13 Critical Questions (and Answers) to Maximize Your Cybersecurity & Compliance Strategy
Emerging technologies are transforming the manufacturing industry.
You’re doing more with less, you’re innovating at a rate never-before-seen, and you’re partnering with other businesses locally, nationally, and on the global stage.
But the more you let technology in, the more access points it creates for bad actors to steal your information, lock down your systems, stop production, and ruin your reputation.
If you haven’t already begun addressing your cybersecurity and compliance strategy, you are already at risk.
Trying to wrap your mind around cyberattacks? Unsure of what compliance certifications are right for you? Scroll down to learn more.
1. Are cyberattacks that big of a deal?
It’s impossible to ignore the role that good cybersecurity practices have on the success of businesses in 2022 and beyond.
Cyberattacks can halt your production, expose your most sensitive data, hurt your reputation, ruin supply chain relationships, and often foreshadow the closure of a business.
A 2020 McAfee report found:
- Global losses from cybercrime now total more than $1 trillion — a 50 percent increase from 2018
- Two-thirds of companies surveyed reported a cyber incident in 2019
- The average interruption to operations was 18 hours; the average cost was more than half a million dollars per incident
- IP theft and financial crime account for at least 75 percent of cyber losses and pose the greatest threat to companies
- 56 percent of surveyed organizations said they have not yet prepared a plan to both prevent and respond to a cyber incident
Manufacturers also need to know that:
- Data breaches exposed 36 billion records in the first half of 2020
- The average cost of a data breach was $3.86 million
- The average time to identify a breach in 2020 was 207 days
- The average lifecycle of a breach (from ID to containment) was 280 days
- Personal data was involved in 58% of breaches in 2020
- Security breaches have increased 67% since 2014
Damage related to cybercrime is projected to hit $10.5 trillion annually by 2025So, the short answer is “yes.” But the long answer is that companies that choose not to take the threat of cyberattacks seriously risk the very future of their business.
2. How likely is it that my business gets targeted?
Unfortunately, your business is more likely than ever to be targeted.
Think of it like fishing (actual fishing, not phishing — we’ll get to that in a minute).
Cybercriminals aren’t sitting in one spot and using a pole to go after a single fish at a time. They are in a state-of-the-art boat, throwing out nets, utilizing top-of-the-line sonar technology, and working with other criminals on other boats to trap as many fish as they can.
Your business isn’t trying to avoid one hook — you’re trying to avoid a thousand different nets in a thousand different directions. If one doesn’t catch you, the other 999 might.
When it comes to cyberattacks, it’s no longer a matter of if you’ll be targeted, but when.
3. What are the biggest cybersecurity threats today?
The sophistication of cyberattacks has evolved over the past decade, with most falling into five key categories, here are just a couple:
- Social engineering: This includes the most common threat — phishing — but also includes techniques like pretexting, baiting, quid pro quo, and tailgating. Each of these involves the attacker tricking people into giving up sensitive information directly or indirectly. Phishing itself accounted for 1 in every 4,200 e-mails sent in 2020 and 80% of reported security incidents.
- Ransomware: One of the most popular types of malware today, a ransomware attack, is when a cybercriminal sends a malicious e-mail or other trap that gives them access to your systems. Once inside, criminals can lock down systems and steal information — holding it for ransom until a fee is paid. According to recent studies, 1 in every 3,000 filtered e-mails contains malware, with the average ransom costing businesses $233,817 while being responsible for an average of 19 days’ worth of downtime.
4. Is it true that large companies get targeted more often than small- or mid-sized businesses?
This might be the biggest myth out there and could be the reason for the recent spike in cyberattacks. Large companies are no longer the most likely target; it’s small to mid-sized businesses.
When a large company is hit, it is front-page news. But more common attacks on smaller companies often go unnoticed.
Large companies have the resources and in-house expertise to devote to cybersecurity and criminals know this.
Smaller businesses don’t have those resources and often haven’t begun to prevent attacks — making them a prime target.
There’s also a legitimate fear that comes with discussing an attack; a fear of losing business and a fear of a reputation hit. Small companies may feel the weight of that risk more than a larger business would.
For those reasons and more, you shouldn’t feel safe being a small fish in a large pond. You should feel more at risk.
5. Why target manufacturers? Aren’t government agencies or health care services more attractive targets?
Those sectors do remain the high-level, and often most visible, targets for cybercriminals, but manufacturing is quickly taking the lead.
Cybercriminals want to achieve the biggest payouts for the least amount of work. Health care and financial targets have been on the cyberattack hit list for years and they know it. They’ve dedicated resources to fight back in ways manufacturing simply hasn’t.
Criminals also discovered the hidden value in targeting the manufacturing industry.
Every manufacturer is connected to larger supply chains; each is interconnected and interdependent on other chains. For the criminals looking to boost their reputation, why attack one healthcare business when you can attack a bolt manufacturer and send the global car industry into a tailspin?
Manufacturers represent a tantalizing new target.
6. How can businesses with tight budgets afford protection against cyberattacks?
Cybersecurity doesn’t have to be a huge investment.
There are many resources for companies on tight budgets or with limited staff. With the right strategy, cybersecurity can be simplified.
Here are a few ways you can kickstart your cybersecurity efforts:
- Look for opportunities to partner with experts that understand you — businesses of your size, scope, and budget.
- Get a sense of where you are — audits can help (check out question 13 for more)
- Identify the low-hanging fruit you can fix in-house or at a minimal starting cost
- Hire the right people with the right skills to tend to today’s technology issues
- Start somewhere — you don’t have to solve every problem today but begin to solve a problem whenever you can
- Look at the long-term: technology issues aren’t going away and cyberattacks won’t stop tomorrow. The more you prepare today, the better you’ll survive and thrive against future attacks.
