7 steps to better cybersecurity

To prevent a hack, revisit the fundamentals

Cyberthreats are omnipresent. No matter what industry an organization operates in—even some of the seemingly more secure ones like politics or banking—every working individual appears to be at risk of being hacked. And metal fabricators are no exception to the rule. According to Kroll’s 2017/2018 “Global Fraud & Risk Report,” 88 percent of manufacturing executives said their companies experienced a cyber incident or information theft, loss, or attack over the past 12 months. Even more alarming, the “IBM X-Force 2018 Threat Intelligence Index” found that the manufacturing sector is one of the most frequently hacked industries.

Many manufacturers are increasing their investments in cybersecurity technology—particularly in the wake of increased regulation, including the European Union’s General Data Protection Regulation. With cybersecurity threats increasing and regulations to prevent them being introduced, manufacturers must evaluate every facet of their businesses that could be putting their own data, their employees’ data, their customers’ data, and even their vendors’ data at risk. This is an especially necessary, though admittedly daunting, task for smaller, custom manufacturers, which run the same risk as larger manufacturers but with fewer resources for prevention.

For those manufacturers that fall into the job shop camp, there is no time to waste when it comes to thinking about a cybersecurity strategy. As a first step, such manufacturers should look to eliminate vulnerabilities in their enterprise resource planning (ERP) system, a tool that intersects with many critical parts of the business.

Manufacturers that use ERP software should be well aware of the threats the software could pose if it isn’t properly protected. ERP tools typically contain and control nearly every mission-critical piece of data for manufacturers, such as inventory counts, financial records, manufacturing details, pricing information, and customer requests. This makes ERP a primary target for hackers. More often than not, this data is housed in one central location within the software. This makes the data incredibly useful for manufacturers, but it also makes it all the more susceptible to attack if the tool does not include advanced cybersecurity features.

Small manufacturers must also be in tune with where all of the important data within the organization is stored and who has access to it. Large manufacturers may assign project work to many people, some of whom work in the office while others are remote; accessing and verifying the location of important data in this environment can prove to be a challenging endeavor. Smaller manufacturers with fewer employees might have an easier time identifying who is working on what project and when, though without systems to manage access and control, the risks are just as great, with possibly even greater negative impacts. Small manufacturers must use every tool at their disposal to track where data is stored, transferred, and used throughout their organization. Otherwise, they could wind up with an extremely costly and detrimental data breach.

What Would an ERP Hack Look Like?

Unfortunately, thanks to advancements in technology, hackers have various weapons at their disposal. They can send a malicious link that downloads spyware onto the recipient’s computer or even impersonate a colleague or friend to request sensitive information. When it comes to hacking into the information stored within an ERP system, the tactic is no different.

A hacker could email an employee at the manufacturer using social-profiling tactics to entice the individual to click on a link; open a document; or share confidential information like financial data, bank information, customer lists, or even product specifications. All this could give the hacker access to the ERP system if it isn’t protected.

A hacker’s attack is an even greater possibility if the manufacturer doesn’t have any controls set up that define and manage how data can be shared outside of the organization. Ransomware could cause detrimental harm to a manufacturer, particularly if it doesn’t have a proven disaster recovery plan.

Hackers could steal customer data such as payment information, order requests, and contacts, then use that information to commit fraud. They could access the manufacturer’s financials or hold sensitive data for ransom and threaten to release it to the public.

Sometimes threats come from within the manufacturer’s own walls. If the servers that house the ERP software are not adequately protected physically (for example, locked in a computer room with restricted access), it wouldn’t be out of the realm of possibility for a disgruntled employee either to steal the data or do damage to the server. Although these are worst-case scenarios, falling victim to each is a possibility for small manufacturers that don’t take a critical look at their cybersecurity best practices.

First Steps to Prevention

While investments in heavy-duty cybersecurity or security specialists may not be an option, small manufacturers can still work to prevent a hack. If you work at a small manufacturer (or a large one, for that matter), you can start by revisiting the following cybersecurity fundamentals.

1. Educate. First, educate employees on common hacking tricks. This requires a small monetary investment, and yet it is one of the most important things company leaders can do to safeguard data. Employees must know how to identify and avoid potential breaches.

