Manufacturing | Distribution | Retail Practice
11.01.2016 | Hauppauge Reporter
The manufacturing industry lags behind other industries in its adoption of best practices to protect itself against cyberattacks. Companies that fail to put appropriate IT security measures in place – many of which are preventative in nature – run the risk of falling prey to cyberattacks, which are occurring with greater frequency within the industry.
According to the Verizon 2015 Data Breach Investigations Report, 525 separate incidents of cyberattack, often in the form of cyber-espionage, were reported in the manufacturing segment. That number is more than double the 251 incidents reported in 2014. It only takes a single data breach to damage the trust you have developed with your customers and investors or to lose vital information about your own processes or proprietary information you have developed.
The manufacturing industry has been slower to protect itself than other industries, such as healthcare and financial services, because it has not been regulated when it comes to information security practices. The healthcare industry must abide by the rules of the Health Insurance Portability and Accountability Act (HIPAA). The financial services industry must abide by the Payment Card Industry Data Security Standard and the Gramm-Leach-Bliley Act.
What is the subject of these cyberattacks in manufacturing?
The Federal Bureau of Investigation (FBI) estimates that hundreds of billions of dollars of US-based intellectual property is leaving the US through computer-based attacks each year. These attacks are often carried out in the name of competition and, in some instances, are perceived as standard business practice in other countries and cultures.
Why the spike in cyberattacks?
There are any number of reasons, including the desire to steal ideas, proprietary processes, patents, designs, and formulas, as well as an increasingly competitive global marketplace. Changes in the way we work also make our networks more vulnerable if preventative steps are not taken.
Research from Dell Computer reveals that changes in our work habits open the door to cyberattacks:
- More than 50% of employees around the world use their personal devices for work, or expect to do so in the future.
- Approximately two thirds of employees globally conduct at least some business from home.
- Almost 80% of employees working in highly regulated industries use file-sharing websites.
You want your people to have ready access to critical data, and they often need that access from their own devices. At the same time, your customers want to know that their data is safe, and your investors want to know that your network is secure.
Those who conduct cyberattacks generally look for the easiest, most vulnerable access point to your network, much like a home invader will look for an unlocked door or window. All of these are reasons why you need to protect yourself as a manufacturer.
How can you protect your business?
On an individual basis, take these measures:
- Match the appropriate employees to appropriate devices.
- Put the right security and access levels in place.
- Implement multiple levels of authentication.
- Set firm rules as to the nature of passwords: insist that they be better and longer.
You also have the ability to restrict mobility and cloud access in order to improve your data security.
On the company level, implement these steps if they are not already in place:
- Update your hardware and software on a regular basis.
- Educate/train your employees. Employees are the best first line of defense, but are often the most clueless. They need to understand what to look for (don’t just trust everything!) and why it is so important to be prudent.
- Encrypt your data so that it is protected, whether accessed on your own servers, thumb drives, personal devices, or the cloud.
- Conduct an annual IT risk assessment. This process will help you understand the origins of the threats against your network.
- Perform annual penetration tests. Either someone on your internal IT staff or an outside consultant tries to penetrate your network.
- Conduct ongoing vulnerability scanning throughout the year.
IT security must be seen as an ongoing process, not an annual event. If you approach this practice as an annual event, an attack could occur months before it is detected and come at a very high cost. You could lose proprietary information, have product locations identified (which opens the door to product theft), and suffer loss of inventory and loss of market share. Each loss implies an increase in the ultimate cost of the product to consumers and raises the profile of cybersecurity in the consumer’s mind. It is a vicious, costly circle.
It is true that none of these steps can guarantee that your company will never be the target of a cyberattack. But if they are implemented and monitored, you will have taken steps to make such an attack more difficult and less likely to occur. Cybersecurity should become a priority across your manufacturing organization.
Questions? Contact your Berdon advisor. Berdon LLP, New York Accountants
This article was first published in Client Alert 10.18.16