As businesses embrace technology to deliver their goods and services and achieve their goals, they cannot overlook cybersecurity if they want to succeed. In many cases, security is overlooked because of a lack of understanding and the belief that it is an expensive aspect of information technology.
Cybersecurity is the organization’s capability to safeguard its virtual and physical presence from different cyberattacks. This can be achieved by implementing processes to protect data and information using a security framework that can help to prevent, detect and respond to attacks. Implementing these processes will be less expensive than the cost of a data breach.
The cybersecurity market is expected to keep growing. Cybersecurity Ventures predicted global spending on cybersecurity products and services will exceed $1 trillion cumulatively over the five-year period from 2017 to 2021. The cybersecurity industry is driven by the number of cybercrimes. As cybercrimes rise, there is more need for cybersecurity measures. Cybercriminals are eager to get hold of your intellectual property (IP), personally identifiable information, customer records, any financial information and your network. The harm created by cybercrimes is estimated to reach $6 trillion annually by the next year. By 2022, the human attack surface is expected to reach about 77 percent of the world population. The term “human attack surface” refers to all the exploitable security vulnerabilities or holes generated by human activities like errors, insider threats, vulnerability to social engineering and carelessness.
Cybersecurity should be an important component of daily operations for all businesses, including those in the manufacturing industry. According to the National Institute of Standards and Technology (NIST), manufacturers are a significant target of cyberattacks. “Manufacturers are often seen as an easy entry point into larger businesses and government agencies.” Financial gain (73 percent of attacks) and cyber espionage (27 percent of attacks) are the top reasons why hackers target manufacturers.
The main cyber threats to manufacturers are password dumper malware, stolen credentials, careless users and malicious users.
These threats put systems and data at risk. However, good cybersecurity controls can help to manage the risk. The most important element of cybersecurity is how well you adapt to changes in the industry. The best thing you can do to reduce your risk is to have a plan. In many situations, those affected by cyberattacks were not prepared because they lacked a good security plan. In other situations, they had a plan, but unfortunately it was not up to date. It is important to remember that technology changes rapidly and, consequently, so do the vulnerabilities. Therefore, a good cybersecurity program is an ongoing process. It needs to be reviewed and updated regularly.
Some might be wondering what can be done to lower the chances of becoming a cyberattack victim. You can become educated about what is required to be protected. You must build and improve your cybersecurity and avoid the most common cyberthreat vectors in the manufacturing industry. To do this, you can start by implementing the following security controls:
• Do not allow IT administrators to use administrator accounts on systems and devices to perform non-administrator tasks.
• Do not allow regular user accounts to be local administrator accounts or to have administrator rights.
• Implement the principle of “least privilege” to only allow employees to have enough access to perform their jobs. They should not have more access than what they need.
• Set up policies to implement segregation of duties.
• Implement mandatory vacation policies that require employees to take time away from their job and responsibilities. These types of policies help to decrease fraud and detect malicious activities by personnel because co-workers take over that individual’s responsibilities for that time. This works as a way to audit their responsibilities.
System and Information Integrity
• Use a good antivirus with regular scans to protect against malicious code.
• Train your workforce regularly on basic cybersecurity principles.
• Make sure your employees know your company security policies and procedures. Also, make sure they are aware of any changes or updates in your policies.
• Train personnel to identify phishing and social engineering attacks. This helps the workforce to identify attackers who try to steal data, credentials and personal information by pretending to be a trusted individual through emails, instant messages, social media or text messages.
• Avoid downloading attachments from unknown sources.
Identification and Authentication
• Enforce rigorous password policies. NIST recommends that all passwords use at least 12 characters and require a mix of upper- and lower-case letters, numbers and special characters. Also, to take your security to the next level, start thinking about increasing the number of characters to 16.
• Encourage users to use a good password manager where they can safely save all passwords. This will diminish the likelihood of re-using passwords in different systems and platforms.
• Start using multi-factor authentication (MFA).
Implement Cryptographic Mechanisms
• Encrypt data in transit and at rest.
How Can I Start a Plan?
Cybersecurity does not necessarily need to be expensive. A good starting point for manufacturers (or any type of business) is to understand their business goals and how technology can help them to achieve those goals. With that information in place, you can proceed to analyze your currently implemented technologies and evaluate them first from the security perspective. This is called “gap analysis.” A security gap analysis can help to identify which security controls you have and where your gaps are. Once you know your gaps, you can start looking at how to fill them with your existing technologies. If you discover that you don’t have a technology to fill those gaps, you can start looking for a new solution. But remember, always try to utilize your existing technologies first.
Select a Security Framework
Once you better understand your internal technologies, you will need a good security framework to follow. The framework will give you guidance for organizing your cybersecurity plan and program, and direction on the best security practices. The NIST Cybersecurity Framework has been created specifically for manufacturers, allowing the industry to implement security standards. The framework will help you to identify, protect against, detect, respond to and recover from cybersecurity events.
Bryant Vásquez is a cybersecurity consultant for the University of Utah Manufacturing Extension Partnership (UUMEP) Center and is the official representative of the MEP National Network in Utah. His focus is to help manufacturers respond to cyberthreats, perform cybersecurity gap analysis by understanding their business processes and educate them about best practices.