Being a smaller company makes it easier and less time consuming to train every employee at least once per quarter. While phishing emails are the source of most cyberattacks, employees also need to be cognizant of company password policies, social engineering, third-party software, data protection, threats from malicious websites, fake WiFi access points, and problems caused by reusing credentials. Every employee must be able to identify these types of scams to prevent granting hackers access to the ERP system and its confidential data.

2. Protect Email. Small businesses in particular rely heavily on email, despite it being one of the most common and vulnerable ways for malicious individuals to gain access to an organization’s systems. Businesses must apply strong software tools that protect emails from spam, phishing attacks, malware, and viruses. Given a small company’s size, it’s easier to ensure all employees are protected and conscious of the dangers.

3. Identify Vulnerable Data. Identify, locate, and (ideally) encrypt the most vulnerable, mission-critical data. This can include the financials, customer and vendor information, payment details, employee records, and sensitive emails. Typically, smaller businesses don’t have extensive software that monitors where each piece of data is stored. This forces employees to do this crucial job manually, which increases the probability of falling victim to a cyberattack.

ERP systems can store most of the sensitive data, and it’s up to the ERP vendor to qualify the platform’s safety and security. In addition to evaluating the ERP vendor’s safety measures, companies should also consider implementing a strong backup strategy to prevent a devastating loss.

4. Know Who Uses What. Businesses and their employees could be using any number of software and hardware tools at any given time. By identifying every software and hardware tool that’s running, a company can build a complete inventory of everything that’s in its network. The complete inventory makes it easy for internal experts to ensure everything is secure, particularly the tools that run with an ERP platform. Without complete visibility, company executives and information technology professionals won’t be able to apply patches and remove rogue software from the system.

5. Update, Update, Update. Be sure that all software is up to date, always. In June 2017, the Petya ransomware attack hit computers across Europe and the U.S., demanding $300 in Bitcoin to unlock encrypted files. The organizations spared by the hack had installed the latest software update from Microsoft, which included crucial security patches. Because ERP platforms are part of a larger ecosystem of software and hardware, regular security patches must be applied to hardware and network devices, operating systems, antivirus, and other software applications to prevent potential breaches. Thankfully, most ERP vendors send out patch updates throughout the year and offer immediate fixes for time-sensitive issues.

6. Consider the Cloud. Consider moving mission-critical services to the cloud. According to a Microsoft SMB Study, 78 percent of small businesses will have adopted cloud computing by 2020. That’s not surprising when you consider that moving from on-premise systems to cloud systems can remove the time and expense of maintaining multiple servers, scheduling regular data backups, and performing vulnerability testing and monitoring—all of which distract a business from delivering the products and services that its customers expect.

Cloud deployments can help eliminate that distraction. They also provide companies the safety net of knowing that, in the event of an attack, they will have limited or no downtime. This was evident in the experience of one company with an on-premise ERP system. The company suddenly fell victim to a ransomware attack—and then found that its backup systems couldn’t be restored. By converting to the cloud, it was able to restore its systems while eliminating future system downtime and reducing future vulnerabilities.

7. Have a Recovery Plan. Finally, develop and test a disaster recovery (DR) protocol. While the previously mentioned steps should help a small manufacturer limit the risk of a potential ERP hack, mistakes can happen. In the event that all other mitigation strategies fail, manufacturers should establish a DR protocol that can help the business revert to a previous point in time after a hack occurs.

The protocol should help the organization respond to any cyber threat and be capable of evaluating the potential impact a hack can have. Manufacturers should test and update the DR plan regularly to ensure it is properly set up to handle the aftermath of any hack. Without doing so, manufacturers who fall victim could discover their data is completely lost.

A Very Real Threat

Small businesses can be particularly vulnerable to both cyberattacks and their aftereffects. Using ERP systems to store, manage, and distribute information is highly beneficial to companies, but a central system presents its own set of vulnerabilities. Implementing the above precautions can prevent companies from putting both corporate and customer information at risk from malicious hackers.

Jeff Ralyea is president, manufacturing division, ECi Software Solutions, 4400 Alliance Gateway Freeway, Suite 154, Fort Worth, TX 76177, 817-662-3726, www.ecisolutions.com.