Melissa Cromack - Good morning and thank you for joining us today for our webinar. I am Melissa Cromack, VP of Member Relations at Associated Industries of Massachusetts. I’d like to thank iCorps Technologies, our sponsor, for helping us make this event happen today. We’ll be discussing an important issue that affects all companies, which is cyber security. This is a top issue especially for manufactures, which are a quarter of AIM's membership.
A few house keeping items I want to go over before we get started is that we are doing a live Q & A during the webinar, so if you have questions please type them into the question pane. If we don’t get to them during this event, then we will get back to you with answers after. We’re joined by Jeff Lauria, VP of Technology at iCorps Technology, Sarah Haig Baker, COO & Co-founder of Silverside Detectors Inc., and David Sun who is our moderator today and is the Principal at Cliffton, Larson, Allen, LLP. Let’s dive right in. I'll hand it over to David.
David Sun - Thank you. Let me do a quick introduction. I’m the Principal at Cliffton, Larson, Allen, LLP. CLA is a national accounting and taxing advising firm with about 7,500 people and about 120 offices across the country. Within that large firm, we have over 100 people in our cyber security practice. I’m the principal of that practice and am the national practice leader for data breach for forensics. Now to you Sarah.
Sarah Haig Baker - Good morning. Silverside Detectors is the complete other side of the spectrum. We are about 10 people and we manage neutron detectors that are used by the Department of Defense and Department of Security to prevent nuclear terrorism. We are a small company with big standards. My role today is to represent that, and our audience.
Jeff Lauria - I’m Jeff Lauria the VP of Technology here at iCorps. iCorps is a national managed service provider with about 70 engineers across the country. We focus on bridging the gap between cybersecurity and manufacturing. As an outsourced IT provider, we ensure that the environment is secure. The area I focus on is IT compliance and governance. We ensure your systems are secure and meet the compliance requirements. We help Sarah and her folks as well as David and his folks. Back to you Dave.
David Sun - Thank you. So cybersecurity is a big issue. Here are some statistics as we wrap up 2021. IBM did a very good study where they surveyed various organizations that had a data breach. These are the scary statistics. The average cost of a data breach in the United States is $9M. Globally, the average cost is $5.3M, if the company had more than 25,000 employees. The global average cost of a breach for organizations with less than 500 employees is almost $3M. The point being is that small organizations take a large hit.
A few other interesting points are that if a remote workforce was a factor in causing a breach, which some were as the world moved home during COVID-19, there was a $1M increase to their data breach. The last data point that is very interesting: of these losses, 38% is due to lost business. For example, clients feel like you didn’t protect their data enough and then take their business elsewhere. More importantly, this also includes potential customers who never called you because they heard about a data problem. These numbers are real. For most organizations, it may not be comprehendible that numbers can get so high, but it’s true.
Here are some other global scary statistics. The global average from the time that a threat actor enters your environment from the time the organization recognizes that there’s a problem took 207 days. Then took another 73 days for them to get the threat actors out of their system. That’s 280 days from the time it's compromised and resolved. The question becomes, what are they doing in your environment during that time? In that time they can do a lot of damage. They are learning everything about your business. Going through your data and seeing who your vendors and clients are. They are learning it and then are making a copy of it. Once they’ve done everything they can do – extracted all of the value – they’ll disable the backups and maybe create some back doors. Then they are going to do the ransomware piece.
We all hear about ransomware in the news, but when I talk to clients and when we talk about ransomware, I find that clients have been given a false description of what ransomware is by the media. The media portrays ransomware as that your data has been compromised and you have to pay the ransom, and then you’ll get right back up and running. Most executives think that ransomware is a business interruption problem. However, they need to realize that ransomware has evolved. The hackers have realized that businesses are getting better at backups, so they are not paying the cybercriminals. So, the criminals are upping their game. They are saying that if you don’t pay the ransom, they’re going to publish all of the data and clients data. Then you’re going to have a lot of issues as a result. So it’s important for people to understand is that resuming the business is the first step in a journey that is quite long and involves all ongoing business ramifications. Now I’m going to hand this over to Jeff.
Jeff Lauria - Thanks, David. And before I take it away I have a few questions that we should address. The first being - what does the $2.9M represent? It’s the overall ramifications of the attack right? So 39% is lost business, which is probably $1.75M, $750k in ransomware, lawyers, IT restoration, and will probably end up buying new hardware.
David Sun - When you have a data breach, a lot of it is covered by cyber insurance. However, as we can see here, most businesses cap their cyber insurance policy at $1 million because they don’t think about the cost of lost business or anything beyond that. I'd advise you to look at your policy, and make sure you have ample coverage.
