© Wipfli LLP
Manufacturing and Cybersecurity: Emerging Risks and Leading Strategies
Bob Cedergren, Partner
Agenda
• Cybersecurity threat landscape
• Business risks
• Top hacker “attack” techniques
• 10 tips to protect your company
• Compliance requirements for DoD contractors
• Tools and resources
• Q&A
Wipfli Firm Foundation
• Founded in 1930 in Wausau, Wisconsin, by Clarence J. Wipfli
• 87-year history of client service
• More than 1,900 associates
• 47 U.S. offices – CA, ID, IL, MN, MT, PA, VA, WA, WI – and two offices in India
• Over 60,000 clients
• Wipfli is ranked in the top 20 among America’s 100 largest public accounting firms
Our Mission: “To contribute to the success of our associates and clients.”
Wipfli Cybersecurity Practice
Comprehensive Governance, Risk, Compliance, and Testing
Notable Data Breaches
But What About Manufacturers???
Since 2016, 310 breaches made public affecting 6.5 billion records
Examples:
• ABM Industries (New York, NY) – Hacked 11/17
• Kimberly-Clark (Neenah, WI) – Hacked 11/17
• Pratt Industries (Conyers, GA) – Hacked 5/17
• Northrop Grumman (San Diego, CA) – Hacked 4/17
• And there are more…
Organizations of all types are affected and can be the victims of cyber threats.
Business Has Changed
• Big data
• Mobile apps
• Compliance
• BYOD
• Outsourcing
Cyber Risk Trends
Big business – More highly skilled hackers (cyber gangs/organized crime) who are financially motivated
Cyber crime is currently outpacing traditional crime in the United Kingdom in terms of impact, spurred on by the rapid pace of technology and criminal cyber capability, according to the UK’s National Crime Agency
• The bad guys are getting better
– Tool kits
– Crimeware as a service
Cyber Risk Trends
New platforms create new cyber attack opportunities: the Internet of Things (IoT)
• Cars
• Smart home devices (e.g., security systems)
• Medical devices (e.g., scanners, insulin pumps, implantable defibrillators)
• Embedded devices (e.g., webcams, Internet phones, routers)
What is Your Gold?
What do you have that someone else may want?
• Supplier list
• Bank account information
• Trade secrets
• Employee listing
• Intellectual property
• Prospect list
• New product release
• M&A information
• New technology
Knowing this is key to implementing a cyber program!
Cybersecurity Business Risks
Damage to Critical Business Relationships: Unauthorized access to client data could be devastating to relationships.
Risk to Operations & Revenue: Operational stability could be impacted by a cyberattack.
Impact of Breach on Growth Strategy: A breach that includes the IP roadmap or M&A plans would be expensive, time consuming and may derail growth plans.
Brand & Reputational Risk: The current security posture could be embarrassing to executives and may damage the brand.
Compliance & Regulation: Non-compliance with client and prospect cybersecurity requirements would impact the ability to compete.
Email Scams – Phishing Targets
In the last five years, there has been a steady increase in attacks targeting businesses with fewer than 250 employees.
Cyber Risk Trends – Business Email Compromise (BEC) Scams
• Attacker targets a senior executive (e.g., CEO, CFO)
• Attacker gains access to the victim’s email account or uses a “look-alike” domain to send a message tricking an employee into performing a wire transfer
• Wire transfers are typically $100,000 or higher
• Businesses should adopt two-step or two-factor authentication for email
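The “look-alike domain” trick above is the part of a BEC scam that a mail gateway or a finance-team triage script can check for mechanically. The following is an added example, not code from the Wipfli deck: it folds common character swaps (rn for m, 1 for l, 0 for o), measures edit distance against the organization’s real domain, and flags payment-themed mail from any sender that merely resembles the company. The organization domain, the folding table and the sample messages are all constructed for the illustration.

```python
"""Look-alike sender-domain check for wire-transfer requests.

Added illustration, not code from the Wipfli deck.  ORG_DOMAIN, the FOLD
table and SAMPLE_MESSAGES are constructed for this example.
"""
from email.utils import parseaddr

ORG_DOMAIN = "example-mfg.com"  # constructed: the domain an impostor would imitate

# Character swaps that let one domain visually pass for another.  Folding
# them before comparison turns "examp1e" and "exarnple" into "example".
FOLD = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

# Subject words that suggest the message is asking for money to move.
WIRE_WORDS = ("wire", "transfer", "payment", "invoice", "urgent")


def fold(domain: str) -> str:
    """Lower-case a domain and collapse the look-alike swaps in FOLD."""
    d = domain.lower()
    for fake, real in FOLD:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, org_domain: str = ORG_DOMAIN, max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From: header value."""
    _, addr = parseaddr(address)              # handles 'Display Name <user@host>'
    if "@" not in addr:
        return "external"                     # unparsable sender: treat as untrusted
    domain = addr.rsplit("@", 1)[1].lower()
    if domain == org_domain or domain.endswith("." + org_domain):
        return "internal"                     # the real domain or one of its subdomains
    if fold(domain) == fold(org_domain):
        return "lookalike"                    # differs only by a homoglyph swap
    if edit_distance(fold(domain), fold(org_domain)) <= max_distance:
        return "lookalike"                    # typo-squat: a few letters off
    if org_domain in domain:
        return "lookalike"                    # real domain embedded in a foreign one
    return "external"


def flag_wire_requests(messages, org_domain: str = ORG_DOMAIN):
    """Return (sender, verdict, subject) for mail that needs out-of-band
    verification before funds move: any look-alike sender, or an external
    sender whose subject talks about payments."""
    flagged = []
    for sender, subject in messages:
        verdict = classify_sender(sender, org_domain)
        money = any(word in subject.lower() for word in WIRE_WORDS)
        if verdict == "lookalike" or (verdict == "external" and money):
            flagged.append((sender, verdict, subject))
    return flagged


# Constructed sample inbound mail: (From: header, Subject:).
SAMPLE_MESSAGES = [
    ("CFO <cfo@example-mfg.com>", "Q3 forecast"),
    ("CEO <ceo@examp1e-mfg.com>", "Urgent wire transfer - confidential"),
    ("CEO <ceo@exarnple-mfg.com>", "Need this payment out today"),
    ("accounts@example-mfg.co", "Updated invoice"),
    ("CEO <ceo@example-mfg.com.evil.net>", "Re: acquisition"),
    ("sales@partner-supply.net", "Invoice 4471 attached"),
    ("newsletter@trade-journal.org", "March issue"),
]

if __name__ == "__main__":
    for sender, verdict, subject in flag_wire_requests(SAMPLE_MESSAGES):
        print(f"{verdict:9} {sender!r:45} {subject}")
```

With the constructed sample, the internal CFO message and the trade-journal newsletter pass, while the four look-alike senders and the external supplier invoice are flagged for a phone-call check. The distance threshold is deliberately loose; a short real domain would want a lower `max_distance` to avoid flagging legitimate partners.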
Cyber Risk Trends – Ransomware Example
• Employee opens email
• Personal files (and data on shared drives) encrypted
• Ransom demand to provide key to decrypt
• Ransom demand increases after 72 hours pass
• Pay in Bitcoin or USD?
Over 4,000 ransomware attacks have occurred daily since January 1, 2016 (300% increase over 2015). Source: FBI
What About Bitcoin?
Cryptocurrency commonly used to pay ransomware demands
• Must be purchased on an exchange
• Fees about 200 – 300 Bitcoin
• This was OK in the past when the price of one Bitcoin was relatively small
• Closed yesterday (2/28) at $10,747.70 for one Bitcoin
• One year ago, it was $1,260.92
• Need to have Bitcoin already purchased to meet the ransomware timeframe
• Does anyone have a Bitcoin account to use for this purpose?
Recommendations for Individuals
• Go to www.equifaxsecurity2017.com and select “Potential Impact” to see whether your data was involved
• Enroll in TrustedID Premier
• Check your credit reports; you can do this by visiting www.annualcreditreport.com or through TrustedID Premier
• Place a fraud alert on your records
• Consider placing a credit freeze
• Consider buying additional fraud protection
• Monitor your bank and credit card accounts closely
Equifax Impact on Businesses
• Additional risk for opening accounts and extending credit; additional verification will be required
• Job candidates – stolen identities may be used on job applications, background checks, I-9 verification, etc.
• More data protection and breach notification laws and regulations
• Higher scrutiny of security controls by clients and prospects
Rising Costs
• The total average cost of a data breach was $3.62 million ($141 per record), down 10% from the previous year. The size of data breaches increased 1.8% to more than 24,000 records. Source: Ponemon 2017 Cost of Data Breach
• Cyber crime will cost businesses over $6 trillion by 2021. Source: Cybersecurity Ventures
• 32% of companies said they were the victims of cyber crime in 2016. Source: PWC Economic Crime Survey 2016
• Average time attackers stay hidden on a network is over 140 days. Source: Microsoft
Protect yourself!
• NEVER share your passwords
• Know who you are talking to and authenticate
• Be careful what you share on Facebook and other social media
• Install a firewall
• Anti-virus / anti-malware
• Patch and update
• Use encryption
• Secure websites – https://
• Don’t click on links (or send them to others)
• Never download software or programs from unknown sites
• Wireless security
• Secure home / organization network
• NEVER use a public network with sensitive information
• Use strong passwords (at least 9 characters, alphanumeric and special characters), e.g. Br0wnEleph@ntRun
Protect your organization!
Tip 1: Know what you are protecting
• Customer database
• Personally identifiable information (PII)
– Account information
– Credit card
– Driver’s license
• Intellectual property
• Business plans
• Employee records
• Financial information
Tip 2: Practice Good Security Hygiene
• Complex passwords
• Firewall, anti-virus, anti-malware
– Kaspersky Labs – DHS banned (Sept. 2017)
• Backup data
• Patch and update
• Limit administrator rights
Tip 3: Perform Security Assessment or Penetration Test
If your password is your name, you deserve to be hacked.
If your password is 123456, you deserve to be hacked.
Tip 4: Train Your Employees
“You have to learn the rules of the game, and then you have to play better than everyone else.”
– Albert Einstein
Tip 5: Develop and Test Response and Continuity Plans
Tip 6: Encrypt Whenever Possible
Tip 7: Manage Mobile Devices
Tip 8: Use Multi-Factor Authentication
Tip 9: Prepare to Respond to Client Requests and Compliance Mandates
• Security policies
• SOC 2 reports
• Due diligence package
Tip 10: Review Cybersecurity Insurance
DFARS Cybersecurity Requirements
All Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017 or risk losing their DoD contracts.
DoD contractors and suppliers (including small manufacturers) must adhere to two basic requirements:
1) Provide adequate security to safeguard covered defense information that resides in or transits through their internal unclassified information systems from unauthorized access and disclosure; and
2) Report cyber incidents and cooperate with DoD to respond to these security incidents, including providing access to affected media and submitting malicious software.
What is Adequate Security?
Full compliance required by December 31, 2017
Implementation Process
1) Understand Controlled Unclassified Information (CUI).
2) Conduct the NIST MEP Cybersecurity Self-Assessment (see NIST Handbook 162).
3) Create a Plan of Actions & Milestones (POA&M) to implement corrections.
4) Build cybersecurity into internal processes, including continuous monitoring and assessment.
5) Develop and implement a process to identify and report cyber incidents to the DoD.
Cybersecurity Essentials for Manufacturers
• Cybersecurity assessment
• Perimeter vulnerability assessment
• Internal vulnerability scan
• Email phishing/spoof (social engineering)
• Employee training and awareness
• 24/7 incident response and handling
• Security policy templates
• Monthly Internet perimeter scanning
Cybersecurity Scorecard
• Rapid assessment
• Result is a Cyber Risk Scorecard
• Provides a baseline
• Leads to discussions on developing a cyber program
• Identifies high-risk areas
Tools and Resources
• NIST 800-171: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf
• Manufacturing Extension Partnership Cybersecurity Resources: https://www.nist.gov/mep/dfars-cybersecurity-requirements
• 30 Tips in 30 Days: https://www.wipfli.com/form-30-tips-signup
• Wipfli Cybersecurity: www.wipfli.com/cybersecurity
– Weekly alerts
– Monthly e-newsletters / blogs
• Ransomware: Avoiding a Hostage Situation: https://www.wipfli.com/insights/articles/cons-ransomware-avoiding-a-hostage-situation
Questions
Confidential – For Company Internal Use Only
www.wipfli.com