Lee Masterson remembers vividly the day his company was forced to reckon with its cybersecurity vulnerabilities.
In 2014, Masterson, global director of IT and software for Appleton’s CMD Corp., was called down to the office of the company’s controller. She had CMD’s chief financial officer in her office,and they showed Masterson an email that appeared to be from the company’s president.
The email asked the CFO to initiate a wire transfer, but luckily, a small anomaly caught the controller’s eye. The email signature of the company’s then-president read Steven Sakai, but this email was signed Steve Sakai.
“Her face was white, and she was like, ‘I was going to do this,’” Masterson says.
The controller didn’t go through with the transfer and averted a costly error, but it proved a wake-up call for the company, Masterson says. It was the first time he or CMD had encountered that type of threat, and it opened leaders’ eyes to the need to beef up cybersecurity.
Masterson knows his company got lucky. He mentions other companies in the area that have fallen victim to phishing scams and lost $100,000 or more with no recourse.
The company, a manufacturer of the capital equipment that produces trash bags and pouches, has since invested in training to educate employees about spotting suspicious emails as well as implementing web filtering and blocking. It also updated its aging firewall to a next-generation version, reviewed rules and codes and purchased cyber insurance to protect the company against large-scale attacks.
CMD is far from alone in its situation. The Wisconsin Manufacturing Extension Partnership found 55 percent of small- and mid-sized businesses have experienced a data breach or cyberattack, and the average cost of a successful attack is $60,000.
Ever-more sophisticated attacks
Fast forward a couple of years from CMD’s near miss, and Derek Laczniak, account executive and director of cyber practice for M3 Insurance, says most companies are now aware of the wire transfer con. Unfortunately, threats don’t stop evolving.
“Keep in mind that we’re all kind of chasing something that’s 10 feet in front of us,” Laczniak says. “Cybercriminals, no matter what your IT person says, no matter what I say, they have proven to me over the time I’ve been doing this, that they are adapting and ahead of us.”
Top threats include ransomware, malware and phishing scams. Some hackers may use social manipulation and pretend they’re a customer. The company then sends a product or equipment and never gets paid for it.
Posing as a CEO to obtain money or information remains popular. Cybercriminals may pretend to be a CEO and ask human resources to review W-2 forms before they’re sent to employees and then start filing false tax returns. Employees may lose their tax refund for six to eight months, and companies can risk damaging relationships with employees, says Laczniak, who will present a breakout session on cybersecurity at the upcoming Manufacturing First Expo & Conference in Green Bay.
In another scam, perpetrators create an email address designed to look like accounts receivable at a manufacturing company and then use the internet to search for its customers. They then create fake letterhead and email customers saying they’ve switched financial institutions and ask them to forward information to a new routing and account number.
Because of the terms some companies use, it may take some time to catch that the customer is late in paying an invoice. This situation can create hostility between businesses, as the company must decide whether to forgive the customer’s debt. M3 has seen two such claims of this type from Northeast Wisconsin.
If a manufacturer is attacked, it can stand to lose money, days of production and credibility. Concerns only grow as companies increasingly turn to robotics integration. Machinery can come to a standstill, and it may not know what part to make for that day, Laczniak says.
“If you can’t make widgets for four days, you suffer a tremendous net profit loss,” he says.
For Fabio Perini, a global manufacturer of tissue converting equipment with its North American headquarters in Green Bay, it’s about balance. The company works to address cybersecurity concerns while still providing Industry 4.0 solutions to consumers and embracing innovations such as internet of things devices and cloud computing, says Kent Maxwell, a business analyst for the company.
“The enablement and the potential of cloud computing is so huge that you don’t want to avoid it, but it is definitely a concern,” he says. “It’s a strange concern because right now if I have a system internally, I need to protect it. It’s my responsibility. I have to take action. In the future, I have to trust that my third party is doing it.”
A special challenge for SMMs
Cybersecurity threats touch companies of all sizes, and each level faces unique difficulties. Big companies, for example, have more to lose, and their large infrastructures can make them disorganized, Laczniak says. The CFO might not see the CEO often, for example, and could more easily fall prey to a wire transfer scam.
Small- to mid-sized companies (SMMs), however, have smaller staffs and budgets and may not even have any IT professionals on staff. In addition, they’re more likely to be mired in the day-to-day work of keeping up with demand. Wil Cox, an account executive for the WMEP, says attacks on SMMs have increased. In many cases, these companies don’t have updated software or firewalls and are easy to break into, he says.