7. Even if I’m protected, can’t someone get into my systems through other parts of the supply chain?
What your business does affects the rest of the supply chain and vice versa. Steer into that mindset.
Just know that you’re well within your rights to require your suppliers to secure their systems and information to the same standard that you do. Protecting your customers’ sensitive information is paramount.
If companies farther down the chain are requiring new security or compliance standards, make sure those up the chain are aware of them also.
Recommend third-party audits and avoid allowing security and compliance to be done through self-certification. That’s just not enough anymore.
We find that most uninformed manufacturers simply “check the boxes” in an audit regardless of whether they meet the criteria or not!
Finally, reduce your liability and improve security and compliance across the supply chain by including these requirements in your contracts and business agreements.
Today’s manufacturing supply chain is a true chain. It’s only as strong as its weakest link.
8. How do I know my IT partner is doing what needs to be done to secure my business from cyberattacks?
You selected your current technology vendor at some point for a good reason. But even as they work to support you and your team, there can be missed opportunities to leverage new technology, improve efficiencies, or refine existing security measures.
Until you put them to the test, you’ll never really know if you’re receiving the most value for your dollar.
9. What is the one technology we should invest in to avoid being a victim of a cyberattack?
If we’re being completely biased, Microsoft 365. InsITe Business Solutions is a Microsoft Gold Partner and we believe that it should be at the core of your technology.
But if you are leveraging or are already heavily invested in another platform, some alternatives allow you to secure data and maintain other critical elements like accessibility and ease of use.
The benefit all these platforms allow, is the ability to house all your business services: e-mail, chat, communication, collaboration, voice, files, projects, and other business data, all in one platform, with world-class security capabilities that can be enabled in just a few clicks.
That means your team can use any device, anywhere — from your IT guy’s most trusted Mac to your kid’s laptop — and know that the information will still be secure.
The key to this approach is that you no longer worry as much about securing each device, instead the security focus is on the platform and the data in it.
So no matter what device accesses the information, no matter from what location, the information is secured. This not only simplifies the security effort but also enables your team to work faster and more agile.
10. What are the basics behind an effective compliance mindset?
A lot of it comes down to how you treat risk management.
The best advice we’ll give to clients is to treat cybersecurity compliance as a core competency you want to read up on as a business owner.
Whether it is newer requirements like Cybersecurity Maturity Model Certification (CMMC), older requirements like Defense Federal Acquisition Regulation Supplement (DFARS) and International Traffic in Arms Regulations (ITAR), or other need-to-know frameworks like through the National Institute of Standards and Technology (NIST), it’s essential in today’s connected economy to understand what is required based on what you manufacture and who you do business with.
Whether it’s a unique vertical within the government or work you’re doing with other industries, you can be assured that there will be specialized requirements all along the way.
Rather than trying to manage it all by yourself, once you have the basic knowledge — or to help you achieve it — you should look for a compliance expert to partner with.
The less you have to take on alone the better, especially when dealing with compliance which can result in significant penalties if not followed correctly.
11. How common are compliance requirements in manufacturing contracts?
Given the significant increase in attacks on the manufacturing supply chain, there is an increased focus on compliance — particularly for top-tier manufacturers.
One of their key vulnerabilities lies with their suppliers having limited-to-no direct control of the technology.
When you look at today’s supply chain, many customers and suppliers are now providing direct system access between each other’s data. As a result, the top-tier manufacturers are now writing compliance requirements right into their contracts and pushing for formal audits across their entire supply chain.
At InsITe Business Solutions, we are also receiving more requests to perform these security and compliance audits from our clients further down the supply chain.
As a supplier, it is not only smart to have a handle on your security in general but it is also becoming a competitive advantage in bidding for new jobs. There was always significant leeway when it came to the validation of compliance, but that is simply going away at this point.
Third-party auditing will become a hard requirement as fewer businesses will trust the word of a supply chain partner. They want to know for themselves that all necessary compliance regulations will be met and handled by organizations with the correct certifications.
12. Why should I pursue compliance certifications beyond winning government contracts?
Today, business leaders want to know that you are doing what needs to be done to protect your data — and protect their data.
Achieving compliance certification shows your supply chain partners and others that you take cybersecurity seriously and have taken the appropriate steps to protect your data and theirs. It also demonstrates that you are doing your part to protect the overall supply chain.
Sometimes sharing those certifications can be enough to continue a conversation with a prospective customer. While not having it can be enough to disqualify you from consideration for a particular contract.
13. What’s the most important thing a business can do to stay ahead of compliance?
You should perform a basic audit.
Take the time to complete a self-analysis of what your gaps are in security and compliance.
By completing a basic security and compliance audit, you can then identify the low-hanging fruit that you can quickly improve.
It also helps to provide you with a clear direction to continue enhancing your cybersecurity and compliance.
Even if your goal is to achieve a particular compliance level a year or two down the road, by getting a sense of where you want to be, you can build a strategy to accomplish it.
InsITe Business Solutions is an MMA Premium Associate Member and has been an MMA member company since September 2020. Visit online: trustedinsite.com.
About the Author
Mike Schipper is the Founder and CEO of InsITe Business Solutions, a Michigan-based IT solutions company dedicated to solving today’s technology challenges and assisting companies in maximizing growth, efficiency, insights, and productivity through current and emerging technologies. He can be reached at 616-383-9000 or firstname.lastname@example.org.