironically, healthcare ranked 8th, tied with Education and Energy at 6% of the total attacks.
Myth #9: Cybersecurity is too expensive.
While many manufacturers within the supply chain may think that cybersecurity is an expensive purchase, there are scalable alternatives that can fit within your budget. Instead of looking strictly at the cost of implementing cybersecurity tools, manufacturers and small business owners should also consider the cost of the incidents and data breaches that not implementing cybersecurity allows. First, manufacturers that do not implement any form of cybersecurity risk losing sensitive proprietary information needed for day-to-day operations and for the production of goods. Manufacturers that do not invest in cybersecurity can suffer data loss or data exfiltration, resulting in rival companies gaining access to proprietary data that is invaluable to your business. Second, manufacturers and small business owners should also consider the cost of fines in the case of a data breach involving sensitive information. According to the 2019 Cost of a Data Breach Report from IBM, the average total cost for an organization with fewer than 500 employees was $2.74 million per incident. When comparing the cost of implementing a cybersecurity program with the cost of taking no stance against cyber-attacks, the fines and recovery costs of a cyber incident far outweigh the cost of implementing cybersecurity for your business.
Myth #10: Our cyber liability policy will cover our losses.
Having a cyber liability policy is a great way to cover the various costs encountered after a cybersecurity incident. Cyber liability policies are similar to other insurance policies: when certain events occur, the policyholder receives compensation that can be used to cover the incurred expenses. However, manufacturers should be careful about what type of cyber insurance they are purchasing and what each policy covers. For example, cybersecurity insurance covers first-party damage to the insured, including loss of or damage to electronic data, loss of income, cyber extortion, notification costs for affected individuals, and the cost of damage to your organization’s reputation. Cyber liability insurance covers third-party liability costs, or costs arising from claims made by a third party against your business. Items covered by cyber liability insurance can include claims of security negligence, coverage against copyright infringement, invasion of privacy, and fines incurred because regulated sensitive data was involved. When considering a cyber liability policy, make sure that you understand what is and is not covered in the policy you choose.
Manufacturers should also understand what is not covered by their cyber liability policy. In some cases, even though a manufacturer or supplier has a cyber liability policy, the provider can deny the claim. According to an article from Hewlett Packard Enterprise, the insuring party “may reject claims from covered cybersecurity clients because of poor security practices.” It is also known that some cyber insurance providers deny coverage for damages caused by social engineering attacks, and do not cover ransom payments or the damages caused by ransomware. It is important to understand that an insurer can deny your claim not only based on the type of attack you experience, but also based on the precautions and preventative measures your company had in place to protect the business from cyber attacks.
Myth #11: We don’t store any information that would make us a target.
Manufacturers, producers, and their suppliers are targets of cyberattacks even if the organization thinks the data it processes and stores has no value. The mindset of believing this will never happen to us leads to decisions that almost guarantee it will. The goal of a ransomware attack is not necessarily to steal sensitive files from the victim organization, but to interrupt the manufacturer’s productivity and force the manufacturer to pay to regain access to its systems.
Additionally, hackers and cyber criminals may target a manufacturer for its intellectual property, which they can sell to foreign competitors for profit. Between 2006 and 2018, a Chinese hacker group named APT10 carried out multiple cyberattacks against numerous American companies and government agencies to steal intellectual property and confidential business data. Given an opportunity, hackers and cyber criminals will continue to take advantage of potential vulnerabilities.
Myth #12: External attackers are the only threat to our business.
While many cyber attacks come from external attackers, threats also exist within a manufacturer’s own organization. Insider threats are defined by Virtru as “malicious insiders willfully stealing, damaging or exposing internal data or systems, but employees motivated by grievances or profit are only one small part of the total threat.” Insider threats can also include former employees who have knowledge of, or access to, an organization’s internal processes. An insider threat is a serious security concern, as attacks can be carried out without much difficulty, and insiders can easily reach sensitive information when access to company data is loosely restricted. Netwrix provides a list of best practices that can help minimize the risk of insider threats.
1. Perform enterprise-wide risk assessments.
2. Clearly document and consistently enforce policies and controls.
3. Establish physical security in your work environment.
4. Implement security software and appliances.
5. Implement strict password and account management policies and practices.
6. Monitor and control remote access from all endpoints, including mobile devices.
7. Harden the network perimeter.
8. Enable surveillance.
9. Enforce separation of duties and least privilege.
10. Recycle your old hardware and documentation properly.
11. Use a log correlation engine or security information and event management system (SIEM) to log, monitor, and audit employee actions.
12. Implement secure backup, archiving, and recovery processes.
13. Identify risky actors and respond promptly to suspicious behavior.
14. Define explicit security agreements for any cloud services, especially access restriction and monitoring capabilities.
15. Develop a comprehensive employee termination procedure.
16. Include insider threats awareness training for all employees.
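Items 11, 13 and 15 above come together in log correlation. As an added example that is not from the article or from Netwrix, the following runs two such checks over constructed log lines: logins by an account whose last day of employment has passed (a gap in the termination procedure that a SIEM should surface), and an account reading an unusual number of files outside business hours (a risky actor to respond to promptly). The accounts, dates, file paths, log format and the threshold of 20 reads are all constructed for the example.

```python
"""Two SIEM-style correlations over constructed log lines: logins by accounts
whose termination date has passed (items 11 and 15 above) and bulk after-hours
file reads (item 13). Added example, not from the article or Netwrix; the
accounts, dates, file paths and log format are constructed here.
"""
from collections import Counter
from datetime import datetime, time
from typing import List, Tuple

# Constructed HR feed: account -> last day of employment (ISO date).
TERMINATED = {"jdoe": "2020-03-31"}

# Constructed log lines in the form "<timestamp> <account> <event> <detail>".
SAMPLE_LOG = [
    "2020-04-01T08:05:12 jdoe login vpn",
    "2020-04-01T08:07:40 jdoe file_read //fileserver/eng/drawings/A-17-rev3.dwg",
    "2020-04-01T09:15:03 asmith login workstation",
    "2020-04-01T10:02:11 asmith file_read //fileserver/eng/drawings/B-02.dwg",
    "2020-04-01T10:02:45 asmith file_read //fileserver/eng/drawings/B-03.dwg",
    "2020-04-01T22:58:30 rlee login vpn",
]
# rlee pulls 25 drawings between 23:00 and 23:24, one per minute (constructed).
SAMPLE_LOG += [
    f"2020-04-01T23:{m:02d}:00 rlee file_read //fileserver/eng/drawings/C-{m:02d}.dwg"
    for m in range(25)
]


def parse(lines: List[str]) -> List[dict]:
    """Split each line into its four fields and parse the timestamp."""
    events = []
    for line in lines:
        ts, account, event, detail = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "event": event, "detail": detail})
    return events


def logins_after_termination(events, terminated=TERMINATED) -> List[Tuple[str, str]]:
    """Accounts that should have been disabled on the last day of employment
    but still authenticate afterwards. Each hit is (account, login time)."""
    hits = []
    for e in events:
        last_day = terminated.get(e["account"])
        if (e["event"] == "login" and last_day
                and e["ts"].date() > datetime.fromisoformat(last_day).date()):
            hits.append((e["account"], e["ts"].isoformat()))
    return hits


def bulk_after_hours_reads(events, threshold=20,
                           start=time(7, 0), end=time(19, 0)) -> dict:
    """Accounts reading at least `threshold` files outside business hours
    within the log window. The threshold and hours are constructed tuning
    values; a real deployment would baseline them per role."""
    counts = Counter(
        e["account"] for e in events
        if e["event"] == "file_read" and not start <= e["ts"].time() < end
    )
    return {acct: n for acct, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(logins_after_termination(events))  # jdoe logged in after 2020-03-31
    print(bulk_after_hours_reads(events))    # rlee: 25 after-hours reads
```

The first check is only possible because the HR termination feed is correlated with the authentication log; neither source flags the problem on its own, which is why item 11 pairs logging with a correlation engine rather than log collection alone.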
Myth #13: Cybersecurity is an IT issue.
If your organization operates only on paper and doesn’t use the Internet, then we might agree with you. The unplugged approach was deemed inefficient 25 years ago, which is why your business is so dependent upon applications and systems. These IT systems are vital for day-to-day operations, including producing and shipping quality products accurately and on time. When the leadership team does not define acceptable levels of financial loss, each person is left to interpret what that means. This would be similar to allowing each person in the factory to decide what counts as quality or safety. Bad things happen to a business when acceptable risk is not defined, and cyber risk is no different: it places the duty of care on the leadership team. Cybersecurity impacts all business units, departments, and team members. Once information is digitized, your business relies on its accuracy, privacy, and availability being protected. Cybersecurity requirements are fundamental everywhere, from the supply chain and data center to the branch office, the desktop, and mobile devices.
Myth #14: Protecting ourselves within the supply chain is good enough.
A supply chain is a network between a company and its suppliers to produce and distribute a specific product to the final buyer. We can likely agree that all manufacturers have customers and suppliers with whom information is exchanged. Many supply chain participants are unaware of the potential risks affecting their connected supply chains. Supply chains are often considered the weakest link for manufacturers and their suppliers, as a relationship or connection to another company can affect the security of your business. Supply chain cyber attacks often target the third-party vendors and suppliers of a targeted business, as each company within a supply chain tends to adhere to its own standards, policies, and regulations.
Successful attacks commonly originate within the subsidiaries of a larger business, vendors that work with the manufacturer or producer, and external service providers such as accounting firms or data analytics specialists. These third-party partners are often the target of supply chain attacks because of the type of information they hold about the manufacturer or producer, or because of the access they have to the manufacturer’s network and systems. In addition, CSO Online reported that “misuse or unauthorized sharing of confidential data by third parties was the second biggest security worry for 2019 among IT professionals with 64 percent of the tally.” Without proper management of what information a third party has and what it does with that information, the risk of a data breach through the connection between the manufacturer and the members of its supply chain increases substantially.
The Resilience360 Annual Risk Report 2020 indicated that, “Most companies are not adequately prepared to foresee or manage supply chain disruptions. Research shows companies with limited network visibility to dynamic risks experience significant challenges in planning and execution, resulting in high economic and reputational cost.”
According to Business Wire, there are 5 best practices that manufacturers and business owners can use to help reduce the chances of a third-party data breach from occurring:
1. To minimize the chance of a third-party data breach, evaluate the security and privacy practices of every third-party provider. This evaluation should include performing regular audits and evaluating their results. Conducting and evaluating these audits not only helps the third-party provider improve its security, but also helps you understand what data should and shouldn’t be entrusted to the third party.
2. The next best practice is to create an inventory of what data is shared with or provided to third-party providers and vendors. Having an inventory of which third-party entities you work with and what information you provide to each helps the manufacturer or business owner identify where a breach originated and understand what data is at risk. Manufacturers and business owners should also keep an inventory of any other entities the third party shares data with, and what data is shared.
3. The third best practice is to review third-party management policies and programs. This includes reviewing these policies and programs whenever a policy changes or the third party implements new systems or technologies. As new technologies are introduced across the supply chain, misconfigurations can give cybercriminals new opportunities to affect everyone in the supply chain.
4. Another best practice is to require third-party businesses to notify you when they share your data with another business. This transparency helps you keep track of which parties have access to sensitive information, and also helps identify which party is at fault should a data breach occur.
5. The final best practice is to involve senior leadership and the board of directors in third-party risk management programs. Involving senior leaders and those responsible for the relationships with third-party entities provides more information about the risks associated with third-party involvement, and can also lead to a larger budget for addressing those risks.
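Practices 2 and 4 above describe an inventory that records not only what each third party receives but also whom it passes that data on to. The following added example (not code from the article or from Business Wire) implements that inventory as a small graph: direct shares, declared onward shares, and two questions a breach notification forces you to answer quickly, namely what a breach at a given vendor exposes and which vendors hold a given data category. All vendor names and data categories are constructed; a declared onward share of data the vendor never received from you is rejected, because that discrepancy is exactly the kind of thing the notification requirement in practice 4 is meant to surface.

```python
"""Inventory of data shared with third parties, including onward sharing
(best practices 2 and 4 above), with queries for what a breach at a given
vendor exposes and which vendors hold a given data category.
Added example, not from the article or Business Wire; every vendor name and
data category is constructed.
"""
from collections import defaultdict


class ThirdPartyInventory:
    def __init__(self):
        self.direct = defaultdict(set)                       # vendor -> categories we send
        self.onward = defaultdict(lambda: defaultdict(set))  # vendor -> downstream -> categories

    def share(self, vendor, *categories):
        """Record data categories sent directly from us to a vendor."""
        self.direct[vendor].update(categories)

    def onward_share(self, vendor, downstream, *categories):
        """Record a vendor's declared onward sharing (practice 4). A vendor
        declaring it passes on data it never received from us is a
        discrepancy to chase, so it is rejected rather than silently stored.
        Declarations must therefore be entered in supply-chain order."""
        held = self.holdings().get(vendor, set())
        unknown = set(categories) - held
        if unknown:
            raise ValueError(f"{vendor} does not hold {sorted(unknown)}")
        self.onward[vendor][downstream].update(categories)

    def holdings(self) -> dict:
        """Propagate categories along onward-sharing edges until nothing
        changes, so a vendor two or more hops away is still known to hold
        our data. Cycles are handled because the loop stops at a fixpoint."""
        held = {v: set(c) for v, c in self.direct.items()}
        changed = True
        while changed:
            changed = False
            for vendor, downs in self.onward.items():
                for downstream, cats in downs.items():
                    flow = held.get(vendor, set()) & cats
                    if not flow <= held.get(downstream, set()):
                        held.setdefault(downstream, set()).update(flow)
                        changed = True
        return held

    def exposure(self, breached_vendor) -> list:
        """Data categories at risk if this vendor is breached."""
        return sorted(self.holdings().get(breached_vendor, set()))

    def vendors_holding(self, category) -> list:
        """Every vendor, direct or downstream, that holds this category."""
        return sorted(v for v, cats in self.holdings().items() if category in cats)


def build_sample() -> ThirdPartyInventory:
    """Constructed supply chain: three direct vendors, two of which pass data
    on to the same hosting provider, and one offshore subcontractor."""
    inv = ThirdPartyInventory()
    inv.share("AcmeAccounting", "payroll", "tax-ids")
    inv.share("DataAnalyticsCo", "production-metrics", "customer-orders")
    inv.share("LogisticsPartner", "customer-orders", "shipping-addresses")
    inv.onward_share("DataAnalyticsCo", "CloudHostingInc", "production-metrics", "customer-orders")
    inv.onward_share("LogisticsPartner", "CloudHostingInc", "shipping-addresses")
    inv.onward_share("AcmeAccounting", "OffshoreBPO", "payroll")
    return inv


if __name__ == "__main__":
    inv = build_sample()
    # CloudHostingInc is never dealt with directly, yet a breach there exposes
    # three of our data categories via two different vendors.
    print(inv.exposure("CloudHostingInc"))
    print(inv.vendors_holding("customer-orders"))
```

The useful property is that CloudHostingInc never appears in a contract with the manufacturer at all; only the onward-sharing entries reveal that a breach there exposes customer orders, production metrics and shipping addresses, which is the visibility gap the Resilience360 report quoted below describes.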
Myth #15: There are no reliable resources to help us get started.
The desire to grow is requiring manufacturers to reevaluate how they operate their business. Industry 4.0 initiatives such as factory floor automation, IoT, 5G connectivity, and data analytics require investments. Other growth initiatives could include pursuing new contracts with the Department of Defense (DoD), which will require investments related to the Cybersecurity Maturity Model Certification (CMMC).
Industry 4.0 initiatives have created a lot of confusion, along with misinformation and poor recommendations being communicated to executives and leadership team members. Developing a better understanding of your needs and where to begin focusing resources does not require a bank loan, although many companies are trying to sell you big-ticket systems. Business owners lament the proposals they receive to begin securing their data. Some companies require a $100,000 guarantee before they even show up to talk with you. These technology companies are leveraging your lack of understanding and manipulating the unknown to capitalize on your desire to grow and protect your business. What is more embarrassing, getting taken to the cleaners by an IT company or being hacked? Both require you to squander capital, but you should know that you have the freedom of choice.
Because of these cybersecurity myths and misconceptions, many manufacturers and their supply chains are left vulnerable to attacks from hackers and criminal organizations. If you think that the security of your business is affected by any of these myths, visit the Certitude Security™ website to speak to a member of our team today about the steps to prevent business and supply chain disruption.