In the past few years, we’ve been paying more attention to how cyber crime can be a huge risk for companies as the internet has become ubiquitous in the business world. Whether it’s a multinational manufacturer or a start-up retail store on Main Street, every business that has an internet connection is at risk of being attacked.
And the stakes are incredibly high, as we at Practical Software Solutions have learned since Greg Lafferty, our senior account executive, gave his presentation “3 Cyber Threats that Will Destroy Your Business” at Cultivate’18. The statistics we found while researching that presentation were astonishing, and so are the updated stats for 2019.
Here are just a few of the staggering predictions, according to the Cisco/Cybersecurity Ventures 2019 Cybersecurity Almanac:
- Cybercrime damages will cost the world $6 trillion annually by 2021, which would be more profitable than the global trade of all major illegal drugs combined
- Global ransomware damage costs are predicted to hit $20 billion in 2021, up from $11.5 billion in 2019
- The five most cyber-attacked industries in the past five years are healthcare, manufacturing, financial services, government and transportation
According to an article on Forbes.com, some manufacturers are heeding the warnings from cybersecurity experts to tighten up their ships as the push for a mobile and digital work environment expands into the industry. This is especially true with 81 percent of manufacturing CEOs saying mobile technologies are strategically important for their businesses, according to a recent PwC CEO survey.
Ransomware rises to top of cybercrime targeted at manufacturing
While the expansion of mobile devices and the Internet of Things in manufacturing has improved workflow and kept employees better connected, it also poses a cybersecurity threat by extending the reach of data beyond the secure “four walls” of a protected environment.
Making it worse, today’s cybercriminal is no longer a person physically hacking into a business to gain access to bank account numbers in order to electronically steal money. While this has the potential to be lucrative, it’s far beyond the capability of modern-day cybercriminals — and completely unnecessary. That sophisticated first-generation hacker now writes code and puts it in the dark recesses of the internet for cybercriminals to purchase and use.
Deputy Attorney General Rod Rosenstein called ransomware a new business model for cybercrime in his address to the Cambridge Cyber Summit in October 2017. According to the 2019 Cyber Security Almanac, “(h)acking tools and kits for cyberattacks, identity theft, malware, ransomware, and other nefarious purposes have been available in online marketplaces for several years — at price points starting as low as $1 — which makes the cost of entry to a life of cybercrime nearly free.”
Ransomware does not need to penetrate far into a company in order to do major damage. That’s because all a cybercriminal has to do is find a small hole into a company to start wreaking havoc. If a manufacturer has its production lines hooked up with IoT data ports, a cybercriminal can lock up that information until a ransom is paid. In the front office, a cybercriminal could penetrate an ERP system and lock down a major portion of the inner workings of a manufacturer.
That’s the new M.O. of the modern-day cybercriminal: Pay me to get your information back. Pay me to get you up and running again. Pay me to stop messing with you.
Greg and I had this conversation when I brought up these new statistics to him. Since Sage Enterprise Management is written in HTML5, it can be used on any mobile device. Greg rightly said if an executive using Sage EM brought up data from the ERP system on his phone, it doesn’t mean someone can hack into the entire program. But I countered: What if someone was using their phone connected to a Starbucks Wi-Fi portal? A hacker could use the unsecured network to break into the phone, take a screenshot of the data on the screen, forward it to himself, and tell the executive, “I have your data. I will e-mail it to your competitors unless you wire me $50,000 in the next 24 hours.”
The rise of the Zero Trust environment in manufacturing
With these threats in mind, manufacturers must adopt strict policies to prevent cybercriminals from hacking their systems, or more realistically, being invited past security.
We are at an age in the digital workforce where no internet connection or connected device can be considered safe. Manufacturers must realize every phone, every laptop, every sensor, every USB port can be a point of entry into a manufacturing company. This theory is commonly known as the Zero Trust environment, which was conceptualized by John Kindervag while he was a principal analyst at Forrester Research Inc.
Louis Columbus, the author of the Forbes piece, quoted the CIO of an anonymous but well-known manufacturer: “We treat every sensor, real-time monitoring device, employee and company phone, tablet and laptop as a threat surface. The days of trusted and untrusted domains are over. We’re moving so fast that a Zero Trust approach makes the most sense for us; we never trust and always verify.”
On the other hand, any employee who has access to any connected portion of a company, whether by phone, email, laptops or any connected service, must be trained to not allow the bad guys to walk right in the cyber front door.
According to Cybersecurity Ventures, more than 90 percent of successful data breaches originate with phishing scams. As most people know by now, phishing is when an unsuspecting recipient is lured into clicking a link, opening a document or forwarding information to someone they shouldn’t.
While Cybersecurity Ventures’ statistics are devastating, they are still mostly shadows of things that may be (if I may borrow that line from “A Christmas Carol”). As more and more businesses become aware of these all-too-real threats, educating employees from top to bottom has become more common in the business world.
Cybersecurity Ventures reports that one of the fastest-growing categories in the cybersecurity industry is security awareness training for employees. Spending in this area is expected to reach $10 billion by 2027, up from $1 billion in spending in 2014. If this trend continues, we may see a course correction in cyberthreats in the manufacturing world. However, IT professionals and employees alike must buy in to the Zero Trust environment in order to protect their company from potential disaster. The ease of trusted environments must be replaced with secure Zero Trust environments in order for the tide of cybercrime to stop.