IT security is a growing threat for businesses of every type, and the manufacturing industry is no exception.
Last year, U.S. consumer cyber-attacks came at a price of $38 billion, according to the 2013 Norton Cybercrime Report by ZDNet and USA TODAY.
That number has undoubtedly risen in 2014, with The Home Depot, Best Buy, and most recently JP Morgan Chase as some of the biggest headliners.
While millions of consumers have been affected by larger data breaches, there are countless other small and medium-sized manufacturing and retail businesses that are going through the very same breaches, just on a smaller scale.
Hackers today have become savvier, learning new ways to infiltrate networks. As technology has advanced to increase protection, cyber criminals have learned to prey on the weakest security link: people.
Employees already have access to company information and are often ignorant about how to detect and prevent breaches because of a general lack of training.
That means a cyber-attack at your company is no longer a question of if, but when.
A data breach doesn’t necessarily mean money is stolen.
It is the compromise of valuable information, and each company defines that value differently. In the manufacturing industry, it could be access to designs, specifications, or research and development information.
It could be classified client information, account history, or employee personal information. It is critical that manufacturing businesses have a breach preparedness plan in place.
Preparing for a Data Security Breach
The starting point in planning for cyber-attacks is implementing an incident response plan (IRP) to ensure appropriate action if security is breached.
An effective IRP will address preventative controls, timely detection of potential problems and rapid response to data security breaches.
According to the 2014 “Cost of Data Breach Study: United States” conducted by the Ponemon Institute, the appointment of a Chief Information Security Officer and involvement of business continuity management in the incident response process decreased the costs of breaches per compromised record by $10 and $13, respectively.
However, the most significant cost reductions for organizations came from having a strong security posture, which reduced the average cost of a data breach by $21 per compromised record, and an incident response plan, which shrank the cost by $17 per compromised record.
These findings emphasize the importance of being prepared for a breach in data security.
The key components of a well-defined IRP include:
Incident Response Team – Select individuals from departments that will be involved when a data security breach occurs, such as Executive Management, Information Technology, Human Resources, Public Relations, Legal, and Operations.
Identify the roles each Incident Response Team member will play and ensure they have the authority to execute.
Data Classification – The organization’s incident response strategy takes into account the type of data compromised by the breach in determining its response efforts and activities. Categorize data so employees know how to handle various types of information. Levels can include “public/non-classified,” “internal use only” and “confidential.”
Then, focus on protecting the most confidential data.
Communication Plan – A comprehensive communication plan involves more than maintaining a current contact list of Incident Response Team members, system support personnel and external service providers.
The organization should also plan what message it wants to convey and to whom it will communicate internally and externally after a security breach. Include an alternative plan when the normal notification process is pre-empted.
Training – Incident preparedness training ensures that all company personnel are ready to handle data breaches before they occur.
Incident Response Team members should be well versed in how to appropriately evaluate, respond and manage security incidents.
Even if not directly involved in the incident management process, all staff should understand the company’s overall breach response plan so that their actions support, not hinder, breach response efforts.
Testing – The IRP should be thoroughly and continuously tested in advance of an actual data breach to help identify process gaps and provide assurance that the plan will be effective in responding to incidents.
Strengthening the Weakest Link
Without a doubt, employees are the weakest link in the security chain. Cyber criminals not only understand this, but exploit it. The curious and fallible nature of humans demands that companies train and reinforce their employees on these matters. This is an area that companies cannot afford to overlook.
Once hackers gain a foothold at just one point in the security perimeter, they can move through layer after layer of the network to reach the information that is of most value to that business.
Losing a company laptop, inputting improper credentials or failing to work on a secure network all compromise a company’s IT security.
“Bring Your Own Device” (BYOD) complicates matters as employees create new risk by accessing company data with their own technological devices including laptops, smartphones and tablets. Employees must be motivated to think about and understand the security risks and consequences associated with their actions.
The Bottom Line
It is critical that manufacturers are aware of the new risks and new ways to address them, allocating time regularly to exploring new threats and new controls. The average cost of a data breach is $5 – 6 million, according to Experian. Your company must manage this risk.
Even though companies may properly prepare, data breaches will continue to happen.
We will always be vulnerable, but how we prepare can help ease the pain when an attack hits.
Preventative measures will minimize disruption to customers, operations and productivity, and aggressively managing through the security breach will yield a much more desirable outcome.
David Barton is a Managing Director at UHY Advisors, and leads the Internal Audit, Risk and Compliance practice. He is an expert in information security and technology risk and controls.