“It’s easier to get into a small company and look for, say, $60,000 to get your system back than it is to go after GE or Harley-Davidson,” Cox says.
Complicating matters, cybersecurity often is viewed as a cost that offers nothing value-added, Cox says. It’s something a company must invest in, but it won’t increase sales or reduce costs.
There is help available to SMMs. The WMEP offers cybersecurity assistance to manufacturers, and Mike Burgard, director of strategic operations for Marco, also recommends forming or getting involved in peer groups.
Information Sharing and Analysis Centers, or ISACs, can prove a powerful tool, Burgard says. It’s important for companies involved to be good citizens, participate and share experiences.
“Threat intelligence communities are essential. It’s not something you can just say, ‘Hey, I’m part of this.’ You actually have to do something,” Burgard says.
CMD’s Masterson says his company finds value in being involved in a peer group and benefited from learning about the experiences of another Northeast Wisconsin company that was hit with a crypto locker and ultimately ended up paying to have their equipment unlocked.
The afflicted company lost three days of work, and all its computers servers were out. It was forced to start from the ground up and work to bring everything back at a cost of hundreds of thousands of dollars. The company’s willingness to share its experience, however, proved invaluable for CMD, which implemented new solutions based on the peer company’s experience.
A people problem, not a technology problem
While cybersecurity is a complex problem, some of its solutions are deceptively simple and inexpensive. If there’s one point everyone in the IT and cybersecurity realm can agree on, it’s the importance of educating users.
Fabio Perini’s Maxwell says the human component is vital. Since email is the primary vehicle for attempted cyberattacks — and because it’s more important than even phones for Fabio Perini — his company has added multiple layers of mail filtering through Google, which he estimates catches 90 percent of suspicious emails and stops them before they ever reach the company.
The 10 percent gap, though, is where educating employees comes in.
“The reality is, at the end of the day, something will get through,” Maxwell says. “The idea that someone believes you can 100 percent protect yourself from a cyber issue is a false premise.”
It also doesn’t cover for the fact that threats are constantly evolving. When something seems off, having an employee question that and flag it can be the difference between averting crisis and falling victim to it.
“Education is critical,” Burgard says. “That is by far and away the No. 1 thing.”
Maxwell also recommends companies complete an assessment of their vulnerabilities. He says the process has helped Fabio Perini prioritize areas of concerns, and he argues companies can’t be fully prepared for an attack without one.
When it comes to the problem of suspicious wire transfer requests, companies can implement some simple financial protocols, Burgard says. For example, they can set up a procedure that dictates employees don’t send a wire transfer until they talk to an authorizing person by phone. Businesses also can advise all customers of potential scams and establish that someone will personally call and notify them of any banking changes.
Other inexpensive solutions include ensuring passwords are safe, complex and changed often, completing software updates when they arise and using multifactor authentication when possible. This may include a phrase in addition to a password or some kind of biometric authentication, Cox says.
The explosion in the number of employees bringing their own devices to work, or BYOD, creates another layer of complication. It’s important for companies to put a policy in place around portable media use. At Fabio Perini, if employees have an application for which they need to use their own device, it goes through the IT department and there’s a dialogue, Maxwell says.
Implementing a system that gives employees as little access to networks as possible on their own device is a good idea, Burgard says. Businesses also can add network segmentation. Creating a separate network for BYOD users will keep them off certain parts of the network that aren’t safe for them to access, Masterson says.
In addition, Laczniak recommends people stay on top of cybersecurity news and trends. He also encourages companies to test the interdependency of their networks. Efficiencies come with digitizing the manufacturing space, but it’s important to visualize and plan for what would happen if certain systems were to go down.
“I think some of those practices on the front end, on a risk management basis, coupled with some kind of risk transfer or insurance, become really critical ways to avoid the risk,” he says.
Visit Insight on Manufacturing online for stories related to this month’s cover story:
• Lakeshore Technical College launched a new Manufacturing IT program this fall, and it includes cybersecurity coursework. More.
• Catch up on efforts of companies working with the defense industry to comply with the NIST 800-171 standard, which is designed to protect controlled, unclassified information in non-federal information systems and organizations. More.