A gang of cybercriminals launched a successful ransomware attack earlier this month against Colonial Pipeline, the largest refined products pipeline in the United States, with $15 billion in annual revenue.
Another multi-billion-dollar company, Molson Coors Beverage Co., was targeted earlier this year in a cyberattack that disrupted brewery operations, production and shipments.
How can a small to mid-size manufacturer defend against a criminal enterprise with an ability to disrupt the country’s largest companies?
The truth is that all companies, big or small, will be the subject of a cyberattack. Larger companies with more complex networks may be more vulnerable, and they carry the allure of a six- or seven-figure payout if the attack is successful, cybersecurity experts say.
Developing and maintaining a mature security posture despite these challenges can be achieved more easily through a managed security services provider (MSSP).
“It’s not a losing battle for smaller companies,” said Kevin Bong, senior manager of the technology division and penetration testing lead for Sikich.
Small manufacturers typically have simple and straightforward networks, which offer a lot of opportunity to defend against and recover from attacks.
“If you make the effort to do the basics and do a vulnerability assessment, you actually get yourself in a good security posture,” Bong said. “You don’t have the complexity of those large organizations where one little gap will allow someone in.”
Attackers are finding that the manufacturing industry lacks the security posture of heavily audited industries like banking and health care, which has led to increased cyberextortion among manufacturers of all sizes, Bong said.
In fact, more than 50% of manufacturing companies experienced two or more information security events during 2020, according to a Sikich survey conducted in March of over 125 manufacturing and distribution executives. Of the cybersecurity incidents that executives reported, 81% were email phishing scams, 42% were unemployment fraud and 9% were ransomware events.
Organizations like Microsoft and the National Institute of Standards and Technology are pushing companies to take a more holistic approach to cybersecurity. Firewalls and anti-virus software are great, but companies need to develop management and structure around cybersecurity, said Todd Streicher, vice president of CyberNINES, a cybersecurity services firm.
More than 5,000 manufacturing companies in Wisconsin have contracts with the U.S. Department of Defense, which means they must comply with cybersecurity frameworks developed by NIST. These frameworks help companies assess and improve their ability to prevent, detect and respond to cyberattacks.
What is the process when an employee leaves the company? When should a company disable an employee’s account and network access?
“All these things are identified through this framework,” Streicher said. “It’s not just throwing technology at it. It’s looking at things in a fully comprehensive manner.”
Companies without DOD contracts are adopting NIST framework strategies because it’s the gold standard, and it provides a business with a competitive advantage, Streicher said. In fact, some companies will give prospective partners a security questionnaire to gauge whether that relationship would pose a risk for their own organization.
“From a business maturity perspective, you need to contend with these things to put yourself in a better position,” Streicher said.
NIST frameworks promote practices like quarterly vulnerability assessments, where a third-party organization evaluates if a company’s information system is susceptible to any known weaknesses.
Other security best practices include multi-factor authentication, especially for employees accessing a company’s servers remotely and for passwords associated with backup files.
If an attacker obtains the password protecting a company's backup files, they can encrypt the company's data and delete the backups, leaving the company with no choice but to pay a ransom.
“Every manufacturer needs to stop what they’re doing and ask their IT guy, ‘can someone who has stolen our password delete our backups?’” Bong said.
If the answer is “yes,” then those files need to either be stored offline or placed on a cloud that requires multi-factor authentication to access.
Companies with modern cybersecurity practices are replacing eight-character passwords with pass phrases like “staple battery horse 27,” which are simple enough for a human to remember but far more difficult for a hacker to guess or for a computer to crack because of their length and unpredictability, Bong said.
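To make the pass-phrase advantage concrete, the following added example (not code from the article or from Sikich) quantifies how much guessing work an attacker faces for an eight-character random password versus a pass phrase of randomly chosen words, and generates such a pass phrase with a cryptographically secure random source. The 16-word list is constructed for the demo; the 7,776-word list size and the 10 billion guesses per second rate are assumed figures for a standard diceware-style wordlist and an offline cracking rig. The key lesson it shows is that the gain comes from length and from picking the words randomly rather than by hand: four random words roughly match a fully random eight-character password, and each extra word adds about 13 bits.

```python
import math
import secrets

# Constructed mini wordlist for demonstration only; a real deployment would use a
# published list (the EFF long list has 7,776 entries, the size assumed below).
SAMPLE_WORDS = [
    "staple", "battery", "horse", "correct", "anvil", "copper", "meadow", "lantern",
    "orbit", "pebble", "quartz", "ribbon", "saddle", "timber", "velvet", "walnut",
]
PRINTABLE_ASCII = 95        # symbols a random 8-character password can draw from
DICEWARE_LIST_SIZE = 7776   # assumed size of a standard diceware-style wordlist


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` independent, uniformly random picks from `pool_size` symbols.

    This is the honest measure: a word-based secret is only as strong as the
    randomness of the selection, so a hand-picked phrase scores lower than this.
    """
    return length * math.log2(pool_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average the attacker searches half the keyspace."""
    return (2 ** bits) / 2 / guesses_per_second


def generate_passphrase(words, count: int, separator: str = " ") -> str:
    """Pick `count` words with a CSPRNG; `secrets` is the right module, `random` is not."""
    return separator.join(secrets.choice(words) for _ in range(count))


def compare_schemes(guesses_per_second: float = 1e10) -> dict:
    """Entropy and expected crack time for the schemes discussed above.

    Returns {scheme name: (bits, expected_seconds)}.
    """
    schemes = {
        "8 random ASCII characters": (PRINTABLE_ASCII, 8),
        "4 diceware words": (DICEWARE_LIST_SIZE, 4),
        "5 diceware words": (DICEWARE_LIST_SIZE, 5),
        "6 diceware words": (DICEWARE_LIST_SIZE, 6),
    }
    result = {}
    for name, (pool, length) in schemes.items():
        bits = entropy_bits(pool, length)
        result[name] = (bits, expected_crack_seconds(bits, guesses_per_second))
    return result


if __name__ == "__main__":
    print("Example pass phrase:", generate_passphrase(SAMPLE_WORDS, 5))
    for name, (bits, seconds) in compare_schemes().items():
        print(f"{name:28s} {bits:6.1f} bits  ~{seconds / 86400:12.1f} days at 1e10 guesses/s")
```

Running the block prints a randomly generated five-word phrase and the comparison table; at the assumed guess rate an eight-character random password falls in days while a five-word random phrase takes decades, and a six-word phrase centuries. The same numbers are a reason to set password policy by minimum length (and a breached-password check) rather than by character-class rules that push users back toward short, predictable strings.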
Manufacturers are also purchasing cybersecurity insurance, which covers ransomware payment and other expenses associated with an attack including legal counsel or resources to recover lost data.
Steps to bolster cybersecurity
- Use pass phrases instead of eight-character passwords.
- Ensure remote access by employees requires multi-factor authentication.
- Regularly update anti-virus software and firewalls.
- Develop company-wide or department-specific cybersecurity practices and a management structure for employees to follow.
- Understand what is covered under a cybersecurity insurance policy.