Jeff Lauria - Also, one final question before I take it away, is holding data hostage the new trend for ransomware? Yes, that’s been the trend for about three years now. Not everyone does this, but a lot of attacks do. Sometimes, the cyber criminals won’t even tell you that they’re exposing your data. Organizations focus on how to keep people out, but a lot of people are not monitoring what’s going on in their network.
As I move into my presentation, I want to talk about the industrial revolution. The 4th industrial imagination age involved automation, IoT, cloud computing, cognitive computing, and AI. Going to start with an example. We had a manufacturing company here in Boston that got hit with ransomware. They had to send all of their employees home, were shut down for three days, and had to rebuild their systems. The ransomware affected the ability to place and ship orders. Similarly, with the industrial revolution, it didn’t affect the pipeline itself, but it affected the ability to build, measure, etc. When these systems get shut down, it may not be the systems used to manufacture, but it’s the systems used to build.
When we start talking about the 4th industrial revolution we talk about automation. Additionally, we talk about cyber-physical systems, which could be my car driving around tethered to a back-end system. IoT are things that we do all of the time such as the cameras that are sitting on the manufacturing floor that’s accessible through a webpage. Cloud computing includes things that we do every day. Cognitive computing is helping us make decisions. Artificial Intelligence includes automating processes. We spend a lot of time educating our employees about cyber security and phishing, but one of the things we need to do as an industry is to educate them on data and how to protect data. An example of this could be an online ordering system. Amazon went down this week and the first thing they said was that it wasn’t a cyberattack. However, it was right before their biggest season so it’s interesting that this happened. If you have a public system, talk to your vendor and see what they can do in an attack.
As we move to the next screen, we can see that automation is all about trust. Your server talking to another server automatically. When the trust is broken, it’ll get exploited. Bad actors can get in the middle of this, and they can exploit their data. Valuable information includes your customers' names and phone numbers. Don’t just rely on third-party vendors. Ask third-party IT vendors about automation. Zero-trust is a term that signifies to not trust anyone, and only trust who you need to trust. Next is cyber-physical systems which include exploiting for profit, smart cars, smart cities, supply chains, etc. Even though you may not use them today, they’re subject to being taken over. Generally, this is because of fault in employees. Cloud computing includes everyday threats, hostage takeovers, etc.
This is where human factor comes into play. We spend a lot of time protecting the people protecting the data, but we need to start protecting the software protecting our data. There have been data breaches because they misconfigure storage containers. My focus today is the system aspect of it, so auditing those systems and making sure they’re configured properly is best. The biggest thing is that other companies go out and get fish tanks, TVs, etc. and they can cause breaches. When we talk about cognitive computing, it's about protecting the code. It’s very important to look at all of your moving parts in your organization.
Make sure you renew your keys every year. Limit access. Patching your systems is very important. By the time a patch goes out everyone knows about the exploit. IoT devices, put them behind a firewall and limit connectivity. One of the things with IoT devices is that there is no human access. People deploy MFA out of convenience. We are seeing more and more exploits while you’re busy. A good multifactor system having matching something on the screen. David do you agree?
David Sun - Yes. First of all putting it in is important, but then using it correctly and using it well is the best. People are doing things such as texting them or phone calls, while better than nothing, if you have the ability to use a phone app tied in, it’s the best version.
Sarah Haig Baker - Do you train on the bids you’re submitting?
David Sun - Yes on the contacts that come through a lot of the regulations are depending on who it comes from. The human factor is always a part of every check box. People are always at the center of it.
Jeff Lauria - The next screen talks about the 5 fundamentals of security. NIST is the National Institute of Security and Technology. This sets the standards on how we should do stuff around technology and security. The good part here is that most standards is the same. The good part is that for the most part they are the same thing packages in a different way. If you don’t have a framework to follow- framework is guidance and areas you should focus on- pick one and follow that guidance. With that said, every organization needs something to identify a threat. You also need tools to protect your data, assuming people are breaking into your data, firewalls are good. Next is detect and respond. Having a response plan is something that should be written up ahead of time. Response plans are all about how to recover, PR litigation etc. If you don’t have a cyber response plan, go to your cyber insurance provider and see if they have a template you can use. The ability to recover is important. Having backups is important. David, how often are you seeing organizations practicing this?
David Sun - 0. In my experience, less than 5% of organizations practice a DR plan or a response plan. Often times they make it and don’t update it for years and don’t have current updated tests. I see this a little more often since I come in after the fire happens. Some organizations are recognizing it and recognizing that they want to run tests. It’s good now that some organizations are recognizing where they need to go, which is testing and being ready for an incident.
Jeff Lauria - you bring up a good point. One of the things we do at iCorps is that we are about the before whereas David will take you through the process.
