The number of cyber attacks continues to rise, and cyber criminals are getting more determined. Companies are left trying to navigate confusing technical guidance in a rapidly changing digital landscape. Small manufacturers often don’t think their companies are at risk. After all, why would someone want to target a small, rural manufacturer when there are bigger businesses to target?
To understand what’s going on and to find out what manufacturers really need to know about cybersecurity, I sat down with Pat Toth. Pat is a Computer Scientist at the NIST Manufacturing Extension Partnership who has more than 30 years of cybersecurity experience and has worked on numerous NIST cybersecurity guidance documents.
Question: Are manufacturers really at risk for cyber attacks when compared to other industries? If so, why?
Pat: According to the U.S. Department of Homeland Security, the manufacturing industry is the second most targeted industry based on the number of reported cyber attacks.
I think small manufacturers are especially vulnerable because they are seen as easy entry points into larger supply chains. Think of it this way: If you are a criminal and are planning to break into a building and rob it, are you going to try to break into a building with surveillance equipment, an alarm system and guards, or are you more likely to target a building that does not have any of these security features in place? It’s typically the latter, which is why cyber criminals specifically target manufacturers. Unfortunately, many small businesses don’t have proper security measures in place because these companies don’t think they are targets.
Cyber criminals may be interested in your intellectual property (IP) or they may want to access information about who you work with or who you employ. Target’s 2013 customer data breach is one of the most well-known instances of this. Their HVAC system provider was purposely targeted by cyber criminals because the hackers knew they could gain access into Target’s systems through this HVAC provider. The data breach resulted in millions of people’s credit card information being stolen.
Question: Given that small and medium-sized manufacturers (SMMs) are often prime targets, yet also often have limited resources, what can these SMMs do?
Pat: It may seem complicated and probably a little overwhelming, but there are things that SMMs can do that are low- to no-cost and easy to implement.
What it really comes down to is putting policies in place and educating employees. Various studies have found that employees are one of the most vulnerable points in every company’s security. Most employees are simply unaware of what they need to watch out for and how to identify a potential or actual cyber incident until it’s too late. Companies need to communicate on a regular basis to help employees understand cyber criminals tactics and the critical role they play in preventing cyber incidents.
For example, your company should have a policy in place for the use of social media in the workplace. Some employees will expect to access social media during the workday. There is a balancing act that companies face – allowing employees to access social media and protecting their systems. So how do you go about doing that? You put a policy in place. The policy might be that you don’t allow the use of social media on company systems. Perhaps you provide a separate, semi-public network for people to access social media throughout the day that doesn’t expose your company to risks. Whatever your policy is, make sure your employees are aware of it, understand why it exists and the potential consequences if the policy is violated.
Question: It’s good to hear there are no- and low-cost solutions that manufacturers can implement. If a company is ready to improve its cybersecurity, where should they start?
Pat: Start by looking at the NIST Cybersecurity Framework and NISTIR 7621 Small Business Information Security: The Fundamentals. The Cybersecurity Framework consists of standards, guidelines and best practices to manage cybersecurity-related risk. It provides a prioritized, flexible and cost-effective approach to protecting systems. Small Business Information Security: The Fundamentals is based on the Cybersecurity Framework and provides a more manageable overview for company decision-makers who may not have technical backgrounds. It also focuses on how to assess and prioritize security functions.
To get you started, here’s a brief summary of what you will find in the Framework.
The first step is Identify. Identify the most valuable information to your company. This is the information that if lost or modified, would bring your operations to a halt. For instance, let’s say you’re a food manufacturer and you make chocolate chip cookies using your grandmother’s recipe. That recipe is vital to your business and should be protected against theft or modification so that your business can continue.
The second step is Protect. You’ve talked with managers and staff and used this feedback to identify the most important information to your company. Now it’s time to decide what needs to be done to properly protect that information. This step is largely dependent on the threats and vulnerabilities that are specific to your business. Small companies that simply work with customers through face-to-face interaction or over the phone won’t have as much to protect as companies that conduct business through email and web portals. It really depends on your operating environment as to what protection you need to put in place.
The third step is Detect. You need to be able to detect when a cyber incident has occurred. You should have up-to-date anti-spyware, anti-virus and intrusion detection systems in place. You should also consider your physical space. Consider things like whether you need to be alerted when people access areas they shouldn’t. Whether an incident is digital or physical, it’s important to know when the incident happened and what the person(s) gained access to.
The fourth step is Respond. When a cyber incident occurs, your company will need to respond quickly to mitigate potential damage. You need to have a plan in place before something happens. The plan should include who is responsible and who should be contacted when something occurs. Also, employees must know how to access the plan during and after business hours.
Remember back to grade school when we practiced fire drills a few times a year? Just like those fire drills, your company should regularly practice its cyber incident response so employees know exactly what to do if a cyber incident occurs.
The fifth and final step is Recover. You should perform regular backups so you can recover your systems. These backups should be stored in a separate location or in the Cloud. You need to test your backups. If you don’t test your backup information, you can’t be sure that you will be able to fully recover from an event. How often you decide to test your backups should be based on how vital the information is to the company’s operations.
This is not a “one size fits all” situation, and you must decide what works for your company and its culture. For one company, testing once per year might suffice. For another company, it might need to test once per week. It’s not an easy answer to hear, but it really requires looking at your systems to see where you are vulnerable, knowing the threats you face and how you are going to counteract them.
Question: Let’s say my company has put proper safety measures in place and we’ve created a response plan: What comes next?
Pat: This isn’t a “one and done” activity. You can’t write a response plan and put it on a shelf. This should be a living document. Everyone needs to know your cybersecurity posture and how you can continue to improve it.
Every time you buy a new piece of equipment or you hire a new employee, you need to think about how these activities impact your security. For smaller companies, this can be hard. All too often, I see instances in which a company has quickly grown and forgets that not everyone needs access to every bit of information. It can take some time, but management needs to go through a list of employees and see what they should and shouldn’t have access to. Someone on the shop floor doesn’t need access to payroll information. Defining roles and implementing the separation of those roles can be difficult, but is necessary when looking to protect your company from cyber threats.
I think cybersecurity and quality have many similarities in terms of adoption. Many companies were slow to adopt quality systems like ISO 9000. A major component of quality is the mindset in a company. Cybersecurity isn’t relegated to just the IT person or person in charge of cyber — every employee at every level of the company has some form of responsibility. Cybersecurity needs to be part of a company’s culture – just like quality – in order to be effective.
Questions: Where can I find information to educate my workers on things they can do to reduce the company’s cyber risk?
Pat: Go to the NIST MEP Cybersecurity Resource web page. On this page you will find a number of resources including a simple self-assessment tool that you can use (based on NIST’s Cybersecurity Framework) to self-evaluate your company’s level of cyber risk. The self-assessment can help you determine where your company’s weaknesses are and where to focus resources toward improving them. We don’t track your information or keep the results. After taking the assessment, you will receive a score so you know where your weaknesses are with regards to your cybersecurity efforts. You can also reach out to one of the 51 MEP Centers, located in all 50 states and Puerto Rico, that are part of the MEP National NetworkTM for questions or assistance.