Manufacturers – protect your IP from social engineering attacks

Posted by Angela Messenger on October 19, 2018

Modern manufacturing makes increasing use of technology and connectivity to design, test and produce goods. The result is a growing opportunity and potential for adversaries to compromise your network, as it increases your attack surface.

As touched on in a previous post, globally, the manufacturing industry is the third most targeted sector by cyber criminals, and a recent report from EEF, the manufacturers’ membership organisation, noted more than four in ten manufacturers are unprepared for a cyber attack and don’t understand the full risk. [1]

One particular area to prioritise is understanding the threats associated with email. 70% of all compromises are from social engineering attacks. And while most people today are familiar with what phishing is, few realise the lengths to which cyber criminals will go to initiate a phishing attack.

Common techniques may still include a corrupt link or malicious download, but these cyber attacks are becoming far more sophisticated than just an email with a fake company logo. Providing sufficient cyber protection, especially to email systems, is therefore essential to ensure your Intellectual Property (IP) is safeguarded.

Why cyber criminals want your intellectual property

Intellectual property is the ‘lifeblood’ of the manufacturing industry[2]. It is often a company’s biggest asset, “responsible for as much as 70% of their corporate value”[3]. The financial value of trade secrets, know-how and customer data are all attractive targets, and are at risk of being compromised by cyber criminals.

What’s more, manufacturers are perceived to be an easy target due to their reliance on outdated machinery and a weak approach to cyber security. The EEF report highlighted the growing concern of cyber security within the industry:

  • 41% of manufacturers surveyed don’t feel they have the right information to assess cyber security risk
  • 45% are not confident they have the ability to protect themselves
  • 12% have no processes or practices in place at all[4]

Is there a simple way to assess the risk of a cyber attack?

Companies should have a process in place that identifies, quantifies and manages the risks to their information assets. To quantify risk, the process should assess your threats and vulnerabilities. It should also highlight the business impact should any of those risks be realised. In its most simplistic form:

Risk = Business Impact x Threat x Vulnerability

This approach and methodology is outlined simply and in more detail in our previous post ‘Why cyber criminals target the manufacturing industry’. Good, repeatable risk management ensures the money you spend on your defences is appropriate and proportionate to the risks you are defending against.

Email is still the main route in

Email is the single biggest attack vector used by cyber adversaries to target companies and individuals alike. The professionalism behind these phishing campaigns makes them increasingly difficult to spot. It is no wonder that users are duped into opening attachments or clicking on links. Cyber awareness and education can only go so far to protect your users. Technology can and should do more. Email protection solutions which keep pace with the threat landscape are available.

One such solution is CORVID Email Protection. It removes the need for your users to be technical cyber experts. The technology makes the decisions on the authenticity and content of an email. Of course, users should still be suspicious of any unusual requests, suggestions or demands received by email, especially from trusted suppliers. If a cyber criminal has full control of a supplier’s email account, it becomes very difficult for either the technology or the user to spot the difference. Attackers use this to their advantage to divert payments or in further phishing attacks.

Educate your users to be cynical. If they receive any requests that are out of the ordinary, make sure they follow it up with a telephone call or by using a secondary method to check legitimacy.

How to better protect your company

The most important thing to do is make a start, but don't expect to solve all the problems and issues in one go. Make a series of improvements to your email system as a priority. You can then look to conduct automated scans of the security vulnerabilities in your estate and install better defences on your hosts. Continue to assess your exposure and identify further areas for improvement. Look for value for money and implement a manageable programme that is not disruptive to your business.

Start by understanding the true cost and impact of a cyber incident to your organisation. Once you can measure the size of the risks, you can determine how much to spend and what to spend it on, and differentiate between good and bad implementations of IT security.

Footnotes
  1. ‘Cyber Security for Manufacturing’: Industry report; EEF, The Royal United Services Institute (RUSI) and AIG (2018)
  2. https://www.computerweekly.com/news/252439718/Nearly-half-of-UK-manufacturers-hit-by-cyber-attacks
  3. https://www.itproportal.com/features/why-is-intellectual-property-important-to-business
  4. ‘Cyber Security for Manufacturing’: Industry report; EEF, The Royal United Services Institute (RUSI) and AIG (2018)