In a rare, televised interview on 60 Minutes, Federal Reserve Chairman Jerome Powell said that his two big concerns about the U.S. economy are a resurgence of COVID-19 and, to most viewers’ surprise, cyberattacks. Although his primary focus was cyberattacks against financial institutions, cyberattack concerns can cause significant anxiety for all organizations.
Manufacturers must be made aware of this. A harmful cyberattack, or possibly worse, a ransomware attack, can have severe ramifications on their business operations.
But why are cyberattacks such a pressing issue now?
Possibly, Powell answered this best when he said, “The world evolves; risks change. I would say that the risk that we keep our eyes on the most now is cyber risk.”
Let us explore his statement a little further. Yes, the world evolves. Things are changing. But the catalyst for much of the increased cyber risk has been the pandemic.
Those individuals involved in all forms of harm — from building break-ins to cyberattacks — have had a golden opportunity to fine-tune their skills during the pandemic. New types of phishing (emails that look like they come from reputable sources), malware, ransomware, and password attacks have surfaced that did not exist before the pandemic.
In one recent case, hackers were able to break into a Florida water treatment plant. The hackers tried to trigger the system to release large amounts of sodium hydroxide, used in small amounts to treat water. Had the attack succeeded, this could have caused thousands of people to become ill and possibly scores of deaths, long before officials knew what was happening.
So how, as business owners, can we keep such incidents from materializing?
The unfortunate answer is that we can’t. However, the more optimistic answer, and the one manufacturers should be aware of, is that we can minimize these risks — cyberattacks, break-ins, thefts, and other damaging acts — considerably.
Conducting a Risk Assessment
The best way for manufacturers to minimize the chances of a cyberattack or any other type of harmful intrusion is by conducting a risk assessment. Many manufacturers conduct these internally and do so regularly. They may establish an in-house risk assessment team to help identify and minimize potential risks on an ongoing basis. However, a periodic review from a third party is recommended. A fresh set of eyes often can detect vulnerabilities that are overlooked by in-house teams.
These "fresh eyes" are frequently more attuned to how the world has changed, as Chairman Powell mentioned, and the dangers and organizational weaknesses that may be present now, which were not evident just a short time ago.
Let us start our discussion on risk assessments with two important definitions:
Risk: The possibility of an event occurring that will have a negative impact on an organization, its people, its physical and intellectual property and data, its finances, and potentially, its customers.
Risk assessment: A program that identifies and assesses security defects and vulnerabilities in a property, suggests steps to address these issues, and in some cases, implements key security systems and controls to help protect the property.
(See Sidebar: What is the difference between a risk assessment and a business continuity plan?)
A properly conducted risk assessment typically involves the following stages:
Crime demographics. Different localities experience different types of crime. Analyzing the neighborhood and crime demographics where the facility is located can reveal the most common risks in the area.
Appearance. A well-kept facility tends to be overlooked by unsavory characters. Poorly maintained sites are often considered a more advantageous target.
Site. Very often, drones are brought in to look for facility weak points. This is especially true if the plant is located in a remote setting. These eyes in the sky can identify vulnerabilities that are difficult to assess or that a facility is altogether unaware of. For instance, drones have been able to locate areas where someone might be able to access operational areas not open to the public.
Cybersecurity. One of the reasons cyberattacks have become such a big concern in recent months is remote working. Many systems were designed to protect online infrastructure, assuming people were accessing data in the office, not in their homes. With the quick shift to remote working, many organizations were caught off guard or were unaware of this vulnerability.
Risky habits. A July 2021 survey in the United Kingdom and the United States found that 56 percent of IT technicians believe company employees have picked up bad cybersecurity habits due to working at home. Most employers agree. 1
The worry here is that these bad habits may apply to all types of risks, such as not having an effective perimeter protection system installed; poor or nonoperating lighting or CCTV systems; depending on old or outdated emergency response plans; not having an executive security program in place; and more.
Without these, it becomes easier for attackers to exploit a manufacturing facility.
Policies Addressing Today’s Security Issues
Many manufacturers have few if any emergency policies in place to address a daylight break-in, a hostage situation, a cyberattack, or a shooting or other act of terrorism. While most administrators have general emergency policies for when police, fire personnel, or an ambulance is needed, shootings and other acts of terrorism are emergencies many have never even considered.
Supply chain. Manufacturers’ supply chains are highly complex and can be exposed to a variety of risks. These risks are further complicated because the entire process of delivering parts and components from one manufacturer to another is often dependent on several third-party service providers throughout the supply chain. Once again, a risk assessment can help identify and minimize vulnerabilities. It can also help manufacturers become more resilient. Should a disrupting incident occur, it can help the organization get back on its feet and fully operating as quickly as possible.
Nature. Due to climate change, many manufacturers worldwide are experiencing floods, tornados, and other acts of nature they never encountered before. What should they do if such an event occurs? Should workers be asked to stay in the plant? Should they leave the property? Should electronics and building mechanicals be turned off?
And the big question manufacturers and all types of organizations have is: how quickly can they resume operations should an incident occur?
A risk assessment can not only help manufacturers answer these questions but also address the other vulnerabilities discussed here. Manufacturers should also note a risk assessment is not a one-time procedure. According to a report by Deloitte, an international financial management firm, "Surviving and thriving requires keen recognition and response to change. A manufacturer's risk assessment should incorporate agility and flexibility, so the company can recognize and respond to risks that were not evident a year or two earlier."
The entire process also helps manufacturers be more proactive. Capable and astute manufacturers can no longer just react to emergencies. They must take steps and have programs and policies in place to reduce the chances of emergencies happening or to prevent them from happening in the first place.
Johnathan Tal is CEO of TAL Global. Based in Silicon Valley, TAL Global is a leading risk management, security consulting, and investigative agency serving airports and other clients all over the world. Tal can be reached through his company website at www.talglobal.com.
1 "Why remote working leaves us vulnerable to cyber-attacks," by Bernd Debusmann Jr, The BBC, July 27, 2021.