Cybersecurity is a hot topic for businesses. In recent years, cybersecurity threats have spread from the retail industry to almost every corner and niche of the business world. As a result, manufacturers are no longer safe from cybersecurity threats. According to the trend study “The State of Industrial Cybersecurity 2018,” published by Kaspersky, over 75% of the companies surveyed expected that they would become a target of a cybersecurity attack in the operational technology and industrial cybersecurity space.[1] Despite this certainty of a pending cybersecurity attack, only 23% of the companies surveyed followed the minimal mandatory industrial or governmental guidance and regulations. As past cyber attacks have proven, all it takes is one weak spot in the cybersecurity fence for hackers to access, corrupt or steal critical information or disrupt a supply chain. The stakes in the manufacturing industry are too high for companies to remain inattentive to the seriousness of this issue.
Cybersecurity and the threats commonly associated with it, such as hacking, spyware, malware and ransomware, are important issues for all organizations to discuss. However, it is important to remember that these are only a few pieces of the overall business security puzzle. An organization’s vulnerabilities extend beyond the virtual world. Described below are a few additional areas that should be addressed as part of a comprehensive business security plan.
PRIVACY
It is very important that a business adequately protects information about, and the identity of, its employees, customers, suppliers, vendors, and resource providers. By ensuring that systems and procedures are established and followed that restrict access to this information to only those who really need it, a business can prevent the spread of information and reduce the risk of it being used incorrectly or illegally by an unauthorized individual. The procedures established should also include a process for archiving and purging excess, expired or unnecessary information. Limiting those who have access to the business’ sensitive information reinforces the classification of such information as confidential in the business world, which can be useful when responding to a cyber-attack or later prosecuting a cyber-attacker.
PHYSICAL SECURITY
The physical security of your information and systems is just as important as their cybersecurity. Businesses should restrict or limit the number (and type) of individuals who have physical access to equipment and technology to reduce the risk of physical theft or damage. This means considering everyone who has access: employees, independent contractors and vendors. The number of individuals who have physical access to a business’ critical information can be surprising, both during business hours (e.g., clients, visitors, vendors, etc.) and after hours (e.g., security personnel, cleaning crews, etc.). This is especially important if any information is stored in an unencrypted format.
Additionally, businesses should limit and monitor virtual access to information stores, access points and any interconnected devices to ensure they are being used only as allowed and only by those authorized to do so. Past attacks have been caused by cyber-attackers accessing information through third-party vendor systems (e.g., an attacker used network credentials provided to an HVAC vendor for external access).
CONTINGENCY PLANNING & DISASTER RECOVERY
The speed with which a business can respond to a cybersecurity attack can be the difference between recovery and devastation. Advance planning is crucial. Businesses should develop, test and deploy the hardware, tools and processes needed to quickly and effectively recover information in the event of a catastrophe. In addition, businesses should determine in advance how they wish to handle such a situation and the steps to be taken to inform potentially affected parties of any potential loss of information.
OPERATIONAL SECURITY
The way an organization runs its business or the method that a manufacturer uses to make its products is only confidential if it is kept a secret. An organization should limit those who have access to strategic or market-differentiating information to help protect the business’ manufacturing processes and trade secrets. Developing an informational response plan can help effectively address any leaks or the spread of potentially adverse information regarding the organization.
PERSONAL SECURITY
Implementing background checks for all employees and service providers with access to information (or the ability to access information) can help to limit the unauthorized spread of information. Behavior monitoring can also be instituted to proactively detect exposure risks. Once a monitoring process is established, an organization should monitor activity at all levels and implement set warnings should leaks occur or employee behavior vary beyond normal expectations.
The depth, comprehensiveness and frequency of these checks should be proportional to the sensitivity and strategic importance of the information to be accessed by the checked individual. It is important to test all levels of the organization for vulnerabilities to discover and address potential exposure points.
Missing any piece of the business security puzzle diminishes the effectiveness of the overall security system. The first step is to assess and evaluate the viability of your current cybersecurity protection and policies. Using that information as a baseline, a simple systematic approach can be taken to address and resolve any possible vulnerabilities. Taking protective steps can decrease the risk of exposure and reduce the time and resources spent on a security breach, should one occur.
This article constitutes attorney advertising. The material is for informational purposes only and does not constitute legal advice.
[1] The State of Industrial Cybersecurity 2018, Kaspersky Lab AO, https://ics.kaspersky.com/media/2018-Kaspersky-ICS-Whitepaper.pdf