Cyberattacks targeting businesses, especially manufacturing and the supply chain, have become increasingly complex and the stakes have never been higher. The average cost is $2.4 million per attack.
Despite this, many manufacturers have never conducted a thorough security assessment or taken the necessary steps to ensure adequate network security, even as recent reports show increases in both the frequency and the cost of cyberattacks. Today, many organizations display "passive acceptance" towards reported increases in intricate cyberattacks, rather than taking "positive action" to prevent them, according to BizReport.com.
A 2020 survey of manufacturers provides clarity. "Manufacturers are greatly concerned about cybersecurity and hacking, with more than 60% indicating they fear they are at risk as more operations and supply chains are digitized." The number of companies indicating cybersecurity is hampering their growth doubled from 2019. (MAGNET 2020 MSDR)
Findings from a separate survey revealed, "Only 42 percent of respondents rate their organizations' ability to minimize or mitigate IT security risk as high…Their organizations' approach to dealing with threats is reactive, focusing on the immediate threat or 'hack du jour.'" — Ponemon Institute: Separating the Truths from the Myths in Cybersecurity.
Based on these conclusions, one of the most effective ways for any manufacturer to stay on top of cyber risk across the organization is to make periodic use of what is known as a cybersecurity assessment. This reduces the danger inherent in the old truth that what you don't know can, and likely will, hurt you and your organization.
Ineffective cybersecurity assessments
The actionable information from cybersecurity assessments varies greatly across providers. That is due to the security knowledge gap between IT service providers, also known as managed service providers, and more skilled companies that focus solely on cybersecurity. There is a big push in the IT market for outsourced IT providers to capture your revenue by talking about cybersecurity. They hope you are naïve and will permit a free amateur "security" scan of your network. Then they present a basic and incomplete report showing vulnerabilities, highlighting why you need their managed services. This approach is effective because manufacturers don't know where to start.
The following quote originates from an IT channel vendor selling "security in a box" to inexperienced IT service providers, an approach that misrepresents the real security risk to companies. "It's your comprehensive internal cybersecurity service-in-a-box, complete with the technology, tools, software, marketing materials and instructions for creating and delivering your own, branded recurring cybersecurity managed service. This webinar will explain it all. We'll cover the market opportunity, then show you how to sell and deliver the services." This helps to explain why increasing numbers of MSPs are being breached by hackers. To be uninformed is to be at the mercy of others.
What types of services are employed in cybersecurity assessments?
According to CERTITUDE SECURITY™, there are four main types of services employed for effective cybersecurity assessments: risk assessments, vulnerability assessments, network assessments and application security assessments (which include penetration testing), along with variations of policy and procedure reviews.
Comprehensive assessments include strategy discussions, reviews, tests, audits and assessments to produce findings and conclusions about the overall level of cybersecurity within a manufacturer and recommend the prioritized steps needed to mitigate probable cyber risk.
To be clear: while results from many different services can be used to compile an overall cybersecurity assessment, there are also specific services called assessments that serve different purposes than tests or audits.
Cybersecurity-related assessments such as risk assessments are carried out to identify and analyze potential risks facing a manufacturer so that resources are properly allocated. The terms cybersecurity risk assessment and cybersecurity assessment are often used interchangeably to refer to the latter.
Risk assessments determine which assets are most valuable or most at risk of being compromised. NIST defines the purpose of a risk assessment as follows: "Risk assessments are used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems."
An abbreviated list of criteria could include:
- Identify and classify information value
- Identify and prioritize services and assets
- Identify threats that could, or are likely to, cause harm
- Identify vulnerabilities associated with probable threats
- Identify controls and processes that are in place to reduce the likelihood of the threat or prevent it outright
- Identify the likelihood and impact of loss scenarios
- Prioritize risks based upon probability, prevention cost versus data value and impact
- Ongoing assessment, reporting, planning and remediation
- Adjustments to policies and procedures
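The criteria above describe a procedure: inventory assets and their value, pair them with threats and vulnerabilities, credit the controls already in place, estimate likelihood and impact, and then rank by probability and by prevention cost against data value. The following is an added example of a minimal risk register that carries those steps through in code; it is not code from the original article or from CERTITUDE SECURITY™. The 1-to-5 scales, the mapping from likelihood to an annual probability, the linear credit for existing controls and the sample register entries are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: a qualitative 1..5 likelihood maps to a rough probability per year,
# so that "prevention cost versus data value" can be compared in the same units.
LIKELIHOOD_TO_PROBABILITY = {1: 0.05, 2: 0.15, 3: 0.35, 4: 0.60, 5: 0.90}


@dataclass
class Risk:
    """One line of the risk register: an asset, a threat, the weakness it would use."""
    asset: str                 # service or asset being protected (criterion: identify assets)
    asset_value: float         # assumed value of the data/service if lost, in USD
    threat: str                # what could cause harm (criterion: identify threats)
    vulnerability: str         # weakness the threat would exploit
    likelihood: int            # 1..5, estimated before crediting existing controls
    impact: int                # 1..5, severity of the loss scenario
    controls: List[str] = field(default_factory=list)  # controls already in place
    control_effect: float = 0.0  # assumed fractional reduction in likelihood, 0..1
    prevention_cost: float = 0.0  # cost of the proposed remediation, in USD


def residual_probability(r: Risk) -> float:
    """Annual probability after crediting controls (assumption: linear reduction)."""
    base = LIKELIHOOD_TO_PROBABILITY[r.likelihood]
    return round(base * (1.0 - r.control_effect), 4)


def risk_score(r: Risk) -> int:
    """Classic likelihood x impact score on a 1..25 scale, used for ranking."""
    return r.likelihood * r.impact


def expected_loss(r: Risk) -> float:
    """Probability-weighted loss: what the asset is worth times how likely the loss is."""
    return round(residual_probability(r) * r.asset_value, 2)


def remediate_now(r: Risk) -> bool:
    """Prevention cost versus data value: worth fixing when the fix costs less than
    the expected loss it removes. A 'False' here means 'accept or seek a cheaper control',
    not 'ignore'."""
    return r.prevention_cost < expected_loss(r)


def prioritize(register: List[Risk]) -> List[Dict]:
    """Rank the register by score, then by expected loss, and attach the cost/value verdict."""
    ranked = sorted(register, key=lambda r: (risk_score(r), expected_loss(r)), reverse=True)
    return [
        {
            "asset": r.asset,
            "threat": r.threat,
            "score": risk_score(r),
            "residual_probability": residual_probability(r),
            "expected_loss": expected_loss(r),
            "prevention_cost": r.prevention_cost,
            "remediate_now": remediate_now(r),
        }
        for r in ranked
    ]


def build_sample_register() -> List[Risk]:
    """Constructed sample entries for a fictional manufacturer (not real data)."""
    return [
        Risk("ERP server", 500_000, "ransomware", "unpatched remote access service exposed",
             likelihood=4, impact=5, controls=["offline backups"], control_effect=0.25,
             prevention_cost=20_000),
        Risk("Marketing site", 20_000, "defacement", "outdated CMS plugin",
             likelihood=3, impact=2, prevention_cost=3_000),
        Risk("PLC network", 1_000_000, "insider sabotage", "shared administrator credentials",
             likelihood=2, impact=5, controls=["badge-controlled access"], control_effect=0.5,
             prevention_cost=150_000),
        Risk("HR file share", 50_000, "data theft", "share writable by every user",
             likelihood=3, impact=3, prevention_cost=500),
    ]


if __name__ == "__main__":
    for row in prioritize(build_sample_register()):
        print(f"{row['asset']:<15} score={row['score']:>2} "
              f"expected_loss=${row['expected_loss']:>10,.0f} "
              f"cost=${row['prevention_cost']:>8,.0f} fix_now={row['remediate_now']}")
```

The ranking is deliberately two-stage: the qualitative score decides the order a board sees, while the expected-loss comparison answers the "is the fix worth it" question the criteria list raises. In the sample, the PLC network ranks second by score but its proposed fix costs twice its expected loss, which is exactly the kind of entry that should prompt a search for a cheaper control rather than a blanket "remediate everything" plan.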
Vulnerability assessments identify, define, quantify and prioritize the severity of vulnerabilities within your systems. This output drives awareness of the threats that require remediation, reducing the likelihood of an attacker successfully breaching your systems.
Network assessments tend to focus on potential entry points for cyberattacks from inside and outside your organization. Do open ports or misconfigured permissions increase the likelihood of a compromise that could lead to a breach of sensitive data and/or cause downtime?
Application security assessments are the intentional evaluation and attempted exploitation of a website, application or service that a system or group of systems requires for core functionality. They discover exploitable vulnerabilities that may exist in application flaws, configurations, operating systems, missed system patches and/or risky end-user behaviors. The weaknesses are reported and prioritized for remediation to keep data safe and systems online. Regularly reassessing and remediating external-facing or critical business systems by simulating real-world cyberattacks can help improve the capabilities of an organization's development and information security practices.
Assessments for Compliance
If a manufacturer must comply with regulations or other information security standards and/or privacy restrictions, an audit is another type of service available for use during a cybersecurity assessment. These assessments merely determine whether a network's practices meet a particular set of standards (whether internal or government-imposed); a successful audit does not ensure that a network is free from cyber risk.
Continuous assessment services are also available for those who wish to continue their cybersecurity assessment over an extended period of time, such as CERTITUDE SECURITY™ Inspectionem continuous cyber exposure services for accountability and predictability. The service provides manufacturers with tailored weekly, monthly and quarterly insights and reports that encourage sound security practices, prioritizing and remediating the cyber threats with the highest business impact so that your critical assets are safeguarded from malicious exploitation.
Successful cybersecurity assessments require different sets of expertise
According to CERTITUDE SECURITY™, there are two different sources of information required to complete cybersecurity assessments: strategic and tactical. The assessment services are handled by team members with differing levels of business and technological abilities.
Strategic, executive-level assessment
Strategic intentions are set in the boardroom and/or by the leadership team and relate to culture, prioritization, risk exposure and budgets. Executive-level contributors support business functions as opposed to technical functions.
Tactical, hands-on assessment
Typically, application and system reviews are conducted by those with a deep technical understanding of the business, such as the internal IT department or an outsourced IT provider. The cybersecurity assessments are based on the priorities of the strategy and inform the actual prioritization of cybersecurity measures and infrastructure investments.
It is common for the technical team to communicate with the executive team in technical language that is neither easily understood nor easily translated into the strategic, executive language.
"You cannot manage what you fail to measure": cybersecurity assessments are essential to quantify the unknown.
Whether different assessments are performed individually or in combination, the results produced from cybersecurity assessment services can be used to create a strong foundation for any manufacturer's cybersecurity strategy. This will bring about better informed cybersecurity policies and procedures protected by advanced response tactics, techniques and procedures.
CERTITUDE SECURITY™-conducted cybersecurity risk assessments, for example, allow our manufacturing clients to focus on specific threats or threat actors and determine the probability that these factors will result in exposure and/or loss.
Cybersecurity assessments are especially valuable to manufacturers because they allow those in charge to identify and learn about cyber risks, exploits and other vulnerabilities in systems that they might otherwise never have discovered until a successful breach occurred. As CERTITUDE SECURITY™ puts it, "you cannot manage what you fail to measure."