With Sean Devin, partner and technology strategist with Saskatoon-based MNP LLP
Are small- to mid-sized manufacturing companies on the Prairies really a cybersecurity target?
Absolutely — and the question itself starts to shape the reasoning why. Cybersecurity attacks happen to all sizes of organizations, in all industries, everywhere in the world. Even if you’re operating in a rural community selling only to local customers, you can be as much of a target as a global conglomerate with a highly integrated supply chain.
Think of it as a numbers game. As a hacker, I could go after one large company that invests heavily in protecting itself against digital vulnerabilities, or I could pursue several small companies that tend to not invest heavily in cybersecurity. I would have a higher chance of breaching the latter and could conceivably acquire the same volume of sensitive data in a fraction of the time, and at a lower risk.
What information do I have that anyone would want?
Many companies — particularly those in the SME segment — make the mistake of assuming their data is not ‘sensitive’ or worth enough to warrant a hacker’s interest. To the right person, however, your customer information, employee data, financial information, intellectual property, and other files are as good as gold. That will become only more true as data is leveraged to automate manufacturing, quality control, and other processes. Not all intruders want to steal your data to keep, either. Some simply want it to ransom back to you, as its value to you and your business may be greater than its value to others. Product drawings, bank records, prototype photos — if they are of value to you, they’re valuable to someone else.
What are the most prevalent cybersecurity threats facing my business?
The three biggest cybersecurity threats today are hacking, malware, and phishing.
Hacking is the act of someone or a group of individuals gaining unauthorized access to your computer. The average time a hacker stays hidden in a network before being discovered is 140 days.
Malware is malicious software that is intended to damage or disable computer systems and data. Ransomware is a type of malware that encrypts your data and provides you an opportunity to pay for it to be unencrypted (usually through a facilitated bitcoin transaction) by a certain time, or else it is deleted forever.
Phishing, meanwhile, is the act of obtaining sensitive information such as usernames, passwords, and credit card numbers, or receiving money, by disguising as a trustworthy entity or individual. Remember all those Nigerian princes who want to transfer you cash, if only you help with their legal fees? Or the bank that sends you an e-mail with a link to a website that looks exactly like theirs, requesting you to log in? These are prime examples of phishing scams. The rule of thumb is that if it seems suspicious or sounds too good to be true, it likely is.
What would be the potential impact to my business if I had a cybersecurity breach?
The impact to your organization can vary significantly depending on the scope of the breach and what type of information is compromised. Besides operational impact, financial loss, reputational damage, and even legal proceedings are also possible. Class action lawsuits are becoming more common in Canada due to cybersecurity breaches. How many customers or suppliers would want to do business with a company that is known to have lost sensitive information? Internationally, cybercrime damages are projected to hit $6 trillion each year by 2021, making cybersecurity one of the fastest growing industries in the world, for good reason.
What are some initial steps I should be taking right now to protect our company?
Regardless of the size or complexity of your organization, there are several immediate steps you can take and incorporate into policy.
Start by using and enforcing a company-wide protocol for strong passwords. I recommend a minimum of eight characters — mixed lowercase and uppercase, numbers, and special characters. A two-step or two-factor verification process is preferable whenever possible.
Next, ensure all your software and hardware is updated at least once per month. If you haven’t already installed a network firewall and anti-virus software, do so immediately and double-check they are both properly configured and auto-updating.
And finally: Setup your company devices to auto-lock, never add people to your social media profiles that you don’t know or who look suspicious, and allocate the resources to engage a qualified third-party in conducting a security assessment. Understanding your exposure is the first step to being adequately protected.