That cybercrime causes devastating losses to businesses around the world isn’t news. U.S.-based companies suffer between $57 and $109 billion in economic damage due to cyberattacks and related malicious activities each year, with worldwide costs forecast to top $6 trillion by 2021. But you might not be aware that today’s manufacturers are being increasingly and disproportionately affected by system hacks resulting in security breaches and data theft.
In the past, cybercriminals focused many of their efforts on organizations known to hold rich troves of sensitive data, such as financial institutions and healthcare companies. Today, they’re branching out. With the newfound popularity of ransomware, it’s become easier than ever to extort funds from any company that relies on its IT systems to keep the business up and running. Furthermore, criminals are now able to profit from exploiting many different types of data—and smaller companies may not be making the key cybersecurity and IT infrastructure investments necessary to keep their information resources safe. Cybercriminals are well aware of this fact, and thus continue to target companies they think will be ill-prepared to deal with a data security incident, since this makes them easier to victimize.
Even large firms subject to stringent regulatory compliance requirements are suffering devastating losses. Consider the case of Visser Precision, a Colorado-based manufacturer of custom parts for use in the automotive and aeronautical industries. The company makes components used by the likes of Boeing, defense contractor Lockheed Martin, and Tesla’s SpaceX program. Visser was targeted in a new type of ransomware attack in which the malware first exfiltrates the victim’s files and then the criminals threaten to publish stolen sensitive information if the ransom is not paid.
Visser reportedly declined to pay a $2.3 million ransom for the data, so its attackers released data including customer lists, non-disclosure agreements, and product designs and schematics—including one for a missile antenna. Not only has Visser itself suffered catastrophic damage to its reputation and prospects for winning future contracts, but so too have entities in its supply chain, which extends to the U.S. military.
If you’d like to minimize the chances that your company will fall victim to a similarly ruinous crime, it’s critical that you take stock of the value of your data. Some types of information, such as customers’ credit card numbers, are obviously of worth to criminals looking to sell them on the Dark Web. But you may not have considered the importance of other types of data.
Not only should you have systems and business processes in place to protect customers’ financial information, but you should also think about:
Once you’ve identified all the types of data your business stores that may be of value to attackers, you’ll need to create a plan to protect this data. It’s a good idea to begin with a security audit. During a security audit, you’ll evaluate the security of your IT systems by measuring how well they conform to security standards or best practices. You should consider any regulatory compliance requirements to which your business is subject, such as the Payment Card Industry (PCI) Security Standards (if you accept credit card payments), or the California Consumer Privacy Act (CCPA) (if you store the personal data of any California residents). Or, you might use a government-issued standard, such as NIST 800-171, to which defense contractors and their business associates must adhere.
A managed IT service provider with extensive experience with businesses in your industry can help you find or design the security standards that will best protect your data. Personalized recommendations are key, since no two companies’ IT environments are exactly alike. Nor are their business models, security risks, or goals.
At a minimum, your security audit should assess how you handle access controls for your IT systems; your employee cybersecurity education and training programs; how you manage system configuration settings and changes; how you collect and store logs; what procedures you have in place for responding to incidents or dealing with a potential breach; physical security of your facilities; how you perform risk assessment and/or penetration testing; and how you handle routine software patching.
A security audit can help you shore up any areas of weakness or explore the most cost-effective avenues for improvement. As an investment, it’s more than worthwhile.