Cyber attacks targeting businesses, especially manufacturing and the supply chain, have become increasingly complex, increasing the stakes. The average cost is $2.4 million per attack.
Despite this realization, many manufacturers have never conducted a thorough security assessment and taken the necessary steps to ensure adequate network security, according to recent reports showing increases in cyber attack frequency and cost. Today, many organizations display “passive acceptance” towards reported increases in intricate cyber attacks rather than take “positive action” to prevent them, according to BizReport.com.
A 2020 survey of manufacturers provides clarity. “Manufacturers are greatly concerned about cybersecurity and hacking, with more than 60% indicating they fear they are at risk as more operations and supply chains are digitized.” The number of companies indicating cybersecurity is hampering their growth doubled from 2019. (MAGNET 2020 MSDR)
Findings from a separate survey revealed, “Only 42 percent of respondents rate their organizations’ ability to minimize or mitigate IT security risk as high…Their organizations’ approach to dealing with threats is reactive, focusing on the immediate threat or ‘hack du jour.'” — Ponemon Institute: Separating the Truths from the Myths in Cybersecurity.
Based on these conclusions, one of the most effective ways any manufacturer can stay on top of the cyber risk across their organization is to make regular use of what is known as a cybersecurity assessment. This can diminish the danger that lies in what you don’t know can and likely will hurt you and your organization.
Ineffective cybersecurity assessments
The actionable information from cybersecurity assessments varies significantly across providers. That is due to the security knowledge gap between IT service providers, managed service providers, and more skilled companies that solely focus on cybersecurity. There is a big push in the IT market for outsourced IT providers to capture your revenue by talking about cybersecurity. They hope you are naïve and permit a free amateur “security” scan of your network. Then, they present some basic and incomplete reports showing vulnerabilities, highlighting why you need their managed services. This approach is practical because manufacturers don’t know where to start.
This quote originates from an IT channel vendor selling “security in a box” to inexperienced IT service providers that misrepresents the real security risk to companies. “It’s your comprehensive internal cybersecurity service-in-a-box, complete with the technology, tools, software, marketing materials, and instructions for creating and delivering your own branded recurring cybersecurity managed service. This webinar will explain it all. We’ll cover the market opportunity, then show you how to sell and deliver the services.” This approach helps to explain why hackers are breaching increasing numbers of MSPs. To be uninformed is to be at the mercy of others.
Cybersecurity assessments and types of services employed?
According to CERTITUDE SECURITY™, four primary services are employed for practical cybersecurity assessments: risk assessments, vulnerability assessments, network assessments, and application security assessments, including penetration testing and variations of policy and procedure reviews.
Comprehensive assessments include strategy discussions, reviews, tests, audits, and assessments to produce findings and conclusions about the overall cybersecurity level and recommend the prioritized steps to mitigate probable cyber risk.
To be clear: while results from many different services can compile an overall cybersecurity assessment, there are also specific services called assessments that serve other purposes than tests or audits.
Cybersecurity-related assessments such as risk assessments help identify and analyze potential risks facing a manufacturer to allocate resources correctly. The terms cybersecurity risk assessment and cybersecurity assessment are misused to refer to the latter.
Risk assessments determine which assets are most valuable or at-risk of being compromised. Cyber risk assessments are defined by NIST as “risks assessments are used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.”
An abbreviated list of criteria could include:
- Identify and classify information value
- Identify and prioritize services and assets
- Identify threats that could/likely cause harm
- Identify vulnerabilities associated with probable threats
- Identify controls and processes that are in place to minimize or prevent the likelihood of the threat
- Identify the probability and impact of loss scenarios
- Prioritize risks based upon probability, prevention cost versus data value, and impact
- Ongoing assessment, reporting, planning, and remediation
- Adjustments to policies and procedures
Vulnerability assessments identify, define, quantify, and prioritize the severity of vulnerabilities within your systems. This knowledge output drives awareness of the threats that require remediation to reduce the likelihood of an attacker successfully breaching your systems.
Network assessments focus on potential entry points for cyberattacks from inside and outside your organization. Do open ports or misconfigured permissions increase the likelihood of compromise that could lead to a breach of sensitive data and/or cause downtime?
Application security assessments are the intentional evaluation and attempted exploit of a website, application, or services required by a system or group of systems for core functionality. Discovering exploitable vulnerabilities that may exist in application flaws, configurations, operating systems, missed system patches, and/or risky end-user behaviors. The reported weaknesses are prioritized for remediation to keep data safe and systems online. Reassessing and remediating external-facing or critical business systems by regularly simulating real-world cyberattacks can help improve the capabilities of an organization’s development and information security practices.
Assessments for Compliance
If a manufacturer must comply with regulations or other information security standards and/or privacy restrictions, an audit is another type of service available to use during a cybersecurity assessment. These assessments merely determine whether a network’s practices meet a particular set of standards (internal or government-imposed). A successful audit does not ensure that a network is entirely free from cyber risk.
Continuous assessment services are also available for those who wish to continue their cybersecurity assessment over an extended period, such as CERTITUDE SECURITY™ Inspectionem continuous cyber exposure services for accountability and predictability. The service provides manufacturers with tailored weekly, monthly, quarterly insights and reports that encourage sound security practices to prioritize and remediate the cyber threats with the highest business impact to safeguard critical assets from malicious exploitation.
Successful cybersecurity assessments require different sets of expertise
According to CERTITUDE SECURITY™, there are two other sources of information required to complete cybersecurity assessments: strategic and tactical. Team members handle the assessment services with differing business and technological abilities.
Strategic, executive-level assessment
The board and leadership team set the strategic intentions related to culture, prioritization, risk exposure, and budgets. The executive-level contributors support business functions as opposed to technical operations.
Tactical, hands-on assessment
Typically, application and system reviews are conducted by those with a deep technical understanding of business, such as the internal IT department or outsourced IT provider. The cybersecurity assessments are based on the strategy’s priorities and inform the prioritization of cybersecurity measures and infrastructure investments.
It is common to experience the technical team communicating with the executive team in a technical language that is not easily understood or translated into strategic business language.
“You cannot manage what you fail to measure”: cybersecurity assessments are essential to quantify the unknown.
Whether different assessments are performed individually or in combination, the results from cybersecurity assessment services create a strong foundation for any manufacturer’s cybersecurity strategy. This information supports better-informed cybersecurity policies and procedures protected by advanced response tactics, techniques, and procedures.
CERTITUDE SECURITY™-conducted cybersecurity risk assessments, for example, allow our manufacturing clients to focus on specific threats or threat actors and determine the probability that these factors will result in exposure and/or loss.
Cybersecurity assessments are precious to manufacturers because they allow those in charge to identify and learn about cyber risks, exploits, and other vulnerabilities in systems that they may have never discovered until a successful breach occurred. As CERTITUDE SECURITY puts it, “you cannot manage what you fail to measure.”
As a proud supporter of American manufacturing, Certitude Security is working diligently to inform leaders and facilitate essential asset protection priorities for supply chain businesses throughout the United States. When you are interested in learning about the empowering services that Certitude Security can offer, visit our website or coordinate a time to speak to a team member today.