From the Association of Equipment Manufacturers —
Cybercrime has exploded over the past decade. No organization is immune – not even a small, obscure manufacturer of an uninteresting widget based out in the middle of nowhere. If there is data to be hijacked, there is an opportunity for cybercriminals to profit.
In most instances, it is a devastating event that finally prompts a company to start placing increased focus on cybersecurity. But unfortunately, many don’t completely follow through.
According to data from the CDW Corporation, roughly half of organizations that suffered an attack in recent years did nothing budgetarily to improve cybersecurity. “In fact, just 22% increased their budget,” said Gabriel Whalen, manager of information security services at CDW, a provider of technology solutions to business, government, education, and healthcare. Whalen recently spoke at an AEM member education webinar on cybersecurity.
Whalen said CDW conducts passive assessments of its customers’ vulnerabilities. CDW’s top five findings are:
CDW then assesses the top five weaknesses in these organizations’ cybersecurity systems. They are:
Whalen pointed out that investing in cybersecurity tools is important but not enough. There is data from IBM suggesting that many organizations with an overabundance of detection and monitoring tools actually perform less effectively than those with far fewer tools.
“The really interesting thing is that roughly 47% don’t have a cyber incident response plan,” Whalen pointed out. “At the end of the day, it is a lot of these fundamentals that present weaknesses for an organization. Getting wrapped around these fundamentals will help address them directly, or at least help a company develop defense and depth mechanisms.”
Another thing that tends to be missing from an organization’s overall cybersecurity plan is an incident response plan (IR). What systems and processes are in place in the event that a breach takes place? Communication is a big part of this that many organizations miss. Immediate, clear communication with customers, vendors, and the media can help save an organization’s reputation.
“Organizations need to think about roles and responsibilities,” Whalen said. “I’m not just talking about the technical response. I’m talking about the overall strategic business response. Once these roles and responsibilities are established, it’s important to test your IR plan. Even mature companies need to regularly test their IR plan.”
It is somewhat ironic to think that even in today’s increasingly digitized world, human beings continue to be one of the most glaring weak spots in cybersecurity.
“There’s an example a while back where someone called into a company’s help desk,” Whalen said. “The person said he was very important, and he needed to have his multifactor authentication token disabled immediately because he was in a hurry and had to respond to someone who was also very important. The person on the help desk complied because, after all, it’s the help desk. Well, it turned out to be a bad actor who ended up getting into the system and dumping half of the company’s global address list onto the internet.”
In an instance like this, a well-defined process should be in place so the help-desk attendant knows to raise a red flag.
“We have a foundational challenge as companies,” said Ryan Layton, founder and CEO of Secuvant, a cybersecurity and risk management firm. “As long as we have people and employees, we’ll always have a problem with cybersecurity.”
Layton pointed to data from Trend Micro, a leader in enterprise data security and cybersecurity solutions, showing that 91% of cyberattacks begin with a “spear phishing” email. This means that computer users still represent the weak link in IT security, which is why cyber extortion has become a major issue for private companies.
Here is a disturbing example.
One of Secuvant’s clients, an industrial manufacturer, urgently emailed them early one morning. A hacker had breached the company’s IT system and hijacked 959 employee social security numbers. The hacker had also breached some of the company’s proprietary information. To prove what he or she had obtained, the hacker showed the social security numbers of four company executives. The hacker requested payment of $150,000.
After some more back and forth with the hacker, the company ended up paying $150,000 in bitcoin currency. The company also had to legally notify all of its customers about what happened. As a result, the company lost two large government contracts. This company did not have cyber liability insurance. Thus, all expenses had to be paid out of pocket. The total financial impact was estimated at more than $1 million.
The following ransomware attack was even more financially devastating.
A large company in the hospitality industry started receiving an unusually large number of IT system access complaints from users. Ultimately, a regional location was hit with ransomware from a group based in China. The company’s operations were halted. Local and off-site backups were fully encrypted. The hacker requested payment of $4 million.
“This same company had a breach a few years earlier,” said Don Ainslie, executive vice president of risk services and sales at Secuvant. “The damage that time was roughly $150,000. Now it happened again. We had categorized their security as moderate, at best. They had firewalls and antivirus, but that was about it.”
The business impact this time would prove to be much more devastating than a few years earlier. An operational outage persisted for two-and-a-half weeks. The company was forced to pay $2.55 million in ransomware and $350,000 for external forensic services. Most was paid by the company’s insurance provider, aside from the $100,000 deductible. The indirect damage is where things got excruciatingly painful. The cost for labor, loss of clients, legal liability, remediation, and lost opportunity was estimated at roughly $25 million.
Each of these incidents share several commonalities that other companies can learn from:
Secuvant has specialized expertise in the agriculture and construction equipment industries. According to Layton, today’s machinery is becoming more digitized with GPS, Internet of things (IoT), telematics, machine learning, artificial intelligence and 5G connectivity. As a result, the potential exists for the creation of a heightened cybersecurity risk. Furthermore, as equipment users become more informed about technology, their expectation of how their data is stored and protected is intensified.
All of this evolution requires a change in thought from equipment providers.
“The industry’s past experiences with cybersecurity risk cannot be representative of the future,” Layton pointed out. “We can’t make future decisions on how we invest and protect our businesses based on what has happened in the past.”
To begin gaining a better understanding of the industry’s current and future states, Secuvant undertook an extensive research study of both ag and construction equipment manufacturers and dealers.
On the manufacturer side, roughly 60% of survey respondents said it is likely that cybersecurity is addressed in executive-level meetings. Roughly 66% said their company had a past cyber incident. Layton said this is a pretty good sign because past incidents should always trigger increased dialogue among company leaders.
Another series of questions was also interrelated. The results are less encouraging.
A solid 78% of manufacturers said there was a high level of cybersecurity in their companies. But only 69% said they were confident in their cybersecurity preparation, and just 62% said there was a capable IR plan in place. This data shines light on a gap that exists between what manufacturers think exists and what actually exists.
“These percentages should be nearly identical,” Layton pointed out. “The deeper we get into the questioning, the deeper we get to the truth. And the truth is, a lot of things need to be in place to truly be protected in cybersecurity. When we do risk assessments of any company, we generally find that the security readiness is only half of what the executives think it is.”
A similar gap exists on the dealer side of the industry. But when it comes to dealers, the percentages are much lower. “Smaller dealers in particular, meaning those with sales under $150 million, are about 50% less secure,” Layton added.
Layton stresses the importance of having a cybersecurity plan that is in alignment with business goals. To that point, he said the following items are typically the most important for AG/CE companies:
Companies must gain a clear understanding of their current state. They must look at their risks and prioritize them. What role should the executive team play? Where should money be invested to beef up the cybersecurity plan?
Whatever the order of priorities, creating a culture of cybersecurity must start with executive leadership. Layton said company leaders should ask themselves these questions:
In many cases, a cyber-related incident ends up serving as a catalyst for companies to start placing increased focus on cybersecurity. Even worse, many do not have a sound understanding of where to begin once they do determine they want to make significant strides and improvements and provide a greater level of organizational protection. That doesn’t have to be the case. However, in committing to cybersecurity – and, perhaps more importantly, taking the necessary steps to follow through on that commitment – companies can provide themselves with a greater level of organizational protection and protect both their valued assets and their bottom lines.
For more information, visit www.aem.org/.