COVID-19 has changed how manufacturers work. Many employees began to work remotely when the pandemic hit the United States in earnest — and many continue to do so, even after businesses in some states have tried to reopen their facilities with modified working conditions.
While this forced move toward a distributed workforce has prompted many changes in how businesses operate, one that should be of particular concern is the way corporate data is now being trafficked across home networks, which businesses don’t control and manage — and which don’t necessarily conform to company cybersecurity standards.
This inevitable outcome of working from home means that all manufacturers need to revisit and heighten their cybersecurity protocols to account for remote working conditions. Not doing so could leave them vulnerable to forms of cyberattack that are already emerging in response to the changing landscape of how we work.
How Have Conditions Changed?
Chances are, your remote workers handle sensitive information of one form or another — e.g., financial records, employee records, or restricted materials such as Controlled Unclassified Information (CUI) covered by the Department of Defense’s DFARS cybersecurity standards.
Hackers are well aware that this sort of information is being accessed via computers and other devices, such as mobile phones, that are connected to home networks. Chances are, these networks abide by much less stringent cybersecurity standards than corporate workplaces with mature IT policies. This has produced some significant changes in the patterns governing corporate cyberattacks over the last few months.
First and foremost, the focus of the attacks has shifted from corporate networks to home networks, which increasingly provide access points to corporate data centers, despite the fact that they are often shared with family members who operate non-secure equipment. During late March/early April, one of Maryland MEP’s partners, Epoch, Inc., observed an 800% increase in cyberattacks to IP addresses associated with client home offices.
Epoch also noted a resurgence in PDF and Visual Basic Script (VBS) viruses, which are often shared as bogus Microsoft Word documents with the .doc or .docx file extension. This is likely in response to the rise in online commerce and communications during this time. As we increasingly go online to handle day-to-day needs like shopping and schooling, we expect to receive tracking documents related to online orders or policy documents from schools or summer camps, making us more inclined to open documents that we shouldn’t.
Similarly, new channels are being used to circulate malicious links. While 91% of all cyberattacks originate via email according to Epoch, bad links are increasingly shared via text, false LinkedIn network invites, QR codes, and Zoombombing.
Lastly, there have been significant changes in the timing of the attacks. Traditionally, social engineering–based cyberattacks would happen during normal business hours as cybercriminals sought to catch people at their workstations. In late March/early April, the timing of these attacks shifted to include all hours of the day, as well as weekends. As the patterns of our working hours have shifted, so have the attacks. This means that businesses are facing nearly constant threats from external sources.
How to Respond to These New Conditions
The most important thing you can do to adapt to these changing cybersecurity conditions is to make a plan. For many, the root cause of vulnerability is simply that they weren’t prepared. Either they don’t have plans to deal with present conditions or their plans are outdated.
Questions you should ask yourself as you go about making a plan include:
- Does your company have an acceptable use policy for remote access to company servers and systems? This will give employees clear protocols for accessing information, as well as limit their access to the data they need to do their job, helping to protect your entire system from infiltration should something go wrong.
- Is your employee cyber-awareness training effective? Employees are your first line of defense and need to be educated about company cybersecurity policies. These sessions don't have to be boring or drawn out.
- Do you tag data to track logins and usage? It may seem cumbersome, but implementing systems to track data will lay the foundation for you to monitor usage going forward, allowing you to identify unusual occurrences that could indicate you are under attack.
- If you have to recover from a cyberattack, do you have the means to do it? If you prepare up front, including rehearsing scenarios through tabletop exercises, you can manage the risk in the event something happens.
But developing a plan — and subsequently implementing it — takes time, which may be time you feel like you don’t have at the moment. Many businesses are, understandably, asking, “What can I do right now?”
Fortunately, there are several easy-to-implement tactics that you can execute to improve the cyber health of your newly distributed company right now:
- Update your antivirus software and make sure all software patches are current.
- Use the most enhanced security features available for your business software (e.g., Microsoft 365).
- Encrypt data by using a virtual private network (VPN) for remote access and encrypt any company hard drives.
- Turn your spam filter up. (If you don’t have one, get one!)
- Share documents via secure cloud-based platforms vs. emailing them directly to coworkers.
- Implement dual-factor authentication.
- Have your employees update their home routers so that they are not using default network names, logins, and passwords.
Where to Turn for Cybersecurity Help as Conditions Persist
Current headlines indicate that remote work is expected to continue for the foreseeable future at many companies. In other words, distributed working conditions are our “new normal.”
Manufacturers, like all businesses, have to begin to adapt to these conditions in a deliberate, strategic fashion. There’s no magic solution that is going to make cyberthreats go away; cybersecurity is an ongoing process of risk mitigation that all companies have to take seriously.
A good starting place, which has been designed specifically with manufacturers and small businesses in mind, is the NIST cybersecurity framework. It includes five steps in a revolving process designed to help companies institute a level of security that will reduce risk so that you can confidently do business using the IT systems modern manufacturers rely on.
The NIST cybersecurity framework is also a way to address the cybersecurity requirements for participating in an increasing number of supply chains, including defense and automotive.
Maryland MEP and other Manufacturing Extension Partnership Centers in the MEP National Network, led by NIST MEP, are uniquely positioned to help manufacturers get a handle on cybersecurity. If you have questions about this increasingly important and urgent area, I encourage you to connect with your local MEP Center.
Mike Kelleher
Michael Kelleher has 20 years of experience in providing leadership, consulting, and advisory services to both public and private sector clients with a focus on manufacturing and industry. He has been instrumental in building the new Maryland MEP Center, integrating best practices, lessons learned and operational programs from throughout the MEP National Network with a focus on operational excellence, long-term growth and workforce development.
