Cybersecurity and cyber hygiene have long been on the rise, especially since many companies have switched to remote work due to the pandemic, which has raised more questions about staying protected in this space.
The information below is a recap of our Cybersecurity Forum for manufacturers featuring Dave Henderson from Cyberstreams, Rosemary Brester from Hobart Machined Products Inc., and Shannon F from Evergreen Fire and Security, where they discuss best practices among manufacturers and how you can use them to decide your next step. You can listen to the entire Forum HERE.
Do you have a routine and practice for cyber hygiene?
CYBER HYGIENE BEST PRACTICES FOR MANUFACTURERS
#1 Focusing on The Tech Instead of the Employee
One of the most common issues among companies is that they tend to prioritize technology over employees. While many CEOs initially consider the technology and how they may improve it, they frequently overlook the employee and culture, which are more often than not responsible for the security breach.
One of the most common Venn diagrams shows the culture, process, and technology of the 100 controls for CMMC level 2, with about 40% focusing on culture and procedures and the rest on technology. However, research has revealed that approximately 80–90% of cyberattacks begin with a human, with clicking on a spear-phishing email being the most common reason. As a result, businesses focus on training rather than changing employees' mindsets, particularly the habit of multitasking while working, such as checking emails while simultaneously doing other activities, which reduces the attention paid to what is actually in front of them.
#2 Relying on Training Instead of The Attitude
Researchers discovered that when employees attend annual cyber security training, many admit to checking emails and conducting other tasks, showing that it's more of an attitude problem than a training problem. Mr. Henderson of Cyberstreams explains that rather than a one-time event per year, having numerous dialogues about cybersecurity keeps it in people's minds – given that spear phishing is the leading cause of human-caused breaches.
David H. describes a company's "five strike system" for employees who frequently fall for spear phishing, a type of scam in which the victim receives an email from someone claiming to be someone they know and asking for money in the form of gift cards to help out. Employees are sent to training after the first strike, and subsequent strikes require them to meet with their supervisors to discuss disciplinary action if they fall for the ploy again. If the employee falls victim to it a fourth time, they are summoned to a meeting with HR and given a warning that they will be fired on the fifth occasion – showing that it's not about the consequences or the training, but about the attitude.
The entrepreneur goes on to elaborate on the significance of cybersecurity in protecting the company's data and reputation, and on how integral it is to the company's culture, since most of it ultimately depends on that culture.
#3 Leaders That Don't Set the Example
Mr. Henderson notes that many companies have a safety policy that contains points concerning preventative measures for cyberattacks. With recent changes, though, leadership has also started discussing cyber security during meetings. In addition, he has noticed that more and more organizations, particularly those with revenues of $25 million or more, have begun to demand reporting from all levels of management to the board on cybersecurity initiatives and their success.
#4 How Small Businesses Are Impacted by Cybersecurity
While SSL certificates for websites are part of the baseline for cyber security, they are only effective if they are regularly monitored and kept up to date. David refers to a recent Wall Street Journal article in which a company's failure to renew its SSL certificate left it expired for an extended period, leading to breaches that cost hundreds of thousands of dollars – and that could have been prevented.
This demonstrates how crucial it is for businesses to have a process for making modifications as they hire new vendors and staff and how it ultimately affects their security profile.
#5 The Importance of Prevention and Cost of Recovery in Cyber Hygiene
Mr. Henderson describes two types of businesses whose security has been compromised: those unaware of the breach, and those aware of the breach and of their susceptibility to it, as well as the immediate steps to take after a breach.
Cyber resilience assumes that there will be breaches and requires an understanding of what will happen afterward. Much of the effort taken after an attack or security breach is critical, but the steps taken to prevent them are even more crucial, which is where backups come into play. While the number one thing is to protect the data, topics such as business continuity, disaster recovery, and your backups are also crucial to keep in mind.
Here are the critical points of the disaster recovery:
- The importance of backups
- The significance of knowing what data to back up
- Performing regular test restores
However, business continuity and disaster recovery strategies aren't just about backing up your data; they're also about:
- Knowing what you should back up
- How you should back up your data
- What you're doing to ensure success in cases of ransomware attacking the backup as well as the live data
#6 Missing the Competitive Advantage
Many IT services are analogous to commodities like electricity; hence, it can be challenging to distinguish between providers and shine among the competition. Companies routinely inquire about the security of their suppliers, but if those suppliers aren't up to par on their CMMC ratings under NIST 800-171, they're losing out on a competitive advantage.
Importance of Cyber Insurance
An article claims that in 2021, cyberattacks on small businesses climbed by 152%, while attacks on large corporations increased by 75%. Mr. Henderson recounts a conversation with FBI officials about the recurring, monthly ransomware attacks on Seattle area businesses. Small businesses are more at risk because they either don't take the issue seriously enough or have less stringent measures than the major players.
A Wall Street Journal article says that many business owners think their property and liability insurance will cover the costs of getting back on their feet after a cyber-attack. Yet most policies only cover a small portion of the costs of getting back on your feet after a breach. In the article, Mr. Henderson discusses an example of a company that had a recovery cost of $250,000 and whose standard liability policy only covered a small fraction of it, while another company that had cyber security insurance provided:
- An entire team of forensic experts
- A recovery cost of $218,000 to get the business back on track.
With the price of cyber security insurance increasing by up to 10-15% this year alone and the underwriting standards becoming more stringent, many small business owners are being denied coverage. While the underwriting process is designed to protect the insurance company from losses, it also gives you a comprehensive checklist of things you must do to prepare for it, which will not only harden and strengthen your business but also improve your threat profile.
