Not long ago, the concept of cybersecurity might have been associated with science fiction movies. Today, cybercrime is a real and rapidly evolving threat.
Recent data breaches at retailers such as Target and health care organizations such as Anthem have received extensive media coverage. Many manufacturers or distributors may feel less likely to be targeted by cyberattacks because they don’t keep large databases of credit card or Social Security numbers.
But a 2014 study by the National Defense Industrial Association indicated manufacturing companies are targets, too. Factory floor systems often are weak links in safeguarding technical information, and small manufacturers rarely are equipped to manage the risks.
The good news: Preparedness and education go a long way in reducing the likelihood of a successful cyberattack.
A manufacturer’s data that could be targeted by cyberattacks include: credit/debit card information; employee data and Social Security numbers; usernames and passwords; and intellectual property.
While many cyberattacks are Internet-based intrusions into secured systems, significant losses have resulted from much simpler attacks. Some of the most effective are built on the concept of social engineering and compromise internal controls using only email or dummy websites.
The losses resulting from social engineering attacks and business email compromises exceed $740 million from over 7,000 U.S. companies since late 2013, when the FBI’s Internet Crime Complaint Center began tracking the scams.
Email can be used to deliver cyberattacks in a number of ways. Attachments containing viruses or other malware can deploy when the user clicks on the attached files. Email accounts can be hijacked.
Most sinister of all: Targeted, preplanned fraud or theft attempts use social engineering to trick employees into transferring funds or providing critical business data to thieves.
For example, consider a wholesaler purchasing goods manufactured overseas. Shortly after receiving a legitimate invoice by email, the accounting department receives a second, “corrected” version from an imposter, containing the same information as the first invoice but with different payment instructions. The wholesaler’s accounting personnel are fooled and wire a $400,000 payment to the imposter’s account in a foreign country. The imposter’s email contains numerous grammatical mistakes and other errors, and the message actually comes from a Yahoo account – not a company account at the manufacturer – but it is persuasive enough to work.
Here are nine steps to protect businesses:
1. Increase training and awareness.
2. Ensure verification processes are being followed, i.e., call the customer or vendor to verify changes in account information or wire transfer instructions.
3. Double check email addresses.
4. Look out for different email providers or domains.
5. Do not open email messages or attachments from unknown individuals – especially zip files or embedded links.
6. Know your customers’ habits, including reasons behind payments and their amounts.
7. Maintain a paper file of vendor contact information for those authorized to approve payment instruction changes.
8. Limit the number of employees with authority to conduct wire transfers.
9. Consider an insurance policy that covers losses from cyberattacks.
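Steps 3 and 4 can be partly automated for emailed invoices like the "corrected" one in the wholesaler example. The Python check below is an added example, not part of the original article; the vendor name, the domains, the provider list, the keyword list and the two sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed vendor master file: vendor name -> mail domain on record (constructed).
VENDOR_DOMAINS = {"Acme Overseas Manufacturing": "acme-mfg.example"}
# Assumed short list of consumer mail providers; extend for your environment.
FREE_MAIL = {"yahoo.com", "gmail.com", "outlook.com", "hotmail.com"}
PAYMENT_TERMS = ("wire", "bank account", "payment instructions", "corrected invoice")
# Constructed sample messages: the real invoice and the imposter's follow-up.
LEGIT = """From: Accounts Receivable <ar@acme-mfg.example>
Subject: Invoice 1001

Invoice attached. Terms net 30.
"""
SPOOF = """From: Acme Overseas Manufacturing <acme.billing@yahoo.com>
Subject: Corrected invoice 1001

Please use the new wire details below.
"""


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def review_invoice_email(raw, vendor):
    """Return the reasons a message needs call-back verification before payment."""
    msg = message_from_string(raw)
    expected = VENDOR_DOMAINS[vendor]
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"])
    body = "" if msg.is_multipart() else msg.get_payload()
    text = ((msg["Subject"] or "") + " " + body).lower()
    reasons = []
    if sender != expected:
        reasons.append(f"sender domain {sender!r} is not the domain on file {expected!r}")
    if sender in FREE_MAIL:
        reasons.append(f"sender uses consumer mail provider {sender!r}")
    if reply_to and reply_to != expected:
        reasons.append(f"Reply-To domain {reply_to!r} differs from the domain on file")
    if reasons and any(term in text for term in PAYMENT_TERMS):
        reasons.append("suspicious sender combined with payment-related wording")
    return reasons

if __name__ == "__main__":
    for reason in review_invoice_email(SPOOF, "Acme Overseas Manufacturing"):
        print("HOLD:", reason)
```

A matching sender domain does not prove the message is genuine, since account hijacking leaves the domain intact, so the call-back verification in step 2 still applies to any change in payment instructions.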
Gary Schafer is a partner with BKD LLP in the manufacturing and distribution group. He can be reached at gschafer@bkd.com.