14 Critical Questions (and Answers) to Maximize Your Cybersecurity & Compliance Strategy
Emerging technologies are transforming the manufacturing industry.
You’re doing more with less, you’re innovating at a rate never-before-seen, and you’re partnering with other businesses locally, nationally, and on the global stage. But the more you let technology in, the more access points it creates for bad actors to steal your information, lock down your systems, stop production, and ruin your reputation.
If you haven’t already begun addressing your cybersecurity and compliance strategy, you are already at risk.
At InsITe Business Solutions we don’t start with technology, we start with understanding. We understand that not every business is up to speed on these issues and have created this one-stop shop for answers to the most commonly asked questions we get every day.
Trying to wrap your mind around cyberattacks? Unsure of what compliance certifications are right for you? Scroll down to learn more and connect with us to begin a one-on-one conversation about what your business needs to do to thrive in manufacturing’s high-tech future.
1. Are cyber attacks really that big of a deal?
It’s impossible to ignore the role that good cybersecurity practices play in the success of businesses in 2021 and beyond.
Cyberattacks can halt your production, expose your most sensitive data, hurt your reputation, ruin supply chain relationships, and often foreshadow the closure of a business.
A 2020 McAfee report highlighted the impact with the following statistics:
- Global losses from cybercrime now total more than $1 trillion — a 50 percent increase from 2018
- Two-thirds of surveyed companies reported some kind of cyber incident in 2019
- The average interruption to operations was 18 hours; the average cost was more than half a million dollars per incident
- IP theft and financial crime account for at least 75 percent of cyber losses and pose the greatest threat to companies
- 56 percent of surveyed organizations said they have not yet prepared a plan to both prevent and respond to a cyber incident
Manufacturers also need to know that:
- Data breaches exposed 36 billion records in the first half of 2020
- The average cost of a data breach is $3.86 million
- The average time to identify a breach in 2020 was 207 days
- The average lifecycle of a breach (from ID to containment) was 280 days
- Personal data was involved in 58% of breaches in 2020
- Security breaches have increased 67% since 2014
- Damage related to cybercrime is projected to hit $10.5 trillion annually by 2025
So, while the short answer is “yes,” the longer answer is that companies that choose not to take the threat of cyberattacks seriously are risking the very future of their business.
2. There are a lot of businesses out there. How likely is it that my business gets targeted?
Unfortunately, your business is more likely than ever to be targeted.
Think of it like fishing (actual fishing, not phishing — we’ll get to that in a minute).
Cybercriminals aren’t sitting in one spot and using a spear or a pole to go after one fish at a time. They are in a state-of-the-art boat, throwing out nets, utilizing top-of-the-line sonar technology, and working with other criminals on other boats to try and trap as many fish as they can in one go.
Your business isn’t trying to avoid one hook — you’re trying to avoid a thousand different nets being cast out in a thousand different directions. If one doesn’t catch you, the other 999 might.
When it comes to cyberattacks, it’s no longer a matter of if you’ll be targeted, but when.
3. What are the biggest current cybersecurity threats?
The sophistication of cyberattacks has evolved over the past decade, with most falling into five key categories. Here are just a couple of them:
- Social engineering: This includes the most common threat — phishing — but also includes techniques like pretexting, baiting, quid pro quo, and tailgating. Each of these involves the attacker tricking your people into giving up sensitive information directly or providing access to passwords and other details the attacker can use to get the sensitive information. Phishing itself accounted for 1 in every 4,200 e-mails sent in 2020 and 80% of reported security incidents.
- Ransomware: One of the most popular types of malware today, a ransomware attack is when a cybercriminal sends a malicious e-mail or other trap that, when opened, provides them access to your systems. Once inside, criminals can lock down systems and steal information — holding it for ransom until a fee is paid. According to recent studies, 1 in every 3,000 filtered e-mails contains malware, with the average ransom costing businesses $233,817 while being responsible for an average of 19 days’ worth of downtime.
Interested in learning more about today’s most common cyber threats? Download our free e-book, InsITe’s Practical Security Defense Guide, to identify top threats and learn tips to prevent breaches and vulnerabilities in your facility.
4. Aren’t most businesses that get attacked large, global corporations? I’m a small or mid-sized business, should I even be worried?
This might be the myth most responsible for the spike of cyberattacks in recent years. Large companies are no longer the most likely target; it’s small to mid-sized businesses.
