CybersecurityCybercrime has exploded over the past decade. No organization is immune — not even a small, obscure manufacturer of an uninteresting widget based out in the middle of nowhere. If there is data to be hijacked, there is an opportunity for cybercriminals to profit.

In most instances, it is a devastating event that finally prompts a company to start placing increased focus on cybersecurity. But unfortunately, many don’t completely follow through.

According to data from CDW, roughly half of organizations that suffered an attack in recent years did nothing budgetarily to improve cybersecurity. “In fact, just 22% increased their budget,” said Gabriel Whalen, manager of information security services at CDW, a provider of technology solutions to business, government, education and healthcare. Whalen recently served as a speaker at AEM’s recently held member education webinar on cybersecurity.

Whalen said CDW conducts passive assessments of its customers’ vulnerabilities. CDW’s top five findings are:

  • Active crypto-mining
  • Capturing of cleartext credentials
  • Anonymous-browsing VPNs
  • Use of unsanctioned cloud storage
  • Active known malware

CDW then assesses the top five weaknesses in these organizations’ cybersecurity systems. They are:

  • Insufficient malware protection
  • Weak password controls
  • Insufficient logging/monitoring
  • No incident response plan
  • Insufficient network segmentation

AEM is pleased to offer a series of member-only webinars, designed to provide education on industry-related topics like cybersecurity, promote member engagement and highlight association services. Learn more.

Start By Recognizing Fundamental Weaknesses

Whalen pointed out that investing in cybersecurity tools is important, but not enough. There is data from IBM suggesting that many organizations with an overabundance of detection and monitoring tools actually perform less effectively than those with far fewer tools.

“The really interesting thing is that roughly 47% don’t have a cyber incident response plan,” Whalen pointed out. “At the end of the day, it is a lot of these fundamentals that present weaknesses for an organization. Getting wrapped around these fundamentals will help address them directly, or at least help a company develop defense and depth mechanisms.”

Another thing that tends to be missing from an organization’s overall cybersecurity plan is an incident response plan (IR). What systems and processes are in place in the event that a breach takes place? Communication is a big part of this that many organizations miss. Immediate, clear communication with customers, vendors and the media can help save an organization’s reputation.

“Organizations need to think about roles and responsibilities,” Whalen said. “I’m not just talking about the technical response. I’m talking about the overall strategic business response. Once these roles and responsibilities are established, it’s important to test your IR plan. Even mature companies need to regularly test their IR plan.”

Why Cybersecurity Matters So Much

It is somewhat ironic to think that even in today’s increasingly digitized world, human beings continue to be one of the most glaring weak spots in cybersecurity.

“There’s an example a while back where someone called into a company’s help desk,” Whalen said. “The person said he was very important, and he needed to have his multi-factor authentication token disabled immediately because he was in a hurry and had to respond to someone who was also very important. The person on the help desk complied because, after all, it’s the help desk. Well, it turned out to be a bad actor who ended up getting into the system and dumping half of the company’s global address list onto the internet.”

In an instance like this, a well-defined process should be in place so the help desk attendant knows to raise a red flag.

“We have a foundational challenge as companies,” said Ryan Layton, founder and CEO of Secuvant, a cybersecurity and risk management firm. “As long as we have people and employees, we’ll always have a problem with cybersecurity.”

Layton pointed to data from Trend Micro, a leader in enterprise data security and cybersecurity solutions, showing that 91% of cyberattacks begin with a “spear phishing” email. This means that computer users still represent the weak link in IT security, which is why cyber extortion has become a major issue for private companies.

Here is a disturbing example:

One of Secuvant’s clients, an industrial manufacturer, urgently emailed them early one morning. A hacker had breached the company’s IT system and hijacked 959 employee social security numbers. The hacker had also breached some of the company’s proprietary information. To prove what he or she had obtained, the hacker showed the social security numbers of four company executives. The hacker requested payment of $150,000.

After some more back and forth with the hacker, the company ended up paying $150,000 in bitcoin currency. The company also had to legally notify all of its customers about what happened. As a result, the company lost two large government contracts. This company did not have cyber liability insurance. Thus, all expenses had to be paid out of pocket. The total financial impact was estimated at more than $1 million.

The following ransomware attack was even more financially devastating.

A large company in the hospitality industry started receiving an unusually large number of IT system access complaints from users. Ultimately, a regional location was hit with ransomware from a group based in China. The company’s operations were halted. Local and off-site backups were fully encrypted. The hacker requested payment of $4 million.

“This same company had a breach a few years earlier,” said Don Ainslie, executive vice president of risk services and sales at Secuvant. “The damage that time was roughly $150,000. Now it happened again. We had categorized their security as moderate, at best. They had firewalls and antivirus, but that was about it.”

