How Manufacturing CEOs Can Protect Their Organizations from Ransomware
September 6, 2017
What if ransomware took your manufacturing operations offline for a day? Or a week? What would be the financial and reputational impact?
Perhaps Nissan and Honda could give us some insight. The WannaCry ransomware virus that made its way around the globe in one weekend in mid-May led to multi-day shut-downs of several Renault and Nissan car manufacturing plants in Europe, Japan and India. More than a month later, the WannaCry worm re-emerged at a Honda plant near Tokyo, disrupting production for a day and decreasing output by about 1,000 units.
These giant automakers likely can absorb such a financial hit with only moderate damage. But WannaCry (and its sibling NotPetya) seem to be harbingers of what’s to come. The motivation of the perpetrators of these attacks likely is more disruptive than a mere financial “smash and grab.” Despite the global reach of the WannaCry epidemic, the total payout so far is only about $140,000.
The frightening truth is that there are people who are willing to wreak havoc on an organization (ostensibly) for the sake of a few hundred dollars. And that ransom payment is far from the true financial cost for the victim of such a cybersecurity breach.
As shipping giant Maersk recently revealed, despite there being “no data breach or data loss,” the fallout of terminals in four countries being infected by NotPetya in June led to a $264 million loss last quarter.
Questions a Manufacturing CEO Needs to Ask
Unfortunately, many manufacturing CEOs consider information security the domain of the IT department. Cybersecurity, though, is no different from any other type of business risk in that the buck must ultimately stop with the CEO. Cyber threats will become more sophisticated, with increasing impact, until organizational leaders accept responsibility and stop thinking of cybersecurity as someone else’s job.
Here are a few questions that you need to pose to your leadership team:
“Do we know what is at risk?”
The greater the potential payout, the more sophisticated the potential threat. The reason that cybersecurity is not more top-of-mind for mid-sized manufacturers is that they typically do not store the type of data (such as credit card numbers and medical records) that can be easily monetized on the black market. But with ransomware, cyber criminals have learned that they can hold operations hostage and collect payouts of anywhere from a few hundred to tens of thousands of dollars—or even more, in some instances.
“What is the value at risk?”
For a manufacturing plant, one of the biggest inherent risks is the potential disruption of operations. What would be the financial and reputational impact, including lost relationships with customers and suppliers, if operations were offline for hours or days? This is a conversation that needs to happen at the highest levels of your organization, and it needs to include the C-suite as well as IT and business line leaders.
“How do we know that our vital assets are protected?”
The WannaCry and NotPetya ransomware strains both leveraged vulnerabilities in out-of-date versions of Windows. While it might be easy to blame the victims for failing to upgrade and patch their software, it’s not such an easy problem to solve. Unfortunately, many IT departments are hard pressed to keep track of all the hardware that makes up their information systems—desktops, laptops, mobile devices, servers and so on. Maintaining up-to-date inventories of software versions that are deployed on those components adds significantly more complexity to the problem.
Managing Cybersecurity Risk
These are manageable problems, if you take ownership of them and lead your organization with a logical and rational approach to assessing and mitigating the risks.
In the short term, your organization can mitigate these with a few simple and inexpensive tactics, such as:
- Maintain current licenses of hardware and software.
- Establish a vulnerability assessment and software patch management program
- Conduct cyber awareness training. Everyone in the organization should have a healthy dose of skepticism about attachments and links in emails. And they should be encouraged to have face-to-face or phone conversations to verify anything suspicious.
- Knowing that some phishing attempts will be successful, implement advanced email protection tools, such as those available from Microsoft Office 365.
- Conduct regular and frequent system backups.
From a more long-term perspective, you must lead your organization in an assessment of the actual cyber risks that it faces. Information security frameworks such as ISO 27001 and the NIST Cybersecurity Framework for Small Businesses can facilitate this discussion.
Armed with a realistic assessment of risks to your manufacturing production facilities and other vital assets, your organization can better assess your cybersecurity preparedness and prioritize steps you must take to remediate gaps. Finally, independent and objective assurance reporting can give you and your shareholders the peace of mind you need that these controls are operating effectively.
Sooner or later, ransomware will hit your organization. As leader of your organization, how you prepare for and react to a cybersecurity event will determine the extent of the impact and the trajectory of your organization’s growth thereafter.
The first step is a realistic and meaningful assessment of what is at risk. We can help walk you through that assessment.