Preventing a Data Breach from an IT Systems Hack
That cybercrime causes devastating losses to businesses around the world isn’t news. U.S.-based companies suffer between $57 and $109 billion in economic damage due to cyberattacks and related malicious activities each year, with worldwide costs forecast to top $6 trillion by 2021. But you might not be aware that today’s manufacturers are being increasingly and disproportionately affected by system hacks resulting in security breaches and data theft.
According to one recent industry report, manufacturing businesses are in one of the top eight economic sectors that reported the largest number of data breaches in 2019, alongside perennially vulnerable areas like healthcare, local government and retail. Another survey found that as many as 50% of manufacturing firms had experienced a data breach incident within the last 12 months, with 11% of these describing the incident as “major.”
In the past, cybercriminals focused many of their efforts on organizations known to hold rich troves of sensitive data, such as financial institutions and healthcare companies. Today, they’re branching out. With the newfound popularity of ransomware, it’s become easier than ever to extort funds from any company that relies on its IT systems to keep the business up and running. Furthermore, criminals are now able to profit from exploiting many different types of data—and smaller companies may not be making the key cybersecurity and IT infrastructure investments necessary to keep their information resources safe. Cybercriminals are well aware of this fact, and thus continue to target companies they think will be ill-prepared to deal with a data security incident, since this makes them easier to victimize.
Even large firms subject to stringent regulatory compliances requirements are suffering devastating losses. Consider the case of Visser Precision, a Colorado-based manufacturer of custom parts for use in the automotive and aeronautical industries. The company makes components used by the likes of Boeing, defense contractor Lockheed Martin, and Tesla’s SpaceX program. Visser was targeted in a new type of ransomware attack in which the malware first exfiltrates the victim’s files and then the criminals threaten to publish stolen sensitive information if the ransom is not paid.
Visser reportedly declined to pay a $2.3 million dollar ransom for the data, so its attackers released data including customer lists, non-disclosure agreements, and product designs and schematics—including one for a missile antenna. Not only has Visser itself suffered catastrophic damage to its reputation and prospects for winning future contracts, but so too have entities in its supply chain, which extends to the U.S. military.
Where's the value (and risk) in your data?
If you’d like to minimize the chances that your company will fall victim to a similarly ruinous crime, it’s critical that you take stock of the value of your data. Some types of information, such as customers’ credit card numbers, are obviously of worth to criminals looking to sell them on the Dark Web. But you may not have considered the importance of other types of data.
Not only should you have systems and business processes in place to protect customers’ financial information, but you should also think about:
- trade secrets and intellectual property. Nation-state level attackers in other countries have stolen numerous types of product information, including designs, schematics, and chemical formulas, in order to enable competing suppliers to create knockoffs without needing to make investments in product development.
- employee data. Whether it’s their Social Security numbers or other types of protected information that’s taken, be aware that your employees may be able to win a class-action lawsuit against your business if you don’t take adequate measures to secure their data.
- customer records. Not only can lost or corrupted customer data interfere with the sales process, but it can shatter the trust of other vendors in your supply chain.
- product standards and specifications. In several recent incidents, attackers have slightly altered designs of hardware components in an attempt to damage the functionality or reliability of downstream products within their supply chain.
- company financial data. Once attackers understand how profitable your business is, they’ll be able to attack you using ransomware or other forms of extortion, calibrating the amount of the ransom they’re requesting so that it’s the maximum you’re able (or are likely) to pay.
Hardening your systems to protect valuable data
Once you’ve identified all the types of data your business stores that may be of value to attackers, you’ll need to create a plan to protect this data. It’s a good idea to begin with a security audit. During a security audit, you’ll evaluate the security of your IT systems by measuring how well they conform to security standards or best practices. You should consider any regulatory compliance requirements to which your business is subject, such as the Payment Card Industry (PCI) Security Standards (if you accept credit card payments), or the California Consumer Privacy Act (CCPA) (if you store the personal data of any California residents). Or, you might use a government-issued standard, such as NIST 800-171, to which defense contractors and their business associates must adhere.
A managed IT service provider with extensive experience with businesses in your industry can help you find or design the security standards that will best protect your data. Personalized recommendations are key, since no two companies’ IT environments are exactly alike. Nor are their business models, security risks, or goals.
At a minimum, your security audit should assess how you handle access controls for your IT systems; your employee cybersecurity education and training programs; how you manage system configuration settings and changes; how you collect and store logs; what procedures you have in place for responding to incidents or dealing with a potential breach; physical security of your facilities; how you perform risk assessment and/or penetration testing; and how you handle routine software patching.
A security audit can help you shore up any areas of weakness or explore the most cost-effective avenues for improvement. As an investment, it’s more than worthwhile.
Interested in learning more about protecting your data from theft? Download our new eBook, “The Definitive Guide to Recovering from IT System Outages” to take a deeper dive into the subject of building resilient systems today.