Manufacturers are often some of the last companies to embrace new methods in computing and technology, even though they’re often high-value targets for cybercriminals and hackers.
For one thing, they have a lot of intellectual property that unscrupulous manufacturers and competitors would love to get their hands on. For another, manufacturers are often part of a bigger supply chain network that lets them get into the vendor partners’ and customers’ networks as well, and hackers may try to break into a smaller, more vulnerable network to get into a much larger network.
For example, the now-famous Target data breach in 2013 occurred because the hackers were able to get into the network through a compromised third-party vendor. An employee at a refrigeration contractor inadvertently clicked a link in a phishing email that gave the hackers access to the contractor’s network, which was connected to Target’s network.
But the newest risk, according to an IndustryWeek.com article, is:
the convergence of operations technology (OT) and information technology (IT) networks. . . (E)ndpoints on OT networks—such as supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS), controllers and sensors—weren’t exposed to the same malware threats that IT network endpoints face, and, therefore, weren’t designed to be patched or run security software.
The issue is, says Industry Week, that manufacturers don’t quite understand hackers and cybercriminals the way other industries do — say, e-commerce, government, banking, and medical/pharmaceutical — which have had to deal with cybersecurity attacks for decades.
Know Yourself to Know Your Enemy
If you want to better thwart cyber attacks, you need to understand what kinds of information and access attackers want and how they would get it. By understanding this, you can create a defense system that can prevent attacks from ever beginning, rather than trying to recover from them.
For example, U.S. utility companies are constantly dealing with threats from outside the country, especially from China and Russia. Companies with a lot of new products and heavy R&D might face threats from competitors, as well as foreign manufacturers looking to steal designs. And of course, organized crime types who are looking for personally-identifiable information will try to hack into employees’ personnel files and financial lives. And still other companies might be dealing with “hacktivists,” people who are politically opposed to a company’s mission and seek to damage it through computer channels.
“If you know your enemy and you know yourself,” said Sun Tzu, “you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.”
This means, says Industry Week, adopting an Inside-Out Security mindset.
Most organizations follow an “outside-in” approach, which means companies are reactive to the latest type of threat — governmental, organized crime, hacktivist — and the latest method — ransomware, social engineering, unpatched systems — and buy the technology to prevent that.
But an inside-out approach means understanding your specific risks and business objectives. It means you have to know your enemies. Who wants what you have? This means starting with an enterprise risk model and understanding “the ecosystem of likely attackers, the assets they’re most likely to attack, and the techniques they’re most likely to use.”
This lets you decide which methods to prioritize and devote more energy and technology toward. For example, a tool-and-die manufacturer is probably less likely to be the target of hactkivists, but makers of military equipment might be. Similarly, makers of smart appliances could see increased attacks from foreign manufacturers, but not from foreign governments.
So What Can You Do? How Can You Know Your Enemies?
For one thing, cyber security needs buy-in from the highest levels: top executives need to embrace the idea and require it of everyone in the office. This means training, technology, and situational awareness — making sure all your employees understand what is required to keep your networks and IP secure.
According to the Cyware blog, this includes:
applying basic cyber hygiene, up-to-date cyber security awareness, actionable threat intelligence and targeted risk controls across an organization allow personnel to work together as a dynamic force against attack. However, this process can only be effective if properly maintained and regularly updated as a necessary procedure rather than a one-off initiative.
Technology is changing, but crime and criminals have not. The tools are new, but the motives are as old as money and nations.
The idea of keeping your valuables — your IP, your financial data, etc. — locked up inside your doors is no longer the best course of action. Cloud cybersecurity is the safest and best bet to protect your data and IP. Working with a cloud computing company that specializes in cybersecurity for manufacturers can greatly decrease the chances of losing your valuable information, and increase your protection.
If you would like to learn how Value Global can help your company keep its networks, computers, and proprietary data safe from hackers and criminals by teaching you to know your enemies, please visit our website or contact us for a demo with our representatives.
Photo credit: MaxPixel.net (Creative Commons 0)