When a large company is hit, it becomes front-page news while the more common attacks on smaller companies often go unnoticed. Large companies have the resources and in-house expertise to devote to cybersecurity and criminals know this. Smaller businesses don’t have those resources, and often haven’t even begun to prevent attacks, making them a prime target. There’s also a legitimate fear that comes with discussing an attack; a fear of losing business and a fear of a reputation hit. Small companies may feel the weight of that risk more than a larger business would.
For those reasons and more, you shouldn’t feel safe being a small fish in a large pond. You should feel more at risk.
5. Why target manufacturers? Aren’t government agencies or the health care and financial industries more attractive targets?
Those sectors do remain the high-level, and often most visible, targets for cybercriminals, but manufacturing is quickly taking the lead.
Cybercriminals want to achieve the biggest payouts for the least amount of work. Health care and financial targets have been on the cyberattack hit list for years and they know it. They’ve dedicated resources to fight back in ways manufacturing simply hasn’t.
Criminals also discovered the hidden value in targeting the industry. Every manufacturer is connected to larger supply chains; each is interconnected and interdependent on other chains. For the criminals looking to boost their reputation, why attack one healthcare business when you can attack a bolt manufacturer and send the global car industry into a tailspin? Manufacturers represent a tantalizing new target.
6. Cybersecurity requires a huge investment of resources — time, staff, money. How can businesses with tight budgets really afford the proper protection?
First, know that cybersecurity doesn’t have to be a huge investment. There are resources for companies on tight budgets or with limited staff, and with the right strategy, cybersecurity can be simplified.
If you’re worried about resource allocation, start with a conversation with us. We won’t charge you an arm and a leg to audit your company’s current preparedness status. You’ll get a sense of where you are, where other similarly positioned businesses are, and what you need to do to protect your business at a cost affordable to you. We even offer free resources to help get your company’s cybersecurity strategy off the ground.
With help from InsITe, you’ll get a jump start in identifying the low-hanging fruit that you can fix to improve your protection at a minimal starting cost.
We also pride ourselves on ensuring everything we deploy or upgrade for our clients leaves them more secure than when we found them. Even if you can’t do everything now — and most businesses can’t — we can help you build a multi-year strategy to protect you in the short term, and get you where you need to be in the long term.
7. My business is part of a much larger supply chain. Even if I’m protected against most attacks, can’t someone get into my systems through other parts of the supply chain?
What your business does affects the rest of the supply chain and vice versa. Steer into that mindset.
As you’ll read in our compliance section, you’re well within your rights to require that your suppliers secure their systems and information to the same standard that you secure your systems and information to protect your customers.
If companies farther down the chain are requiring new security or compliance standards, make sure those up the chain are aware of them also.
Recommend third-party audits and avoid allowing security and compliance to be done through self-certification. That’s just not enough anymore. We find that most uninformed manufacturers simply “check the boxes” in an audit regardless of whether they meet the criteria or not!
Finally, you can reduce your own liability and improve security and compliance across the supply chain by placing these requirements into your contracts and business agreements.
Today’s manufacturing supply chain is a true chain. It’s only as strong as its weakest link.
8. How do I know my IT partner is doing what needs to be done to secure my business from cyberattacks?
You selected your current technology vendor at some point for good reason. But even as they work to support you and your team, there can be missed opportunities to leverage new technology, improve efficiencies, or refine existing security measures.
Until you put them to the test, you’ll never really know if you’re receiving the most value for your dollar.
You can use our free resource, 10 Questions You Should Ask Your IT Provider, to get a sense of where they stand and how they are best representing your interests.
9. What’s one technology we should absolutely invest in to avoid being the victim of a cyberattack?
If we’re being completely biased, Microsoft 365. InsITe Business Solutions is a Microsoft Gold Partner and we believe that it is a product that can be at the core of your technology.
But if you are leveraging or are already heavily invested in another platform, there are alternatives that allow you to secure data and maintain other critical elements like accessibility and ease of use. We can help with that too.
The benefit all of these platforms offer is the ability to house all of your business services: e-mail, chat, communication, collaboration, voice, files, projects, and other business data, all in one platform, with world-class security capabilities that can be enabled in just a few clicks. Not only that, your team can then utilize any device, anywhere — from your IT guy’s most trusted Mac to your kid’s laptop — and know that the information will still be secure.
The key to this approach is that you no longer worry as much about securing each device; instead, the security focus is on the platform and the data in it. So no matter what device accesses the information, and no matter from what location, the information is secured. This not only simplifies the security effort but also enables your team to work faster and with more agility.
10. Tell me the basics behind an effective compliance mindset.
A lot of it comes down to how you treat risk management.
