Reducing Cyber and Data Security Risks for Industrial Manufacturers
The hard truth is that a cyber and/or data security event can happen to any industrial manufacturer. However, there are practices and tools that can allow companies to reduce their cyber and data security risks. This article will discuss some of these safeguards. We’ll discuss the potential consequences that cybersecurity events can have for industrial manufacturers, solutions to prevent possible security breaches, and we’ll cover some different forms of high-profile data and how to protect it, including some options that are available to QAD users.
Cyber and Data Security Breaches – What’s the Cost to Industrial Manufacturers?
Most organizations don’t think they are vulnerable to cyber and data security attacks—until they are hit with one. A 2019 IBM report (registration required) estimated that a typical company has a 29.6% chance of experiencing a system breach in the next 24 months. In 2020, IBM also reported (registration required) that “the average cost per lost or stolen record was $146 across all data breaches.” This same report found the average cost of a data breach to be $3.86 million, with the average cost being $8.64 million for breaches in the United States.
All this is to say that breaches can be extremely expensive. But where is all this cost coming from? Companies should note that the total cost of a data breach can be the sum of many different components, such as:
- US or EU Federal fines
- State and local agency fines
- Outside technology, vendor, and legal counsel expenses
- Class action lawsuits
- Internal disruptions associated with recovery (for example, data forensics on a ½ terabyte server can be approximately $60,000)
- Stock de-valuation for public companies
- Cyber insurance increase.
With all this in mind, we see the potential costs associated with failing to invest in the appropriate safeguards against cyber and data security risks. Now let’s look at some these safeguards.
Preventing Possible Security Breaches
We hear time and time again that human error is one of the most frequent causes of security breaches. Let’s look at some solutions to this problem that require minimal investment of time or funds.
Security Awareness Training
This training provides formal cybersecurity education to an organization, covering different security threats and the company’s procedures for dealing with them. Organizations may wish to outsource this training. One possible reason is that the different users within a company may speak different languages. In such a case, there is no way for HR or IT to effectively provide training material on policy.
Multi-factor authentication has the user provide two or more factors to gain access to a resource. This is an organization’s first line of defense when an untrained employee gives away sensitive information, and it is valuable in general because of its ability to reduce the risk of brute force attacks.
Restricting Local Administrator Privileges on End User Devices
Users may consider this a last line of defense. For example, if an untrained employee clicks on a nefarious link, these restrictions prevent unwanted items from getting installed on his or her computer, because he or she does not have the required privileges for such an installation.
While less tied to breaches from human error, here are some other low-cost security measures that can be taken to reduce the risk of breaches overall.
Active End-Point Monitoring
End-point monitoring is the tracking of activity across all internet-connected devices in an organization to protect against behavior that deviates from a baseline, which may be interpreted as malicious. Especially with so many personnel working remotely, end-point monitoring may never have been more important than now. It is important for IT departments to invest in the staffing to be able to respond to possible nefarious events, such as a login from an unrecognized location, but unfortunately many IT departments have struggled to invest in these measures.
Applying Security Patches
We know how important security updates can be. Sometimes, companies (for example, Microsoft) may provide security updates to its applications which should be installed on the same day they are released. However, organizations may opt to arrange them such that they run after hours.
Cyber and Data Security Risks for Industrial Manufacturers and How to Protect Against Them
If an industrial manufacturer experiences a cybersecurity attack, the potential consequences can be severe. Hackers can jeopardize the security and logistics of materials, impeding their movement from suppliers to the manufacturer. Shipments from the manufacturer to its customers could also be either delayed or even re-routed to the wrong location. Attacks can also result in the shutdown of internal systems.
Three major cyber threats that manufacturers face are web skimming, ransomware, and malware directed at Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition Systems (SCADA).
Web skimming is a form of attack where the attacker inserts malicious code into a website for the purpose of obtaining information such as customer credit card or personal data, potentially shutting down systems.
Ransomware is a type of malware which encrypts files on a device, preventing users from accessing those files until a ransom is paid to the hacker in exchange for decryption. Ransomware can potentially compromise millions of internal records.
The risk we’ll focus on is ICS/SCADA malware. If these systems are breached via malware, nefarious parties could stop operations or even alter BOMs.
There are various circumstances that exacerbate the risks posed to the ICS and SCADA systems. One such factor is that more ICS vulnerabilities are being discovered. A report from Claroty (registration required), an industrial cybersecurity company, found that in 2020, there were 25% more ICS vulnerabilities disclosed compared to 2019, as well as 33% more compared to 2018. The report also found that nearly 72% of these vulnerabilities can be exploited through a network attack vector (they are remotely exploitable).
There are additional contributing factors to a higher risk of cyber-attacks that are not specific to just ICS and SCADA. One such factor is that the pandemic has resulted in more remote work than ever before, leading to a larger attack surface. The Internet of Things (IoT) becoming more prevalent among industrial manufacturers has also increased the attack surface.
