As larger companies build stronger, more fortified layers of cybersecurity, bad actors are increasingly going after small and midsize businesses they consider more vulnerable, according to an executive from an Atlanta cybersecurity company.
Spencer Cobb, director of strategic sales for Cytellix, spoke to a group of manufacturing professionals Tuesday morning during a training session for the S.C. Manufacturing Extension Partnership at the S.C. Manufacturing Conference and Expo in Greenville.
He said previously cybercriminals have gone mostly after banking, finance and health care companies and data, but that’s been expanding in the past few years to include small and midsize manufacturers and supply chain companies.
Even though a secondary contractor might not have access to everything a larger company has on its servers, Cobb said even a little bit of classified data could be a critical cybersecurity target.
Cobb said cybersecurity threats come primarily from organized crime, nation states and activists using digital tools to make a political or social statement. He said they’re also unrelenting, constantly creating variants of their digital breaking-and-entering tools so they can avoid detection.
The Ponemon Institute, a data protection research organization, reports that the cost of a cyberattack for a small to midsize business tops $1 million on average. In 2017, 61% of smaller businesses reported cyberattacks, Cobb said.
The vulnerabilities aren’t always obvious, either, Cobb said. While a denial of service attack clearly is designed to shut down a business’ ability to use its data networks, other areas that can impact the integrity of systems and processes, especially for manufacturers, can undermine a company’s production line and be difficult to detect.
He said that every single device that has an IP address, including robotics, should be secured as a possible entry point for a cyberattack.
“We live in a time when the physical world is connected to the digital world, and there’s a lot of benefits,” Cobb said. “What would happen if someone infiltrated that?”
A lot of companies begin the cybersecurity conversation using the National Institute of Standards and Technology’s cybersecurity framework, Cobb said, though there are other options as well. The framework includes 14 controls, including items such as having a written policy for maintenance, incident response, personnel security, risk assessment, systems integrity and access control.
Companies that want to make a case for more resources for cybersecurity should run a vulnerability scan of their system, Cobb said. A scan can be done at a low cost or for free, resulting in a report listing specific areas where a company might be vulnerable to digital attack.
For individual employees, Cobb said it’s important to have shorter but more frequent personal reminders to reinforce that they’re a line of defense and should be careful about what they click.
“We can’t keep people from doing the dumb thing,” he said. “But we can talk to them.”