The best advice we’ll give to clients is to treat cybersecurity compliance, and really all aspects of cybersecurity, as a core competency you’ll want to read up on as a business owner.
Whether it is newer requirements like the Cybersecurity Maturity Model Certification (CMMC), older requirements like the Defense Federal Acquisition Regulation Supplement (DFARS) and International Traffic in Arms Regulations (ITAR), or other need-to-know frameworks like those from the National Institute of Standards and Technology (NIST), it’s essential in today’s connected economy to understand what is required based on what you manufacture and who you do business with.
Whether it’s a unique vertical within the government or work you’re doing with other industries, you can be assured that there will be specialized requirements all along the way.
Rather than trying to manage it all by yourself, once you have the basic knowledge — or to help you achieve it — you should look for a compliance expert to partner with.
The less you have to take on alone the better, especially when dealing with compliance, which can result in significant penalties if not followed correctly.
You can connect directly with the InsITe Business Solutions team for a full breakdown of existing requirements like the ones listed above and others that are specific to your business, industry, and partnerships.
11. How common are compliance requirements in manufacturing contracts? Is it really something I should be thinking about?
Given the significant increase in attacks on the manufacturing supply chain, there is an increased focus on compliance — particularly for top-tier manufacturers.
While these companies have significant risks of their own to worry about, one of their key vulnerabilities lies with their suppliers, whose technology they have limited-to-no direct control over.
When you look at today’s supply chain, many customers and suppliers are now granting each other direct system access to their data.
As a result, the top-tier manufacturers are now writing compliance requirements right into their contracts and are even pushing for formal audits across their entire supply chain.
We are also receiving more requests to perform these security and compliance audits from our clients further down the supply chain.
As a supplier, it is not only smart to have a handle on your security in general but it is also becoming a competitive advantage in bidding for new jobs.
There was always significant leeway when it came to the validation of compliance, but that is simply going away at this point.
Third-party auditing will become a hard requirement as fewer businesses will trust the word of a supply chain partner.
They want to know for themselves that all necessary compliance regulations will be met and handled by organizations with the correct certifications.
You can utilize InsITe Business Solutions to begin the process of getting all your I’s dotted and your T’s crossed. Our experienced team helps you navigate current challenges and plan ahead for where you need to be next year, two years from now, and further down the road.
12. Are there benefits to achieving compliance certifications beyond just winning government contracts?
Today, business leaders want to know that you are doing what needs to be done to protect your data — and also protect their data.
Achieving compliance certification shows your supply chain partners and others that you take cybersecurity seriously, and have taken the appropriate steps to protect your data and theirs, and subsequently are doing your part to protect the overall supply chain.
Sometimes sharing that you have those certifications can be enough to continue a conversation with a prospective customer, while not having it can be enough to disqualify you from consideration for a particular contract.
13. What’s the most important thing a business can do to stay ahead of compliance?
Perform at least a basic audit. Take the time to complete a self-analysis of what your gaps are in security and compliance.
By completing even a base-level security and compliance audit, you can then identify the low-hanging fruit that you can quickly improve. It also helps to provide you with direction to continue enhancing your cybersecurity and compliance. Even if your goal is to achieve a particular compliance level a year or two down the road, by getting a sense of where you want to be, you can build a strategy to accomplish it.
14. How can InsITe Business Solutions assist with my security and compliance-related challenges?
Think of us as a place to start your journey toward greater cybersecurity and stronger compliance standards. InsITe Business Solutions can help you:
- Evaluate your current cybersecurity posture, or compliance status
- Identify existing gaps
- Mitigate the high-impact, low-to-mid-effort gaps
- Build a long-term cybersecurity and compliance strategy, and manage it to completion
- Partner with the proper third-party compliance certification providers
- Provide continual cybersecurity and compliance management, as requirements evolve
If you are ready to start a conversation about cybersecurity or to prepare your team for future compliance requirements, connect with our team today! We’re ready to help move you forward.
ABOUT INSITE BUSINESS SOLUTIONS:
InsITe helps businesses and manufacturing companies get the most out of current and emerging technologies with a customized IT approach to maximize growth, efficiency, insights, and productivity. InsITe is not a typical IT company selling products for short-term, short-sighted fixes. We invest in long-term solutions for a company’s growth by taking the time to learn its products, process, and business goals before bringing tech into the conversation. In this way, we become much like our Clients’ very own internal IT department with familiar faces who understand the business.
If you have any questions about this post please leave a comment. We read and respond to all comments. Or better yet, give us a call and ask to talk directly to our Founder and CEO Mike Schipper 616-383-9000.