Is your manufacturing business running a technology debt?

Oct. 30, 2019

This paid piece is sponsored by Eide Bailly LLP.

Manufacturing and distribution are industries built on momentum. But what happens when maintaining the necessary speed puts you at risk of grinding to a halt completely?

Manufacturing often can be a business of thin margins and shifting priorities. An area that often gets pushed down on the priority list is updating technology, mostly because systems are functioning properly so there appears to be no reason to update them.

The result is an alarming number of manufacturing companies using old technology on their floors, which makes them a prime target for hackers and a huge cyber risk.

The cyber risk in a technology debt

Keep technology at the bottom of the priority list too long, and you end up with a “technology debt” — systems that are way behind on necessary security patches and updates or, worse, not supported with those updates at all.

“Manufacturing is behind the times when it comes to IT in general,” said Todd Neilson, chief technology officer for cybersecurity and risk management firm Secuvant.

“It’s not uncommon to see a Windows XP or Windows Server 2003 machine being used because it works. Security updates for XP ended in 2014 and in 2015 for Windows Server 2003.”

Technology that is no longer being supported with security patches is a magnet for cyberthieves, Neilson said, because hackers generally hit the lowest-risk targets first.

How cyberthieves work

Many manufacturers may think that because this technology is often tied to machines on the floor, the threat is minimal. But as long as those machines are connected to a network, the threat is too big to ignore, said Anders Erickson, director of cybersecurity for Eide Bailly.

“Many manufacturers are unaware of just how much cyber risk they are carrying,” Erickson said.

“Cyberthieves don’t announce their presence. They may sit in your system for months just monitoring to see what kind of sensitive information they can get. For example, they may wait to see how your organization handles wire transfers, who approves and who is in the chain. Then, they’ll wait for the right time to act, get what they want and move on.”

There are several types of cyberattacks. Thieves will take anything with perceived value: IP data, customer data, credit card numbers. Some may even enact ransomware schemes or take down floor machinery simply because they can.

Think broadly about your cyber risk

You might think updating your technology is the solution, but that’s only a part of the puzzle in today’s cybersecurity landscape. Protecting your organization from a breach is more than just setting up a firewall. Cyberthieves are sophisticated, and it takes a comprehensive approach to cybersecurity awareness to ensure you are protected.

“You have to take a risk-based approach,” Erickson said. “Ensure you have the security policies and controls that focus on the greatest risk to your unique way of doing business.”

While more manufacturers are understanding this, there are still many who are behind in this critical area. In one recent survey, 40 percent of manufacturing cybersecurity professionals said they do not have a formal cybersecurity strategy nor do they follow standardized information security policy practices.

“That’s very typical,” Neilson said.

“We find a majority of the businesses we talk to say they have a cybersecurity strategy, but they don’t understand what that strategy should actually encompass. They may think they are doing well because they have a firewall and anti-virus protection or even people who are watching to react when they get hit. That’s not a strategy. They don’t consider things like disaster recovery, business continuity or crisis planning and incident response as portions of their cybersecurity strategy.

“Everyone is struggling to put the controls in place to address current threats. You have to continually move forward with different options and controls to keep pace with today’s threats.”

Three ways manufacturers can improve their cybersecurity awareness

For some, the first hurdle may simply be not knowing where to start. True cybersecurity awareness takes a comprehensive approach, but there are areas you can look at now to get on the right track to protecting your organization.

  1. Update your technology. A large number of manufacturers are using technology that is out of date and extremely vulnerable to attacks. Staying current on your technology and helping your OT and IT teams work together will increase your cybersecurity by leaps and bounds.
  2. Utilize a cybersecurity framework. There are already cybersecurity frameworks such as ISO/IEC 27001 that can provide a good basis for how to protect your organization. They can offer best practices and save time when you don’t have the resources to devote more fully to cybersecurity.
  3. Choose the right vendors and cyber professionals. Defense in depth is always a good strategy, but it’s important your cybersecurity team understands a risk-based approach is the best way to achieve comprehensive cybersecurity for your organization. They can help you choose the right tools for your unique circumstances.

Protect your manufacturing entity from cyber risk

Ensure your technology and security are top areas of discussion within your organization. Each time you update a system or process, consider the implications that process will have. Also, ask for help. There are several trained cybersecurity firms that can help ensure your technology debt won’t cause problems at your manufacturing entity.
