Cybersecurity: What Manufacturing CEOs Need to Know
By Dan Schroeder, partner-in-charge of Information Assurance Services
Just a few years ago, cybersecurity was something most CEOs considered the domain of the chief information officer, if they even knew the term at all. Today, it has emerged as a top-of-mind issue for chief executives in just about every type and size of organization. Manufacturing CEOs should be no exception.
Manufacturers are becoming increasingly attractive targets for attackers whose motives range from short-term financial gain to espionage. In fact, manufacturing companies represent more than 27 percent of cyber-espionage attacks, making them the most-targeted industry for that particular attack pattern, according to Verizon’s 2015 Data Breach Investigations Report (DBIR).
In the vast majority of cyber-espionage cases (roughly 86 percent), the attacker is seeking intellectual property and other secrets. Sometimes those secrets are the manufacturer’s own IP, but in other cases the true target is someone else entirely. The hackers use the manufacturer (or another vendor) as a gateway to a larger organization’s secrets.
Hackers also target manufacturers to take over corporate financial accounts and make unauthorized transactions. Steven Darnell, president and CEO of Atlanta-based Storage Products Group (SPG), is particularly alert to the vulnerability of the company’s financial transactions. SPG sources and manufactures about half its products from facilities in Mexico and Asia. “Any time you have international exposure, you become more vulnerable,” he says.
The potential financial and reputational costs of these breaches can be devastating. How much money could a determined adversary drain from your organization’s bank accounts? Would your business be able to recover if your trade secrets, or your customers’ trade secrets, were leaked to the competition?
While CEOs must be aware of these potential threats, they shouldn’t let themselves get swept away in the hype and paranoia created by the latest headlines. The truth is that the vast majority of data breaches would have been easily preventable through application of fundamental security risk management practices, which begin with a thorough understanding of the organization’s most valuable assets and the potential risks to those assets.
This means that cybersecurity isn’t something a manufacturing CEO can “throw over the fence” to the CIO, Darnell says. “Ultimately, as the CEO, it is my responsibility to make sure our data is protected. It is not just a check-the-box event.”
How Traditional Information Security Approaches Fall Short
Unfortunately, a “check-the-box event” is just how many executives historically have viewed information security – and that’s a huge problem.
A compliance-oriented approach, by definition, achieves a baseline level of security. The problem is that the technical standards often used as that baseline may fail to address the most significant risks to your business. A typical baseline security control, for example, is a vulnerability management program that regularly scans for known technical vulnerabilities and applies patches and updates. But when a high percentage of malware avoids detection, vulnerability management programs are not nearly enough to protect critical data.
Remember those cyber-espionage attacks that manufacturers are falling victim to? Most of these attacks come through vectors such as email attachments and embedded links that, when an employee clicks on them, install malware on the duped employee’s computer.
So, is a compliance-oriented and technical approach to information security enough to protect your organization’s most valuable data and systems? Increasingly, it is not. Since money spent on security is only effective if it protects what is truly at risk, improving the overall information security program may or may not protect the most critical assets.
Cybersecurity takes a more nuanced view of information security. It is built on the premise that emerging cyber risks warrant a particular focus on digital assets, in order to understand which risks could call for risk management beyond the organization’s base information security program.
Which Digital Assets Are at Risk?
The value and vulnerability of digital assets and the sophistication of the cyber threat landscape make cybersecurity an issue that must be owned by the CEO and not delegated to the IT department. As businesses have become more automated and data driven, they are creating more valuable digital assets. These are groupings of data that, if compromised, could have serious negative financial, reputational, legal or compliance implications.
Consider the Internet of Things (IoT). Manufacturers increasingly are harnessing sensors embedded into equipment and combined with powerful analytical software to improve efficiency, drive down costs, reduce accidents and more. Verizon data shows 204 percent year-over-year growth in the number of manufacturing IoT connections.
Target Security Spending
This asset-based approach allows organizations to target information security money and resources in the most cost-effective way. Here’s how it works: Focusing on the relative value of assets means that we can selectively apply advanced security measures to higher-value information systems and data, while maintaining a set of baseline controls that secure the majority of data.
For example, SPG sources and manufactures about half its products from facilities in Mexico and Asia. Because these cross-border financial transactions represent both high value and significant inherent risks, the company has strict policies and controls regarding how those transactions are conducted. “Our financial people who have access to international bank accounts, that computer is never used to go outside of our network,” Darnell says. “If we travel abroad, we carry separate phones and separate computers from the ones we use day to day.”
IoT devices also might warrant advanced security measures. Although no significant IoT device breaches have become public yet, Verizon warns in its latest DBIR that connected devices could potentially serve as pathways for cyber attacks into a company’s broader network.
Take Control of Cybersecurity
Most importantly, by understanding the relative value of digital assets and the actual risks they face, CEOs are in a position to take control of cybersecurity and make intelligent business decisions about the most appropriate and cost-effective ways to treat those risks.
And what are the implications for CEOs who don’t assume this responsibility? “You are at risk financially, you are at risk of not protecting your employees, you are at risk of not protecting your customers,” Darnell says. “You are at risk of not protecting your assets.”