Manufacturers - protect your IP from social engineering attacks

Posted by Angela Messenger on October 19, 2018

Modern manufacturing makes increasing use of technology and connectivity to design, test and produce goods. This increases your attack surface, giving an adversary a growing opportunity to compromise your network.

As touched upon in a previous post, manufacturing is the third most targeted sector globally, and a recent report from EEF, the manufacturers’ membership organisation, noted that more than four in ten manufacturers are unprepared for a cyber attack and don’t understand the full risk. [1]

One area in particular which should be a priority is understanding the threats associated with email. 70% of all compromises come from social engineering attacks. And whilst most people today are familiar with what phishing is, few realise the lengths to which cyber criminals will go to initiate a phishing attack.

Common attributes may still include a corrupt link or malicious download. But the circulation of these cyber attacks is becoming far more sophisticated than just an email with a fake company logo. Providing sufficient cyber protection, especially for email systems, is therefore essential to ensure that your Intellectual Property (IP) is safeguarded.

Why cyber criminals want your intellectual property

Intellectual property is the ‘lifeblood’ of the manufacturing industry.[2] IP is often a company’s biggest asset, “responsible for as much as 70% of their corporate value”.[3] Trade secrets, know-how and customer data all have financial value, which makes them attractive targets at risk of being compromised by cyber criminals.

What’s more, manufacturers are perceived to be an easy target due to their reliance on often outdated machinery and a weak approach to cyber security. The same report from EEF highlighted the industry’s growing concern about cyber security:

  • 41% of manufacturers surveyed don’t feel they have the right information to assess cyber security risk
  • 45% are not confident they have the ability to protect themselves
  • 12% have no processes or practices in place at all[4]

Is there a simple way to assess the risk of a cyber attack?

Companies should have a process in place that identifies, quantifies and manages the risks to their information assets. To quantify risk, the process should assess your threats and your vulnerabilities. It should also highlight the business impact should any of those risks be realised. In its most simplistic form:

Risk = Business Impact x Threat x Vulnerability

This approach and methodology are outlined simply, and in more detail, in our previous post, ‘why cyber criminals target the manufacturing industry’. Good, repeatable risk management ensures that the money you spend on your defences is appropriate and proportionate to the risk you are defending against.

Cyber attacks: email is still the principal route in

Email is the single biggest attack vector utilised by cyber adversaries to target companies and individuals. The professionalism behind these phishing campaigns is making them increasingly difficult for a user to spot. It is no wonder that users are duped into opening attachments or clicking on links. Cyber awareness and education can only go so far to protect your users. Technology can and should do more. Email protection solutions which keep pace with the threat landscape are out there.

One such solution is Pernix. It removes the need for your users to be technical cyber experts. The technology makes the decision about the authenticity and the content of the email. Of course, users should still be suspicious of any unusual requests, suggestions or demands received by email, especially from trusted suppliers. If a cyber criminal has full control of a supplier’s email account, it becomes very difficult for either the technology or the user to spot a fraudulent message. Attackers use this to their advantage in the delivery of payment diversion or further phishing attacks.

Also educate your users to be cynics; if they receive any out-of-the-ordinary requests, make sure they follow them up with a telephone call or use a secondary method to check legitimacy.

How can you make your company better protected?

The most important thing to do is to make a start. But you should not expect to solve all the problems and issues in one go. Make a series of improvements to your email systems as a priority. You can then look to conduct automated scans of the security vulnerabilities on your estate and install better defences on your hosts. Continue to assess your exposure and identify further areas for improvement. Look for value for money and implement a manageable programme that is not disruptive to your business.

Start by understanding the true costs and impact of a cyber incident on your organisation. Once you can measure the size of the risks, you can determine how much to spend and differentiate between good and bad implementations of IT security.

Find out more about Pernix, Corvid’s own hosted email protection service that protects users from fraudulent emails and phishing scams.


Footnotes

[1] ‘Cyber Security for Manufacturing’: Industry report; EEF, The Royal United Services Institute (RUSI) and AIG (2018)

[2] https://www.computerweekly.com/news/252439718/Nearly-half-of-UK-manufacturers-hit-by-cyber-attacks

[3] https://www.itproportal.com/features/why-is-intellectual-property-important-to-business

[4] ‘Cyber Security for Manufacturing’: Industry report; EEF, The Royal United Services Institute (RUSI) and AIG (2018)