In our July 12, 2022 Cybersecurity forum, Tim Chase, MFG-ISAC Program Director (Manufacturing Information Sharing and Analysis Center), shares insight into why U.S. manufacturing was the #1 target of ransomware in '21 and '22. He also shares why the financial payout of a ransomware attack is only a fraction of the total cost of the incident.
Considerations to keep in mind:
Cyber threats continue to expand exponentially, not only because of the number of users but also because the platforms and programs manufacturers use are expanding, and the vulnerabilities are expanding with them.
The motive of 98% of incidents is money. The more we think of ransomware operators as businesspeople rather than criminals, the better, because the targeting and the dollars-and-cents aspect start to make sense and become easier to understand.
The United States is the most targeted country in the world. The U.S. is also the most prominent place where malicious activity originates. Ransomware operators use U.S. IPs and infrastructure because they are less likely to be flagged or banned.
Ransomware offers high profits for operators, and manufacturing is a good target for them because many businesses are behind in hardening their infrastructure against such attacks.
Ransomware business operators have learned lessons about the companies they target.
They don't want to target critical infrastructure and put themselves in the crosshairs of the national government.
Ransomware operators are more likely to target operationally centric businesses because their tolerance for downtime is very low.
Manufacturing is a juicy target, especially small to medium-sized businesses, because they have relatively flat, interconnected networks that are not segmented, which makes it easier for a ransomware incident to affect both the IT and OT space.
The financial payout of a ransomware attack is only a fraction of the total cost of the incident.
Other costs include:
- Operational downtime: The downtime to the business and the impact on its supply chain can be significant.
- People hours: Internal and external time spent on incident response and putting the business back together. It can be costly after the fact because companies will rush to respond to the incident. It's better to plan and think about company needs before an attack. Companies should proactively consider the critical assets they must protect because not all things are created equal.
- Repeat attacks: If a business has an incident, it is much more likely to be reattacked. Even though the company might update its security posture, there is a fair amount of data about the company on the dark web, making it easier for other actors to learn about and research the organization to craft better phishing emails. Because they have data about the company, including technical data such as the type of software and hardware it is running, ransomware operators have easier access if they want to reinfect the business.
- Higher insurance premiums
- Legal defense and settlements: Settlements are becoming increasingly common. We are beginning to understand the implications of liability and reasonable standards. But increasingly, elements are being written into contracts that companies are writing with their third-party vendors. There might be a duty of care clause which implies that if the company experiences a breach, it would be liable.
- Loss of reputation: There is a strong consensus about not wanting to work with a business after a significant data breach or ransomware incident.
- Loss of business: If a business is down for any length of time, its customers will have to go elsewhere, and they may not be able to get back into their preferred supplier loop.