Protecting Against These Risks
One way to reduce these cyber and data security risks is to invest in a cloud ERP system. The cloud is often the safest environment and most protective against attacks on data in the ERP system, due to the centralized cybersecurity measures that providers offer. Services may include intrusion detection programs, an incident response team, and regularly scheduled penetration testing. Cloud systems can also avoid the high management cost of on-premises systems.
There are also several ways that industrial manufacturers can reduce the risks posed by ICS/SCADA malware specifically.
This involves asset inventory and an operational technology (OT) systems management program, including things such as user and account management and software management. Organizations may also want to consider how they are going to manage their patches. This may seem simple at first but managing patches can be difficult and time-consuming.
Effects of ransomware or malware can be diminished if there is more limited access between devices. Companies may wish to consider how they can check for abnormalities that alert when the system is about to be compromised.
This involves protecting systems compromised through means such as remote access. This can involve isolating these systems based on function.
There are other areas companies may want to address to further reduce risk to their ICS/SCADA systems. These are questions such as “Have we invested in offline backups in the case of cyber-attacks?” “Do we have a training protocol for OT and cyber events?” “Do our personnel know what to do when issues arise?”
High Profile Data and How to Protect It
Protected Data Potentially in QAD
- PHI (Personal Health Information)
- PCI (cardholder data)
- PII (Personally Identifiable Information)
- Protected financial data
- Financial reporting info
- Bank routing codes
- Commission rates, pricing
- Intellectual property (BOMs, routing content, etc.)
- Other competitive information (pricing, cost of goods, test result performance, etc.)
If any of this data exists in QAD, there are potentially ways that this data can be exported. If any intellectual property is exposed, competitors can gain an advantage. The same holds true for information such as pricing information or test result performance. Therefore, companies may wish to consider this when developing their data protection scheme.
Managing General Data Protection Regulation (GDPR) Requirements for Data Protection
There are a couple of questions that industrial manufacturers can ask themselves as a step toward managing GDPR requirements.
The first is “Are we auditing outsourcing vendors?” A company may wish to assess what info it shares with these vendors, and potentially consider auditing these vendors to ensure that they are secure.
The second question is “Are training records concerning data management in place?” For GDPR requirements, it is mandatory that all data handlers receive data management training.
Companies will also want to ask “Are we documenting the purposes for retaining data? Do we document how long the data is retained?” This will naturally lead to companies asking if such retention policies and procedures are being adhered to—and if these are documented.
Another question involves unstructured data. How much unstructured data does the organization have? Where exactly is that data? eDiscovery tools such as Veritas eDiscovery Platform can help organizations find what sensitive data exists within the company and where it is located. Then, the organization can decide how to proceed—whether that be through encrypting the device where the data is located, encrypting the data itself, or destroying the data.
Compliance auditing is another data protection angle to consider. This allows the company to see with whom the organization is exchanging data and why. Companies may wish to have either an internal audit team that specializes in data management, or one that the company can outsource.
How the QAD ERP Application Can Help
There are numerous options within the QAD ERP application for bolstering security. Here we list a few. (If you have any questions regarding these options, we encourage you to reach out to us here.)
- Segregation of Duties and Access Control (EE)
- Customer/Supplier Transaction Blocking (EE)
- Field Security
- Dictionary field Security
- Browse Data Exports & Imports
- Active Directory Integration (2016EE and up)
- Application Time Out
There are also some procedures used to heighten application security.
Least privilege/access processes
This means that the user has only the permissions necessary to perform his or her job, thereby reducing unnecessary risk.
Formal access/menu request processes
An organization can make its request processes formal. It may involve having designated applications or forms for requesting data. The organization may have several people from different functions required to approve access to the user.
Regular review of roles and associated access
As a person’s role within the company changes, so too should his or her access privileges; he or she likely should not still have access to the same data from a previous role if the organization is to follow the least privilege protocol. The HR team is going to be the most likely to be notified of these changes. This is one of the many reasons why having an HR member as part of an organization’s security team may be useful.
Ideally, the same day an employee is terminated, he or she will no longer have active directory access. Otherwise, this is likely to show up on an audit.
We’ve discussed the potential costs of cyber and data security incidents and where these costs can come from; the importance of activities such as security awareness training in lowering security breach risk; specific ways for industrial manufacturers to reduce risk of exposure to ICS/SCADA malware; the different forms of high-profile data organizations may deal with, and we’ve included several questions manufacturers can ask themselves to determine if their data is secure. Lastly, we looked at the security options available to QAD ERP users, as well as general procedures useful for lowering cyber and data security risk.
However, we cannot hope to cover all such risk-reducing practices deeply in a single article. We therefore encourage you to visit our Cybersecurity webpage, where you will find a list of our services, including a general security assessment and a GDPR compliance evaluation. You will also get a look at the Logan methodology for cybersecurity.
We also encourage you to reach out to us with any questions you may have regarding cybersecurity or the QAD ERP for your organization.
Is Your Accounting Software Hurting Your Business?
Top 10 Inventory & Operations Decisions Distributors Are Making Blind
2020 Nucleus Research Report on ERP Technology