When it comes to information technology security, no company or industry is immune to unauthorised access to its data. Recent high-profile data breaches have influenced U.S. companies to update their security protocols, according to a recent RSM survey.1
Yet when it comes to their own companies, many manufacturers feel it unlikely that their data will be a target of any breach attempts. They believe that their companies are too small or that their data is too insignificant or even useless outside the context of their business. Hackers have no interest in their data, so the thinking goes, because it is not easily monetised in the way that Social Security numbers or credit card numbers are.
The statistics of cybersecurity say otherwise; a recent report by Verizon puts manufacturing at the top of the list when it comes to industries being targeted by cyber espionage.2 Incidents of this type made up 60 percent of the breaches reported in the study by manufacturers, with proprietary trade secrets and intellectual property, credentials and systems data among the information disclosed to unauthorised parties.
Understandably, because of the cybersecurity initiatives put forth by the Securities and Exchange Commission, manufacturing companies and their boards primarily fear losing client or customer information, since these fall under legal protection and data disclosure laws. According to a study by Kaspersky Lab,3 these data types are of primary concern to companies, followed by concerns regarding intellectual property. They are much less concerned with losing personnel information or corporate bank account access. Yet, in today’s business and technology environment, all information has value. Bank account information and access credentials, for example, are particularly attractive to thieves, enabling them to transfer funds when a computer virus is introduced into a system used to manage the account. According to the Symantec Internet Security Threat report, almost a third of manufacturing companies experienced a cyberattack in 2014, with more than 230 of those attacks resulting in a reported data breach.
Targets and their risks
The steady rise in the value of data over the past 10 years has made hacking an increasingly popular and profitable enterprise. It’s the data, not the size of a target, which holds the value for the hacker. While manufacturers usually do not have the volumes of consumer data that can be found in financial or health care companies, manufacturing was the third-most targeted industry in 2015, according to the Verizon study.
Manufacturers large and small may be vulnerable to breaches by criminals in a number of ways, and there are several areas at risk:
- Intellectual property. The FBI estimated that the cost of the intellectual property stolen from U.S. companies in 2014 was almost $500 billion4. Most of this is attributed to China-based groups, like Emissary Panda, which extracted, on average, 58 gigabytes from each of their victims. Alternatively, when companies participate in joint ventures, intellectual property can become open to theft.
- Bank account information. Particularly attractive to thieves are online banking accounts, enabling them to transfer funds when a computer virus is introduced into a system used to manage the account. If the proper controls are not in place, hackers will simply set themselves up in the system as a vendor and create payments to themselves—without, of course, rendering any services.
- Payroll, cost accounting and other systems. These systems may include Social Security and other human resources-related information that have a potential dollar value to the hackers.
The price of vulnerability
According to the RSM Manufacturing & Distribution Monitor, 63 percent of manufacturers are only somewhat or not at all confident in their current ability to monitor and safeguard sensitive customer data from unauthorised access. There are real and significant costs associated with such exposure.
While public disclosures of intellectual property theft are rare, the U.S. Department of Justice handed down a formal indictment of five members of the Chinese military for hacking several companies in the steel and solar industries. The indictment, however, included details of how more than 700,000 pages of emails from Westinghouse were stolen to learn the company’s strategies and plans.5 Potential losses from this intrusion are hard to calculate, as any business conducted in China by Westinghouse could have been negotiated with a massive advantage of knowing the company’s intentions.
According an analysis by NetDiligence of 160 data breach insurance claims6:
- The average cost for crisis services (forensics, notification, legal guidance) was $499,710
- The average cost for legal defense was $434,354
Amid all of the efforts taken by companies to enhance IT and data security (and despite the media coverage of many high-profile and expensive breaches), one in 10 manufacturers say they are taking no actions to improve safeguards. With so much at stake—potential financial losses, compromised brand reputations, unauthorised access to operational capital and proprietary information, and possible regulatory violations—taking no action cannot be an option.
1 “The Real Economy, Vol. 4” (April 2015)
2 “2015 Date Breach Investigations Report,” Verizon
3 “Global IT Security Risks 2014—Online Financial Fraud Prevention” Kaspersky Lab
4 China-based hacking of 760 companies shows cyber cold war
5 Schmidt, M. and Sanger, D. “5 in China Army Face U.S. Charges in Cyberattacks,” (5/19/2104), The New York Times
6 NetDiligence® 2015 Cyber Claims Study