Manufacturers pay a steep price for data vulnerability
INSIGHT ARTICLE
When it comes to information technology security, no company or industry is immune to unauthorized access to its data. High-profile data breaches have influenced U.S. companies to update their security protocols, according to an RSM survey.1
Yet when it comes to their own companies, many manufacturers feel it unlikely that their data will be a target of any breach attempts. They believe that their companies are too small or that their data is too insignificant or even useless outside the context of their business. Hackers have no interest in their data, so the thinking goes, because it is not easily monetized in the way that Social Security numbers or credit card numbers are.
The statistics of cybersecurity say otherwise; a recent report by Verizon puts manufacturing at the top of the list when it comes to industries being targeted by cyber espionage.2 Incidents of this type made up about one-fifth of the breaches reported by manufacturers in the study, with proprietary trade secrets and intellectual property, credentials and systems data among the information disclosed to unauthorized parties.
Understandably, because of the cybersecurity initiatives put forth by the Securities and Exchange Commission, manufacturing companies and their boards primarily fear losing client or customer information, since these fall under legal protection and data disclosure laws. According to a study by Kaspersky Lab,3 these data types are of primary concern to companies, followed by concerns regarding intellectual property. They are much less concerned with losing personnel information or corporate bank account access. Yet, in today’s business and technology environment, all information has value. Bank account information and access credentials, for example, are particularly attractive to thieves, enabling them to transfer funds when a computer virus is introduced into a system used to manage the account. According to the Symantec Internet Security Threat report, more than 3 million identities were exposed through breaches at manufacturing companies, putting the industry among the top ten sectors breached in 2015.
Targets and their risks
The steady rise in the value of data over the past 10 years has made hacking an increasingly popular and profitable enterprise. It’s the data, not the size of a target, that holds the value for the hacker. While manufacturers usually do not have the volumes of consumer data that can be found in financial or health care companies, manufacturing was second only to government as a target of cyberespionage in 2016, according to the Verizon study.
Manufacturers large and small may be vulnerable to breaches by criminals in a number of ways, and there are several areas at risk:
- Intellectual property. Dollar losses due to intellectual property theft total in the hundreds of billions per year. Most of this is attributed to China-based groups, which account for 70 percent of IP theft overall, according to some estimates.4 Alternatively, when companies participate in joint ventures, intellectual property can become open to theft.
- Bank account information. Particularly attractive to thieves are online banking accounts, enabling them to transfer funds when a computer virus is introduced into a system used to manage the account. If the proper controls are not in place, hackers will simply set themselves up in the system as a vendor and create payments to themselves—without, of course, rendering any services.
- Payroll, cost accounting and other systems. These systems may include Social Security and other human resources-related information that has a potential dollar value to the hackers.
The price of vulnerability
According to the 2016 Manufacturing Monitor, 22 percent of manufacturers have had an unauthorized user access their company’s data or systems—and 11 percent don’t know whether they have or not. There are real and significant costs associated with such exposure.
While public disclosures of intellectual property theft are rare, the U.S. Department of Justice handed down a formal indictment of five members of the Chinese military for hacking several companies in the steel and solar industries. The indictment, however, included details of how more than 700,000 pages of emails from Westinghouse were stolen to learn the company’s strategies and plans.5 Potential losses from this intrusion are hard to calculate, as any business conducted in China by Westinghouse could have been negotiated with a massive advantage of knowing the company’s intentions.
According to an analysis by NetDiligence of 183 data breach insurance claims between 2013 and 2015:6
- The average cost for crisis services (forensics, notification, legal guidance) was $357k
- The average cost for legal defense was $130k
Amid all of the efforts taken by companies to enhance IT and data security (and despite the media coverage of many high-profile and expensive breaches), one in 10 manufacturers say they are taking no actions to improve safeguards. With so much at stake—potential financial losses, compromised brand reputations, unauthorized access to operational capital and proprietary information, and possible regulatory violations—taking no action cannot be an option.
1 “The Real Economy, Vol. 4” (April 2015)
2 “2016 Data Breach Investigations Report,” Verizon
3 “Global IT Security Risks 2014—Online Financial Fraud Prevention” Kaspersky Lab
4 “The IP Commission Report” (May 2013) The National Bureau of Asian Research
5 Schmidt, M. and Sanger, D. “5 in China Army Face U.S. Charges in Cyberattacks,” (5/19/2014), The New York Times
6 NetDiligence® 2016 Cyber Claims Study