Number 1 Most Important Tip for Cybersecurity
While fostering a cyber-secure company culture is crucial, two seemingly simple things can often lead to breaches: poor password management and not using multi-factor authentication.
How to Create a Safe Cybersecurity System
Mr. Henderson said he frequently hears stories of people who develop algorithms or creative methods to generate passwords. This leaves people with 25–30 unique passwords, which become challenging to manage, so they try to keep track of them by writing them down or keeping a spreadsheet, both of which open new doors for breaches – and something for manufacturers to pay attention to.
The solution could be password managers, such as LastPass, that store passwords in encrypted form, so your passwords stay encrypted even if the provider has a breach. Next to passwords, multi-factor authentication is a powerful method to prevent breaches. David explains that when people click on these fraudulent links, they land on what appears to be the Microsoft login page and enter their username and password; the login usually won't go through and only hands the credentials to the hackers. However, if you have multi-factor authentication, such as a text to your phone, they will have a much harder time logging in despite having the login details.
This ultimately demonstrates how breaches were caused by human errors, which could have been avoided with simple changes in the business and leadership.
Another way to increase cyber safety is to encrypt any device you use: a device can be stolen and its data copied, but if it's encrypted, no one will be able to read it.
Ways to Make Your Business More Cyber-Secure
Rosemary, the president of Hobart Machined Products Inc., and Shannon, ITPSO Evergreen Fire and Security Compliance Officer, explain ways to make your business more cyber-secure.
Here are the changes they made in their companies:
- No cellphone policy – Many of the younger generation had difficulty learning to use only their company computer equipment, which lets management track what employees are doing and which sites they visit.
- Extensive training – To keep everyone on the same page, it is imperative that each employee regularly undergoes rigorous training programs on cyber security and safety and attends CMMC-related Zoom meetings.
- Culture management – With everyone from different backgrounds coming together into one culture, they recommend Webroot, which sends out information for everyone to review, to bring technology and people together; it also provides many manual tools.
- Improve threat profile – Having basic antivirus software and a firewall is imperative.
Cyber Hygiene and Remote Work
During the pandemic, many businesses have shifted to remote work, which has raised cybersecurity concerns. Shannon explains that one of the first questions they ask when an employee switches to remote work is what kind of internet connection they will use. Default usernames and passwords are the most prevalent issue they encounter; they need to be changed and periodically updated to close that vulnerability.
Cyber Hygiene and Outsourcing Work
Along with the rise of remote work, the use of freelancers and contractors whose physical locations are sometimes unpredictable has also increased. According to Shannon, they always ensure a potential contractor is a US citizen or permanent resident before allowing them access to sensitive information. In these cases, preventing them from entering the system is essential to preventing data breaches, as in the past, "so-called" experts have misled business owners into taking a particular course for the wrong reasons. Shannon noted that price often plays a role, and "you get what you pay for."
Lastly, it shows how important it is to be careful about sharing or giving access to sensitive information.
Cyber Hygiene Practices
David explains there is a 14-point checklist with different cyber hygiene measures, but some are more important than others, like malware protection, spam filtering, and encryption, because technology has so many layers. An excellent investment, according to Shannon, was the Microsoft Office 365 Enterprise license, which includes a plethora of options for configuring the software, such as:
- Notifications about logins
- Tracking of the exact steps employees take
- Encryption of data at sensitive device endpoints
- Auto-classification with sensitivity labels
- Report generation
- Machine learning to track and monitor sensitive content and pull reports
Common Cybersecurity Mistakes from Manufacturers
Finally, David, Shannon, and Rosemary give you a peek into the most common mistakes they made early in their careers so that you can learn from their experiences and avoid making the same ones.
- Spending too much money on things you don't need
- Choosing companies that are supportive and helpful, as many have other objectives and only focus on the dollar sign
- Focusing on the goal of getting certified and showcasing compliance, which takes a lot of work
- When cleaning up anything related to CMMC, analyze the type of tools used and where they're based; Rosemary described a case in her past when she discovered a company had a PII tool installed that was based out of Israel, which caused a major security violation.
- Continuing down a project path that wasn't the right fit in the long run, involving tools, licensing, and other companies
- Make use of the power of the environment and culture, and reach out to others for feedback and better skillsets to progress faster
- Keeping track of the costs of the CMMC journey through separate GL codes so they can be passed on to new contracts
- Lack of awareness of the documentation from the National Institute of Standards and Technology (NIST), specifically the publication NIST 800-171, which lists 110 checkboxes to be compliant in an environment (programs like FutureFeed provide guidelines on compliance in their dashboard)
Cybersecurity and Privacy Laws and Regulations
Most manufacturers are required to follow some Cybersecurity and Privacy standards, laws, regulations, or requirements. These may come from Federal, State, Local, or Tribal Governments, be industry-mandated, or voluntary. If your company sells products to the U.S. government, you may be required to comply with the minimum cybersecurity standards set by FAR and DFARS. Learn more about complying with Cybersecurity and Privacy Laws and Regulations.
Unsure where you are with securing your data? Need a third-party review of your cyber hygiene practices? One size does not fit all, which is why it's crucial to have a partner you can trust - we invite you to contact us to schedule a call with one of our highly trained information security experts who is equipped to meet you where you are in the process.
We also invite you to watch our whole Cybersecurity Forum Series Here.