An Industry Watch + features a collection of stories, Q+A's, How-To's and more to give readers a 360 degree look at one topic. This month's topic is Cybersecurity — below you will find pieces on cybersecurity in the workplace, assessing risk, cybersecurity by the numbers and more.
Cyber Safety in the Workplace
The more manufacturers get immersed in the digital world, the greater the threat of cyber attacks
By Brian Martucci
As the manufacturing industry continues its transformation from an era of dirty, sweaty assembly lines to one of cutting-edge technology and precision control, it brings along a major new concern: IT security.
Unlike healthcare providers and financial institutions, whose data practices are subject to strict regulation, manufacturers’ data practices aren’t subject to an overarching compliance framework. Accordingly, many have been slow to recognize the threat, let alone plan for it.
“Manufacturers have historically not been as adept around cybersecurity, but that is changing fast as breaches become more common and costly,” says Shane Vinup, CEO and co-founder of Maple Grove-based Cyber Advisors, an IT service provider that specializes in threat detection, prevention and solutions.
Quantifying the cost of a breach
Data breaches are becoming more common because they’re really, really lucrative for their perpetrators. According to The Hidden Data Economy, a recent report from McAfee, stolen U.S. credit card numbers can sell for $5 to $30 apiece on the dark web. More complete personal records with names, addresses and Social Security numbers are even more valuable: “If they have enough information, they can file your taxes and claim your refund,” says Jacob Sheehan, risk advisor at St. Louis Park-based Twin City Group, an independent insurance agency.
In Minnesota’s manufacturing industry, the cost of digital lapses can quickly rise to dizzying heights. “Each stolen personal record will cost you hundreds,” says Sheehan. That’s because Minnesota state law requires companies to disclose data breaches to all potential victims, provided that “personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
Beyond notification, other post-breach costs include IT consulting fees (to investigate the breach and address the vulnerabilities that caused it), attorney fees, credit monitoring for victims, and media management (if and when the incident makes news). If any victims sue, all bets are off.
Let’s put that in perspective. A claim scenario from The Hartford assumes the breach of 20,000 personal records on a computer hardware manufacturer’s servers would rack up $1.3 million in direct costs for the company. And that’s if the company doesn’t face any third-party damage claims.
The good news: Manufacturers don’t hold huge volumes of super-sensitive personal and financial information: login credentials, account numbers, Social Security numbers, credit card data, health records and the like. For most manufacturers, the risk of a massive release of personal data that adversely impacts millions of lives is remote.
The bad news: Manufacturers have plenty of other vulnerabilities, some of which pose existential risks if left unaddressed.
According to Vinup and Kaspersky Lab VP Mike Canavan (pictured above), who works closely with Cyber Advisors, sophisticated phishing scams pose huge risks for midsize manufacturers. Criminals use addresses that mimic those of company executives, payroll processors or trusted vendors to send phishing emails with seemingly innocuous requests to company finance staff for account information, credentials, or actual money transfers.
“They often change just a single letter or numeral in the source URL,” says Vinup, “and it’s subtle enough to fool some employees.” Larger manufacturers can have dozens of vendors and process hundreds of financial transactions or information transfers per day, so such requests aren’t unusual.
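One defensive check for the single-character lookalike addresses Vinup describes, as an added example that is not part of the article: compare each inbound sender’s domain to a list of trusted vendor and executive domains and flag near misses. The trusted domains and sample senders below are constructed placeholders.

```python
# Added example (not from the article): flag inbound sender domains that
# differ from a trusted domain by a single character, which is the
# lookalike trick described in the text. Domains here are constructed.
TRUSTED_DOMAINS = {"example-payroll.com", "acme-vendor.com", "ourcompany.com"}

# Constructed sample of inbound senders, including two lookalikes.
SAMPLE_SENDERS = [
    "ap@example-payroll.com",   # exact match: legitimate
    "ap@examp1e-payroll.com",   # letter 'l' swapped for digit '1'
    "ceo@ourcompany.co",        # one character dropped
    "newsletter@unrelated.org", # unrelated domain: not a lookalike
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimal single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def lookalike_domain(sender: str, trusted=TRUSTED_DOMAINS, max_edits=1):
    """Return the trusted domain that `sender` imitates, or None.
    An exact match is legitimate; a near miss is a phishing signal."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= max_edits:
            return t
    return None

def flag_senders(senders):
    """Map each suspicious sender to the trusted domain it mimics."""
    flagged = {}
    for s in senders:
        t = lookalike_domain(s)
        if t:
            flagged[s] = t
    return flagged

if __name__ == "__main__":
    for sender, mimicked in flag_senders(SAMPLE_SENDERS).items():
        print(f"REVIEW: {sender} looks like {mimicked}")
```

Such a check belongs in the mail gateway or a finance-team inbox rule, where a flagged message can be held for a second look before any transfer is approved.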
Ransomware is another big threat — perhaps the fastest-growing of all. Spread through malicious websites, apps and emails, ransomware literally holds victims’ files hostage in an encrypted format until they pay the program owner. Ransoms can range from a few hundred to a few thousand dollars or more.
“If you frequently back up your files on external storage media, you may be able to kill the system and walk away without paying the ransom,” says Sheehan. “But most victims don’t, so they pay.”
Legacy Industrial IT
The “Industrial Internet of Things” (IIoT) is the rapidly expanding universe of Internet-connected sensors and equipment in the manufacturing environment. It’s amazing for productivity — and worryingly vulnerable to compromise.
Many IIoT systems run on legacy operating platforms with little to no vendor support. These systems often can’t be upgraded to address new cyber-threats.
According to Matt Hynes, Minneapolis-based advisory services principal for EY, the best way to protect such a vulnerable platform is to “wrap” the entire production space, effectively cutting it off from the global Internet. The platform owner can then control access by “whitelisting” — defining trusted network traffic and monitoring for any anomalies — and keep everyone else out, whether they’re known to be bad or not.
Keeping the bad guys out is especially important for manufacturers with e-commerce portals that sell directly to their customers. According to Cerasis, it’s increasingly common for manufacturers to integrate digital sales and IIoT initiatives. As POS systems are notoriously prone to compromise, and may themselves run on legacy platforms, this creates a host of potential vulnerabilities for already hard-to-protect hardware.
Malicious and/or Compromised Insiders
Some cyber-threats come from within. Employees who’ve fallen victim to phishing scams or visited compromised websites can inadvertently expose other employees to outside attack (as distinct from unintentional blunders, such as deactivating a firewall or forgetting to update an anti-malware program).
One sign of a compromised employee account is the “Superman problem” — when the same user appears to be in two places at once.
“If you see activity from an employee at 5 p.m. in Minneapolis, and then activity from that same employee one minute later in China, it’s likely that one set of actions is illegitimate,” says Hynes. He encourages manufacturers to set up automated preventive measures that recognize such behavior and block account access until the process owner can investigate further.
Superman problems most often suggest a malicious outsider has successfully compromised an insider’s account. More troubling, and tougher to spot, is malicious activity by trusted insiders. Disgruntled employees can do tremendous harm on their way out the door — and, sometimes, for a long while before they’re shown the door.
Hynes suggests watching for subtle but significant changes in employee behavior. For instance, an employee who suddenly notches a string of 3 a.m. logins could be burning the midnight oil to finish a big project — or surreptitiously stealing files. Some security programs flag such activity for review without blocking the user’s account, prompting IT employees or management to investigate quickly and, hopefully, shorten the interval between compromise and detection.
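The two detections Hynes describes, the “Superman problem” (block the account) and a string of off-hours logins (flag for review), as an added example that is not from the article or from EY. It runs over a constructed login log and assumes timestamps are already in the employee’s local time and that each record carries the country of the source address.

```python
# Added example (not from the article): the two anomaly checks described
# in the text, run over a constructed sample login log.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: local-time timestamp, user, source country.
SAMPLE_LOG = """\
2016-06-01T17:00:00 alice US
2016-06-01T17:01:00 alice CN
2016-06-02T03:05:00 bob US
2016-06-02T03:40:00 bob US
2016-06-02T14:00:00 carol US
2016-06-02T20:30:00 carol US
"""

@dataclass
class Login:
    ts: datetime
    user: str
    country: str

def parse_log(text):
    """Parse the whitespace-separated sample format into Login records."""
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country = line.split()
        logins.append(Login(datetime.fromisoformat(ts), user, country))
    return sorted(logins, key=lambda l: l.ts)

def superman_alerts(logins, window=timedelta(minutes=30)):
    """'Superman problem': the same user seen in two countries within
    `window`. Returns (user, earlier_country, later_country); the
    article's advice is to block the account pending investigation."""
    alerts = []
    last = {}  # user -> most recent Login
    for l in logins:
        prev = last.get(l.user)
        if prev and prev.country != l.country and l.ts - prev.ts <= window:
            alerts.append((l.user, prev.country, l.country))
        last[l.user] = l
    return alerts

def off_hours_alerts(logins, start_hour=0, end_hour=5, min_count=2):
    """Flag, without blocking, users with `min_count` or more logins in
    the off-hours window (midnight to 5 a.m. by default)."""
    counts = {}
    for l in logins:
        if start_hour <= l.ts.hour < end_hour:
            counts[l.user] = counts.get(l.user, 0) + 1
    return sorted(u for u, c in counts.items() if c >= min_count)

if __name__ == "__main__":
    logins = parse_log(SAMPLE_LOG)
    print("block:", superman_alerts(logins))
    print("review:", off_hours_alerts(logins))
```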
Your company’s threat profile
“One way to get a clear sense of your digital risk profile, and the risks your business faces in general, is to start the insurance underwriting process,” says Sheehan.
Sheehan obviously has a dog in this fight, but he has a good point too: Many business owners don’t even know where their vulnerabilities lie, let alone what to do about them — especially executives unfamiliar or uncomfortable with IT issues.
Sheehan’s company uses a proprietary risk assessment tool, TCG360™, to thoroughly analyze prospective clients’ risk profiles. TCG360™, which Sheehan describes as “field underwriting,” gathers as much data as possible: business line, building construction and condition, fire prevention systems, HVAC, lease terms, contracts with vendors, employee policies, financial documents, digital assets.
TCG360 has a separate, less common component: confidential interviews with key employees up and down the organization, not just at the top. “We want to talk to people in the trenches,” says Sheehan. At a manufacturer, that may be the plant manager, an overnight shift leader, a front-office employee, and a maintenance person. These interviews assess risk from the employees’ perspectives, revealing problems that upper management might not see — or want to acknowledge. More often than not, those problems are digital in nature.
TCG360 produces a frank and exhaustive assessment of risks large and small, including IT vulnerabilities. “The process builds underwriters’ confidence in the account and makes them more likely to underwrite the policy,” says Sheehan, “because we’ve done a lot of the legwork.”
Sheehan’s team then recommends a comprehensive risk management program that includes insurance coverage. Cyber liability insurance is increasingly common, he says, because general liability insurance doesn’t always cover breach-related losses. The cost of cyber liability policies varies depending on the policyholder’s industry, revenue, digital footprint size and other factors.
An added expense? Sure. But probably a drop in the bucket next to the cost of a serious breach.
Cyber Advisors, Inc.
Headquarters: Maple Grove
Leadership: Shane Vinup, CEO and co-owner; Igor Bogachev, CTO and co-owner
Description: An IT service provider that specializes in network solutions, including engineering, data security and uptime maximization.
Twin City Group
Headquarters: St. Louis Park
Leadership: Mark Sheehan, CPCU, president
Description: An independent insurance agency specializing in personal, commercial and specialty insurance products, as well as risk management services.
EY (Ernst & Young LLP)
Headquarters: London, United Kingdom (Minnesota location: Minneapolis)
Inception: 1918 (Minneapolis office founded)
Leadership: Mark Weinberger, CEO and global chairman
Employees: 220,000 worldwide, 650+ Minneapolis
Revenue: $28.7 billion (2015)
Description: A “global leader in assurance, tax, transaction and advisory services.”
- Detection Deficit: Time lapse between compromise and detection
- DDoS Attack: Distributed denial-of-service attacks overwhelm online resources with bogus traffic, rendering the resources unavailable to their owners
- Phishing: Attempt to obtain sensitive or valuable information via email by mimicking trusted senders
- Malware: Malicious software that compromises or damages digital resources without owners’ knowledge
- Keylogger Malware: Clandestinely records every keystroke on compromised devices, including login info and account numbers
- Ransomware: Blocks access to critical systems until the victim pays ransom to attacker
- Exploit Kits: “Prepackaged cyberattack for dummies,” often used by criminals with little IT knowledge
Source: Verizon 2016 Data Breach Investigations Report
Cybersecurity Regulation & Compliance in Select Industries
When it comes to cybersecurity, not every industry is as lightly regulated as manufacturing:
Finance: SEC regs require firms to “adopt written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorized access”; “[outline] a firm’s duties regarding the detection, prevention, and mitigation of identity theft”; and “[require] firms to preserve electronically stored records in a non-rewriteable, non-erasable format.”
Healthcare: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires health care companies to “maintain reasonable and appropriate administrative, technical, and physical safeguards” for electronic personal health information. That includes protecting against internal security threats (such as improper disclosures) and external breaches.
Government Defense Contracting: Department of Defense contractor rules specify minimum security requirements for cloud computing resources (DoD Cloud Computing Security Requirements Guide); rapid reporting (within 72 hours) of major compromises; and compliance from subcontractors that handle sensitive information.
Cyber Threats and Costs, by the Numbers
Cybercrime terrifies the business community, and for good reason. The threat landscape is complex and ever-evolving. The bad guys and gals are ever more subtle and sophisticated. Weak points grow and multiply in geometric proportion to corporate IT footprints.
It’s a scary world out there. The good news is that some of the IT industry’s brightest minds are on the case. There’s a rapidly expanding cottage industry of “white hat” hackers working independently and in concert with major corporations to probe vulnerabilities and devise protective measures before the real malefactors find them.
There’s also a staggering wealth of data on the threat landscape — and, unfortunately, on the costs and unintended consequences of those inevitable breaches.
Here’s a (very) abbreviated, by-the-numbers look at the current state of cybersecurity.
The State of Cyber-Preparedness
EY’s Global Information Security Survey 2015 reported some disturbing findings about the business community’s readiness to detect and parry digital attacks:
- 67% of respondents did not see controlling growth of digital access points as a security issue in IoT
- 42% say that “knowing all their assets” is a key security challenge
- 54% do not have internal resources focused on emerging technologies
- 36% lack the capability to detect a sophisticated attack
- 47% do not have a Security Operations Center (SOC)
- 36% do not have a threat intelligence program
- 49% say a funding increase of 25% is necessary to bring cyber protection in line with management’s risk tolerance
- 88% say that their information security is not adequate
Yikes. Clearly, there’s work to be done.
Common Cyberattack Sources
Verizon’s 2016 Data Breach Investigations Report identified nine key sources (patterns) that collectively accounted for 95% of breaches and 86% of incidents across all industries:
1. Miscellaneous Errors: 17.7%
2. Insider and Privilege Misuse: 16.3%
3. Physical Theft and Loss: 15.1%
4. Denial of Service (DDoS): 15%
5. Crimeware (including ransomware): 12.4%
6. Web App Attacks: 8.3%
7. Point-of-Sale Intrusions: 0.8%
8. Cyber Espionage: 0.4%
9. Payment Card Skimmers: 0.2%
Note that more sensational attack types, like cyber espionage and card skimming, aren’t actually that common. For every card skimming incident that makes the local news, there are dozens of DDoS attacks and random human errors. That said, cyber espionage is pretty common in manufacturing: According to Verizon, cyber espionage, DDoS attacks, and insider misuse combine to account for 55% of incidents.
More on the Threat Landscape
The cyber threat landscape changes by the day, and the numbers usually move in the wrong direction. Data courtesy of Kaspersky Lab:
- 44.5% of Kaspersky users faced a malicious threat in Q1 2016, a 0.8% rise from Q4 2015
- Adware, software that automatically displays unwanted ads, accounted for 42.7% of mobile cyber threats in Q1 2016, up 13% from Q4 2015
- 4,146 new mobile Trojans were detected in Q1 2016, up 1.7x from Q4 2015
- 2,895 instances of new mobile ransomware were detected in Q1 2016, up 1.4x from Q4 2015
- China is the global hotspot for mobile security threats, with 40% of Chinese Kaspersky users affected
Consequences of Attacks & Breaches
Every successful breach has consequences and costs. Some distressing numbers, courtesy of United States Liability Insurance Group (USLI) and Kaspersky Lab:
- 90% of businesses admitted to experiencing a security incident
- 46% lost sensitive data due to an internal or external compromise
- 85% of data breaches occur at small businesses (USLI)
- 60% of victimized businesses shut down within six months of compromise (USLI)
- Repairing a breach involving identity theft requires 400 hours of work, on average (USLI)
- The average cost of a breach involving identity theft is $188 per record (USLI)
- SMBs pay an average of $38,000 to recover from a breach (Kaspersky)
- Enterprises pay an average of $551,000 to recover from a breach (Kaspersky)
Assessing Digital Risk in Any Industry
Okay, you’ve decided you need protection in the great digital unknown. Where do you start?
Try the feds. (Seriously.)
In 2014, the National Institute of Standards and Technology (NIST) released its Framework for Improving Critical Infrastructure Cybersecurity, along with a companion Roadmap that updated and clarified some of its recommendations.
NIST’s advice exists outside any existing, industry-specific cybersecurity framework, so it’s broadly applicable to sectors with looser digital regulations, such as manufacturing.
“[These] are not mandatory by any means,” says Jacob Sheehan, risk advisor at St. Louis Park-based Twin City Group. However, they’re useful guidelines for business leaders who haven’t previously devoted much thought to cybersecurity issues, and don’t have an agenda behind them. “This information comes from the federal government, so it’s unbiased and not motivated by commercial considerations,” adds Sheehan.
Matt Hynes, Minneapolis-based advisory services principal for EY, concurs. “NIST’s Framework is a basis for good [digital security] control within organizations,” he says. “Use it to evaluate your own cybersecurity posture and needs.”
Are These Cybersecurity Elements on Your Radar?
Like many government publications (hello, IRS!), NIST’s Roadmap is a dry, technical read. But its “Areas for Development, Alignment, and Collaboration” section is a reasonably clear dive into key elements of effective digital security.
Future NIST publications will likely refine and tighten these elements, and some or all (and others not included) may form the basis of future cybersecurity regulations or enforced standards.
“Regardless of future regulation or legislation that may or may not emerge in the cybersecurity realm, it’s in your best interest to get out ahead and assess your risk now,” says Hynes.
Authentication: Multi-factor authentication (MFA) lowers the stakes around compromised passwords. MFA combines traditional passwords with tough-to-replicate digital “tokens” or biometric data. Without every factor, a stolen password alone doesn’t get an attacker in.
Automated Indicator Sharing: “Indicators” are evidence of recent or ongoing breaches. Automated indicator sharing helps leaders take action against in-progress attacks and creates a pool of data that can help other companies recognize and repel attacks. NIST is working on a “global competitive marketplace” to facilitate seamless automated indicator sharing within and between organizations.
Conformity Assessment: “Can be used to show that a given product, service or system meets specified requirements for managing cybersecurity risk,” per NIST. Basically, does it pass the cybersecurity smell test? NIST is working on standards to make conformity assessments less time- and resource-consuming.
Cybersecurity Workforce: Access to competent IT professionals is crucial for security-minded companies. Build an internal IT team as soon as you have the resources, or work closely with an external partner. NIST’s National Initiative for Cybersecurity Education (NICE) aims to grow the IT security workforce in the medium term.
Federal Agency Cybersecurity Alignment: Under the Federal Information Security Management Act (FISMA), federal agencies must follow a host of cybersecurity protocols. These aren’t mandatory for private companies, but NIST touts the “flexible, risk-based, cost-effective approach they offer” and encourages interested business leaders to implement some or all.
If the NIST guidelines leave you confused, consider a self-guided or managed risk assessment process instead. Many insurance companies offer self-guided risk assessments — for instance, The Travelers Indemnity Company makes a five-minute Cyber Risk Pressure Test available to the public. For a professionally guided assessment, ask Sheehan about his TCG360™ approach.