Companies operating in the industrial space are prime targets for cyber attack due to the technical, data driven nature of their business. Engineering archives, part drawings, CAD programs, customer data, financial data, research and proprietary software are just some examples of the types of critical digital assets that industrial businesses rely on. It's not just a company's digital assets that need to be protected. A data breach can seriously harm a company's reputation and in some cases it can block access to certain types of work and bidding opportunities.
A serious cyber breach won't sit well with customers that make confidentiality and security their priorities when selecting vendors.
Smaller Manufacturers are Prime Targets
Over 97% of all businesses in Canada are defined as "Small" meaning they employee less than 100 people. It's often assumed that cyber attacks are "large" company problems but the reality is that smaller businesses are popular targets. Why? ...
- Smaller operations may lack the knowledge, skills and resources required to implement an effective cyber security plan.
- Small business owners may not make cyber security a priority.
- Some small businesses owners are more likely to rely on older hardware and outdated software which can leave them vulnerable to attack.
- Smaller business owners and managers are sometimes unaware of the risks and the potential impact an attack can have on their company's ability to operate.
The Most Common Types of Cyber Attacks
There is seemingly an endless list of threats for companies to worry about and the attacks are becoming more sophisticated and potentially more dangerous every day. We've put together a list of some of the more common threats.
Ransomware We'll start with Ransomware as this seems to be the type of attack we hear most about in the media. A Ransomware attack involves an attacker gaining access to a company's network where they are then able to encrypt the company's data and block access to files until some form of financial ransom is paid. Access to the network is often gained through a vulnerability that is created when one of the users on the company network falls victim to a phishing email link or a compromised, unsecure website.
Denial of Service A hacker floods a company's website with too much traffic for it to handle so that legitimate site users can't gain access.
Phishing Attackers send out emails that appear to be from legitimate organizations or even from contacts that the victim may recognize. These emails encourage the victim to take action by clicking on a malicious link within the email.
Malware Software gets planted on a user's computer (often through a Phishing email). The malware then takes control of the victims computer, monitoring actions and keystrokes. The malware can send confidential data it collects back to the attacker.
Spoofing An attacker impersonates another user or trusted device on a company's network to gain access. Once in, the attacker can steal data, spread malware or bypass security controls to further compromise the network.
Brute Force Attackers attempt to access a network, specific computers or encrypted data by running software that tries a massive number of password combinations in a very short period of time.
Canadian SMB Cyber Security Stats
The statistics tell us two things. First, Canadian small & medium businesses (SMB) of all types are under constant threat from cyber criminals with many companies having already suffered an attack. Second, a significant portion of SMBs are ill-prepared to deal with an attack when it happens.
- 18% of SMBs (0 to 500 Employees) in Canada have been impacted by a data breach in the previous 2 years (2018 / 2019). This increases to 42% for SMBs that employ between 100 - 500 people.
- Of those attacked, 57% initially had no idea to what extent their systems were damaged.
- 46% of SMBs that were able to calculate the value of their losses estimated the financial cost of the breach to be in excess of $100,000.
- 79% of SMBs don't have any form of Cyber Attack insurance.
- 33% of Canadian SMBs spend nothing on cyber security annually, 28% spend less than 10% of their operating budget on cyber security.
- Only 47% of Canadian SMBs have taken action to implement tools and policies to protect themselves against cyber attack.
- 32% of Canadian SMBs have little to no confidence in the ability of their business to withstand an attack.
- 51% of SMBs believe their business is currently vulnerable.
*Stats taken from Insurance Bureau of Canada Cyber Security Poll (2019)
Take Steps to Protect Your Business Today
A company doesn't have to spend alot of money or be technically savvy in order to implement some basic safeguards. You also don't have to hire consultants or produce a formal cyber security plan. While ultimately you will want to put your plan and policies into some sort of document what really matters most in the short term is that you actually take action to protect your business.
We've put together a list of recommendations that if followed will go a long way towards helping to shield your business from cyber criminals.
Identify the Risks
Start by working with management and employees to identify potential risks and vulnerabilities. These risks might be external in nature (ie. unauthorized network access) or they can be internal (ie. a weak password policy). Once you know the risks you can start working on coming up with a set of solutions that will address and minimize each threat.
Consider Working with a Managed IT Service Provider If you can't afford to have your own in-house IT support it's not a bad idea to establish a relationship with an outside IT support vendor. There are several benefits to contracting out your IT maintenance but the most important reason is that these companies will take the burden of managing your IT related issues off your shoulders so you can focus on what you do best. The digital landscape is changing all the time and keeping up with the latest technology and security issues can be a fulltime and often daunting task for a small business.
Take some time to properly source out, research and interview a few candidates before making your choice. Check references and make sure the people you hire have the tools in place to support you.
Backup, Backup, Backup
A well designed data backup system is critical. Even if a company loses all their data due to an attack its usually no issue to get back up and running if a healthy backup is available.
