By David Kane, Ethical Intruder
In today’s business environment, we often work with customers and partners at a distance.
Our employees spend a good portion of their day on the computer sending and receiving information. In the past few years, executives and managers in manufacturing have been trying to understand how this relates to all the news we hear about cybersecurity. According to the 2017 Verizon Data Breach Investigations Report (the cyber industry’s de facto guideline), manufacturing is taking center stage when it comes to cyber espionage. While most companies, especially smaller and midsize companies, say, “we are not a target,” the data shows the opposite. The Verizon report found that espionage is the second most common motive behind breaches, and the number one industry affected is manufacturing.
So, is corporate espionage the cloak-and-dagger vision we have from old spy movies? Is there any reason to think your organization is at risk? Why is corporate espionage happening, and how can you lower the threat?
To begin, we explore whether your organization is at risk. To answer the question, we look at some basic attributes. Are you in a competitive space? Do you have proprietary designs, concepts, formulas or strategies? Are you bringing a new product to market? It really comes down to whether anyone would benefit from knowing your intellectual property. This applies across all of manufacturing, from robotics to medical devices to traditional manufacturing organizations.
Corporate espionage can take several forms. For example, a disgruntled employee with access to information could simply walk out the door with it. That insider threat, though, is not what the Verizon report is referring to. The biggest threat is social engineering, which most typically rears its ugly head in the form of a phishing email. So, what is a phishing email, for the uninitiated? It is a nefarious attempt by a malicious intruder to get an employee or user of your systems to take an action whose consequences help the intruder. Many companies have begun running awareness and training programs for their employees, which is a tremendous help, and there are various products and services that can help you along the way. The key to any training or awareness program is management buy-in: take it seriously and have a way to follow up with reinforcement training. Susceptibility to phishing is mostly a behavioral and cultural issue, so the best way to attack the problem is to focus on changing behavior and corporate culture.
OK, so phishing leads to corporate espionage, but how? A more aggressive and common approach is to simply ask your employees for their system credentials in exchange for something the attacker is offering. When we perform evaluations for customers, we find that 15-35% of employees will hand over their log-in credentials simply because we asked. Before you get down on your employees, know that phishing does not discriminate by role or department. Management and certain areas such as finance are very susceptible to providing the information, in many cases at a much higher rate than shop floor or administrative employees. Once the attacker has valid credentials, their activity looks like an ordinary user logging in, is very hard to distinguish from legitimate use, and gives them easy access to your most vital information.
One of the misconceptions about user training is that it should focus only on “reducing clicks” by employees who receive suspect emails. Having fewer people click on phishing attacks is vital, yet there should be some shared focus on what happens “after the click.” What can the intruder access when even one user clicks the wrong link? Let’s explore a real scenario used to steal information from manufacturing organizations.
First, an intruder sends out some lure emails to finance, executives or anyone with access to intellectual property. Once they determine who is susceptible to a simple click, they send an additional attack to that user and, with one click, produce a snapshot of the user’s calendar and inbox. From there they look for important scheduled meetings and confirm them by reviewing email content.
Now the attacker can send a final email to the susceptible employee just before a meeting and turn on their microphone to listen, turn on their webcam to watch and, most important, automatically pull the last 10 documents they had open right off the desktop without any warning. Since the employee might be in a planning, design, strategy or contracts meeting, the documents they have open could be devastating in the hands of the malicious intruder. These types of attacks are why espionage in manufacturing is up so dramatically in the past year. They are silent and bypass many of the security and IT controls you may have in your organization.
The good news is that if you work with your IT team and security professionals, they can help you reduce the clicks, understand what happens if someone still clicks, and then protect against those weaknesses to make you more secure.
So, if you are in manufacturing with intellectual property to protect, from funded startup to advanced manufacturer, you very likely are, or will be, a target. Don’t blame the employee or feel unable to solve the issue. Empower your organization to adopt good behavioral practices and promote change in corporate culture through awareness, training and a review of your susceptibility to this silent attack.