Sarah Haig Baker - It’s not a one-and-done thing. It's an ongoing investment and ongoing maintenance.
Jeff Lauria - Yes that’s a good point too. Cybersecurity and infosec are ongoing. You can hire a company that tests your plan, they could get back to you Monday morning and say that everything is fine and then you could get exploited Monday afternoon. So cybersecurity hygiene is an investment and need to build a budget around it. It needs to be there and you will get attacked sooner.
David Sun - I would suggest that 15-20% of their IT budget should go to cyber security. I would also argue that it should be part of their security budget, since it’s a security issue. One of the things I see is that there is a human tendency to not want to do this. You need to look at this as a security issue and have it be accountable for not only in IT operations but also in COO directly.
Sarah Haig Baker - That’s a great point, you’ll never have manufacturing control and staff. The same thing applies for segregation of duties and tools.
Jeff Lauria - There are a bunch of compliance frameworks. The good part is that you should find a framework that is achievable by your organization. Start small and have something measurable. From there, you can map out and move up. Most of these requirements are fundamental. MFA is a practice that is acceptable in all kinds of frameworks. Moving to the next frame, I'll show additional frameworks. Some of these may apply to you. Ultimately everyone needs to. Now turning it over to Sarah.
Sarah Haig Baker - So one of the primary things I’ve found is that we have a lot of should's and not a lot of do’s in our lives. The takeaway from me is to figure out how to get to the first floor to the second floor and to keep climbing up to get better. I’m reminded every time I go to the grocery store that I should get a flu shot. However this morning I took my daughter to the doctor and they gave her a flu shot and I said hey here’s my arm too. So the proximity of me being close to the needle got me a flu shot. For my company, the start the journey for a better cybersecurity came with ways to need to comply with regulations that came down with our customer. This slide's example is selling to the federal government, but it may look like something different for you. This is challenging as agencies have different standards and the standards can change. It won’t be a large change, but there will always be something added to it.
Third, if there’s a requirement passed on by a customer it can be difficult to triage priorities. Lastly, it’s not a one and don’t process. There’s auditing, maintenance, and training etc. Next, we do have opportunities. The first being that you can be competitive. Impetus for training. Humans are one of the weakest links in this industry. We all have passwords that are waiting to be hacked. Lastly, we all know that we should be doing this anyway. Jumping to the next slide in terms of the lessons learned is that it’s really easy to drop. You get the contract, find standards, do a first assessment, and after that’s done it's hard to remember to come back and review checklist. Giving someone ownership is helpful and showing that institutional memory isn’t lost. That person will also be a meeting scheduler so they can review the audit and get customers back in house. Next, is that investments are carried forward. Making sure every contract has the requirements and are prepared for the next opportunity. To this question about how these requirements trickle down to an ERP is that an ERP is something that people have access to and how the ERP is connected to systems and issues of access will all be governed. None of these standards say that there are good or bad services to use. They’ll tell you about elements of a healthy system and explain what to look for in a system. Let me kick that question back to Jeff and David to build off of what I was just saying.
Jeff Lauria - So I’ll add that most of outsourced ERP systems typically have a section on compliance and how they fit into the model. One of the things you need to be aware of is that they’ll give you a platform, but you still need to manage it. Passing it over to David.
David Sun - I think you both hit the nail on the head with those points. So we’re getting to the end of our time, if there are any other questions out there I encourage you to send them in here. In wrapping up, we talk about all of the shoulds and the question is motivation to get the to do’s done. Going back to the same study I was talking about before, look at all of the companies that had a data breach. They put them into two buckets. The first included companies that had compliance failures and the second was had a low level of compliance failures. Averaging the cost of the data breach and they found that companies who had lower levels of compliance errors on average their breaches cost them $2.3M less. So the people who invested and spend money in cybersecurity, it cost them less. The motivation here is that it saves you money. We can break it down to specific things. Incident response testing is at the top of the list. Organizations that did incident response testing on average cost them $295,000 less than those who didn’t. Employee training on average is $236,000 less.
Jeff Lauria - I’m going to leave you with this. Here are companies who would rather pay the PCI and do that as cost operations and not have to deal with it. Up until they get breaches, their customer walks away and business get closed. Testing and security is key.
David Sun - So with that, we are at the end of out time.
Melissa Cromack - Thank you all for joining. We’ll email you answers to your questions if we didn’t get to it. Some things I want to go over to email firstname.lastname@example.org with any other questions. Lastly, we have a bridging talent gap talk on December 16th. We appreciate you taking the time to join us. We want to thank iCorps for sponsoring us. Thanks again and have a great rest of your day.