You don't want to backup your data to one location and you want to make sure your data gets backed up automatically on a set schedule (multiple times each day if possible). We recommend a system that backs up your critical data (or even your entire IT environment) 2 to 3 times each day with copies of each backup being kept in multiple locations. You might, for example, have your critical data backed up to a locally managed device (ie. a server) and then have copies of this data uploaded to a secure remote data storage location. Some companies may decide to backup their data to portable devices such as flash drives and then take these devices off premise for storage in another location. This is fine if you have a very strict process in place to ensure the security of the device but it is risky since portable devices can be lost or stolen.
In this day and age there is no excuse to not backup your data. It's one of the simplest things you can do to help protect your business.
Invest in Commercial Grade Protection for your Network Spending a little more on protecting your business network and hardware is a worthwhile investment. Too many smaller businesses think they can get by with off the shelf network hardware or free versions of security software but while this approach saves money it also leaves them exposed to attack. A Firewall is a piece of hardware or software that acts as the gatekeeper for requests for access to your company network. A commercial grade firewall provides a wide variety of security features and options that aren't available from less expensive, off the shelf models. We suggest purchasing a firewall through a reputable IT support provider so they can properly install and configure the firewall to provide you with the highest possible level of protection.
An "Endpoint" is any device connected to a network. A computer, laptop or smartphone are all examples of endpoints. Endpoint Protection Software is software that helps business owners set rules (policies) over how their network operates and what data or sources of data (ie. Websites) it allows to be accessed. An Endpoint solution goes beyond basic anti-virus protection by also offering email filtering, web filtering and firewall services that can all be easily monitored and managed.
Learn to Recognize Threats and Educate your Employees You can't protect yourself until you learn to recognize what an attack looks like. There are ample resources available online that will teach you about the different types of cyber threats and how to identify them. Teaching employees to recognize a threat when they see it and then training them on what to do next is a critical early step in reducing your company's exposure to attacks.
For example, email is one of the most popular tools used by cyber criminals. Teaching employees to recognize suspicious email messages and coaching them to never click on links or reply to requests contained within these sorts of emails can cut your exposure to an outside attack significantly.
Make sure your Email is Secure Employee training is key but its equally important to make sure the security and privacy settings for your email service are set correctly. Go through your email settings on your own or speak with your email provider to ensure your services are setup to provide as much protection as possible.
Keep Unauthorized Software and Private Files off your Network It is common for hackers to use software or certain types of files as a means to plant malware on an unsuspecting user's computer, mobile device or the company network. A company needs to have rules around the downloading & installation of unauthorized software and apps on company computers and mobile devices.
Don't allow anyone to copy or download personal files (ie. photos, movies, personal documents etc.) onto your work computer or network from a personal drive or remote location. While its not recommended, if you still decide to give permission for someone to copy or download files to their PC you need to ensure the files are scanned by a security application first before they are permitted.
Restrict Access to your Network and System Settings It's a good idea to limit who is allowed to make changes to your network or IT system settings. Nobody should be able to install software or alter their system or security settings without approval from an authorized individual also known as the System Administrator.
Stay Up to Date Its critical to ensure you hardware and software is up to date at all times. Hardware and software updates can add new functionality and enhance the performance of your devices and software but updates also ensure your hardware and software are secured against possible cyber threats and vulnerabilities.
Out of date hardware with old operating systems or software that has not been kept current can become easy pathways for hackers. You can set most updates to happen automatically or have an IT support provider monitor your systems to ensure all critical updates get applied as they become available.
Establish a Password Policy One of the biggest security risks to your business is the password. In the wrong hands a password could give a criminal instant access to your company network, your valuable digital assets and even your bank account.
When it comes to password rules, companies should not allow employees to write down their passwords, passwords should never be shared and the company should have standards that dictate how passwords should look to ensure they aren't too easy to guess. In addition, passwords should be changed regularly and every application an employee uses should require a unique password.
Encourage Employees to be Mindful of their Mobile Devices Effort needs to be put in when outside of the office to ensure mobile devices such as smartphones, tablets or notebooks don't end up stolen or misplaced. If you need to carry sensitive data on mobile devices its not a bad idea to have some way of remote locking and even wiping clean mobile devices that go missing. Device manufacturers (ie. Apple, Samsung etc.) provide access to remote management tools.
Have a Procedure for Departing Employees When an employee leaves a company their digital profile needs to be deactivated and wiped clean immediately. Inactive email accounts or unused but active login credentials can become targets for hackers.
Also while we don't want to assume the worst, the reality is that a former employee might decide to take out their frustrations or disappointment on your business. Its critical that former employees lose all access to company devices, data, email and network access a soon as they cease their employment.
Act Today to Be Safer Tomorrow
Technology is designed to enable companies to succeed but unfortunately it also leaves us exposed to attack from those who hope to use our technical tools against us. Cyber crime is one of the greatest threats to Canadian businesses of all sizes and those operating in the industrial space have much to lose in the event of a breach.
If your company already has a security plan and system in place to protect against cyber attacks then you are in the minority of those who are prepared. If you haven't started to think about cyber security yet you need to do so immediately. Even following some of the more basic recommendations in this post will make a difference.
The key is getting started before it's too late.