Why Manufacturing Companies are Now More Susceptible to Data Breaches


SVP, Management Liability
+1 763 548 8599
August 28, 2018

Originally published 4.18.18. Updated August 2018.

Many Owners And Managers Assume They Have No Exposure. Wrong.

Manufacturing companies are highly susceptible to cyber-attacks—or any kind of “data breach” for that matter. That’s especially true of small or midsize companies.

The 2018 Marsh & McLennan Agency’s Cyber Survey Report found that only 36% of small/midsize companies purchase cyber insurance, while 53% consider cyber risk a top five risk for their business. And manufacturing, along with other non-financial, non-retail, non-technology industries, is now every bit as prone to experiencing data breaches for three basic reasons:

  1. They’re responsible for data that can be ransomed or sold.
  2. Banks, tech companies and others that have been primary targets have beefed up security so cyber attackers can’t get in as easily.
  3. Most manufacturing companies haven’t improved their cyber security or their overall data security—so they’re a far easier target.

39% of all cyber-attacks in 2016 were against manufacturing companies, according to the U.S. National Center for Manufacturing Sciences. That’s up 6% from the previous year, and those breaches cost the companies anywhere from $1 million to $10 million each. That study also reports that 21% of manufacturers suffered a loss of intellectual property, with more than 90% of what was stolen classified as “secret” or “proprietary.”

Where are these companies vulnerable?

  • Unprotected computer systems and servers.
  • Printers, scanners, fax machines, copiers, and other networked equipment.
  • Unshredded documents sitting exposed in easily accessed dumpsters.
  • Employees falling victim to scams via email, smart phones, and social media.

Employees can be unwitting participants in cyber-attacks. In fact, recent studies show that cyber breaches are most commonly caused by non-technical issues rather than sophisticated hacking schemes. But sometimes, employees are responsible for the attacks. According to a recent Verizon Data Breach Investigations Report, in 60% of all cyber breach cases, insiders steal data with the expectation of converting it to cash. And 15% of the time, employees take data to a new employer or use it to start a rival company.

As cyber risk increases for companies in all industries, sizes, and geographies, many breaches could be avoided by training people and implementing processes designed to safeguard files and transmissions.

Why Don’t Companies Take More Steps to Protect Sensitive Data?

Companies point to the lack of trained security staff and inadequate budgets. However, given the enormous costs associated with a data breach, not protecting data could be penny wise and pound foolish. The costs of adequately protecting data may not be nearly as high as companies assume.

One simple solution may be a comprehensive password management system to help employees avoid lost or forgotten passwords. Employers should require password changes periodically (experts recommend every six months) and prohibit reusing old passwords. Experts also suggest using a two-step verification process for login (fingerprint, secret questions, or known device push authorization—a code sent to the employee’s known cell phone, for example) to enhance security.

Companies should also make sure employees know what to watch for, particularly phishing, spear phishing, or other social engineering attacks that bury harmless-looking clickable URLs in their messages. Employers are constantly surprised by how many people in their own organizations will fall victim to these scams.

According to the 2018 Marsh & McLennan Agency’s Cyber Survey Report, only 18% of respondents had developed a cyber incident response plan, while 36% said they had implemented a plan to train employees to recognize phishing emails, and 23% had conducted penetration testing of their online defenses.

Beyond the costs and lost productivity, manufacturing companies can be liable for losing or exposing proprietary client/customer intellectual property data; allowing a virus to be transmitted to another company; and allowing access to personal information of employees as well as clients.

How Can Your Company Do Everything It Can to Protect Data?

Here are several essential questions recommended by WomenCorporateDirectors and Marsh & McLennan Agency that every company C-level manager—as well as the Board—should answer:

  1. What cyber risk management framework does the organization use?
  2. Where are our most significant residual vulnerabilities?
  3. Where do we rank in cyber preparedness compared to relevant peers and how do we benchmark our performance?
  4. Which leaders across the organization have accountabilities for cyber risks and other data breach issues? How do we ensure we have enough resources dedicated to each?
  5. What company policy and protections are in place regarding ransomware threats and related payments? Do these plans consider local laws?
  6. Have we quantified and assessed the potential financial impact of an interruption caused by a cyber event?
  7. Do we have a dedicated cyber insurance policy, or are we relying on add-on products or blended coverages?
  8. What are the limits of liability of cyber insurance that we have available and how can we determine if they are sufficient?
  9. How often will the board be updated on the status of cyber risk management and cyber insurance coverage, and what will be the format of that report?
  10. How have we compared our cyber insurance program to our fundamental risk profile, as well as to similarly situated peers in our industry, or those with similar risk/threat profiles?

How Can Manufacturing Companies Develop More Data Protection Against Cyber-Attacks?

  • Have employees set strong passwords.
  • Make sure employees know not to share or post passwords.
  • Keep data backed up – several backups in multiple locations.
  • Train your employees – constantly.
  • Only allow employees access to data when they absolutely need it.
  • Keep software up to date. If you have a patch, install it as soon as possible.
  • Monitor your network.
  • Put a “Denial of Service” mitigation into place.
  • Have published procedures and policies, especially for handling sensitive data.
  • Encrypt your data whenever possible.
  • Employ two-factor authentication (password and additional private information).
  • Verify any request for information.
  • Make sure employees keep devices with them at all times: don’t lock them in a car, and be wary of doing business on free Wi-Fi.
  • Maintain security on all mobile devices.
  • When you’re doing e-commerce, only use an encrypted website.
  • Create and maintain an “incident response” plan.
  • Have an outside firm conduct regular risk analysis/risk assessment tests.
  • Have in-place policies for telecommuting.
  • Follow the rules for disposal and data retention of all sensitive information.
  • Perform due diligence before entering into any agreements or partnerships, even with new clients or customers.
  • Keep clear inventories of digital assets and locations.
  • Cover yourself: make sure you have more-than-adequate cyber security insurance.


To learn more about how Marsh & McLennan Agency can help protect your organization from data breaches, including cyber-crime, contact your account representative.