The business impact this time would prove to be much more devastating than a few years earlier. An operational outage persisted for two-and-a-half weeks. The company was forced to pay $2.55 million in ransomware and $350,000 for external forensic services. Most was paid by the company’s insurance provider, aside from the $100,000 deductible. The indirect damage is where things got excruciatingly painful. The cost for labor, loss of clients, legal liability, remediation and lost opportunity was estimated at roughly $25 million.

Each of these incidents share several commonalities that other companies can learn from:

  • Common entry point was a targeted spear phishing attack
  • No dedicated Security IT (IT ops and security were a shared role)
  • Networks were designed with function in mind as opposed to security
  • Over-investment in certain security areas, under-investment in others
  • IR plan hadn’t been recently tested and/or updated

 

Layton

 

 “We have a foundational challenge as companies. As long as we have people and employees, we’ll always have a problem with cybersecurity.” -- Ryan Layton, founder and CEO of Secuvant

 

 

Cybersecurity and the Equipment Manufacturing Industry

Secuvant has specialized expertise in the agriculture and construction equipment industries. According to Layton, today’s machinery is becoming more digitized with GPS, Internet of things (IoT), telematics, machine learning, artificial intelligence and 5G connectivity. As a result, the potential exists for the creation of a heightened cybersecurity risk. Furthermore, as equipment users become more informed about technology, their expectation of how their data is stored and protected is intensified.

All of this evolution requires a change in thought from equipment providers.

“The industry’s past experiences with cybersecurity risk cannot be representative of the future,” Layton pointed out. “We can’t make future decisions on how we invest and protect our businesses based on what has happened in the past.”

To begin gaining a better understanding of the industry’s current and future states, Secuvant undertook an extensive research study of both ag and construction equipment manufacturers and dealers.

On the manufacturer side, roughly 60% of survey respondents said it is likely that cybersecurity is addressed in executive-level meetings. Roughly 66% said their company had a past cyber incident. Layton said this is a pretty good sign because past incidents should always trigger increased dialogue among company leaders.

Another series of questions was also interrelated. The results are less encouraging.

A solid 78% of manufacturers said there was a high level of cybersecurity in their companies. But only 69% said they were confident in their cybersecurity preparation, and just 62% said there was a capable IR plan in place. This data shines light on a gap that exists between what manufacturers think exists and what actually exists.

“These percentages should be nearly identical,” Layton pointed out. “The deeper we get into the questioning, the deeper we get to the truth. And the truth is, a lot of things need to be in place to truly be protected in cybersecurity. When we do risk assessments of any company, we generally find that the security readiness is only half of what the executives think it is.”

A similar gap exists on the dealer side of the industry. But when it comes to dealers, the percentages are much lower. “Smaller dealers in particular, meaning those with sales under $150 million, are about 50% less secure,” Layton added.

Layton stresses the importance of having a cybersecurity plan that is in alignment with business goals. To that point, he said the following items are typically the most important for AG/CE companies:

  • Guard against data and IP theft
  • Minimize business disruption
  • Protect brand and reputation

Questions Companies Must Ask Themselves

Cybersecurity in ManufacturingCompanies must gain a clear understanding of their current state. They must look at their risks and prioritize them. What role should the executive team play? Where should money be invested to beef up the cybersecurity plan?

Whatever the order of priorities, creating a culture of cybersecurity must start with executive leadership. Layton said company leaders should ask themselves these questions:

  • Do we understand the cyberthreats and risks in our company and industry?
  • Which security framework should we base our cybersecurity program on?
  • Does our cybersecurity strategy align with our business strategy?
  • Are we prepared to detect and respond to cyberattacks?
  • How do we prepare our employees to play their respective security roles?

In many cases, a cyber-related incident ends up serving as a catalyst for companies to start placing increased focus on cybersecurity. Even worse, many do not have a sound understanding of where to begin once they do determine they want to make significant strides and improvements and provide a greater level of organizational protection. That doesn’t have to be the case. However, in committing to cybersecurity – and, perhaps more importantly, taking the necessary steps to follow through on that commitment – companies can provide themselves with a greater level of organizational protection and protect both their valued assets and their bottom lines.

To engage in a conversation with AEM and its members on the topic of cybersecurity, please reach out to AEM's John Somers at jsomers@aem.org. For more information on AEM’s Member Education Webinar Series, visit https://www.aem.org/education-and-events  or contact AEM's Helen Horner at hhorner@aem.org.

For more coverage of industry trends, subscribe to the AEM Industry Advisor

×