Industry experts share key tips on implementing safeguards.

With cyber threats becoming increasingly sophisticated, it is more crucial than ever for businesses to be informed of the risks. In response, SOCMA asked industry thought leaders from the banking, insurance and legal sectors to address the topic during a recent Executive Forum at the University of Houston. Jonathan Hay of Cadence Bank, Steve Stransky of Thompson Hine and Laura Burke of McGriff, Seibels & Williams provided crucial insight and case studies surrounding the importance of cyber security.

How cyber attacks are hitting companies where it hurts most

From email to business software to wire transfers, hackers are attacking businesses in almost every conceivable way. But manufacturing was one of the late comers to purchasing cyber security policies because many companies don’t believe they have a cyber risk, Burke said. There is a lack of understanding of what a cyber policy may actually do for a manufacturer and the risks that may actually face them.

Besides proprietary information associated with business transactions, companies have employees, and there is a cyber risk associated with protecting their information and their privacy, Burke said. There is also potential for business disruption and property damage, depending on the type of attack. For example, a couple of years ago, a group of hackers attacked a German steel mill’s corporate network, causing a furnace to overheat. This led to actual property damage that rendered the mill useless.

Companies are also being hacked via their third-party service providers or office software programs that operate offsite and retain data in the cloud. “The weakest link, if it’s not your system, is your vendor’s system,” Stransky said.

According to one case study, hackers attacked a company’s invoicing system via the cloud by watching how the system operated and developed dummy invoices. The hackers then changed the instructions in Office 365, so when a customer responded to an invoice request, it was rerouted to the hackers’ email. Thus, customers unknowingly paid the hackers via wire transfers. This drove the company to a loss of several million dollars within a matter of days.

In another example, Burke said hackers brought down the entire network of a large bank in the Ukraine within 45 seconds, impacting the supply chain for months. And, one company thought it had paid off a bank in an M&A transaction only to find that hackers had intercepted the payment and the money was still owed.

According to research from BlueVoyant, 92% of U.S. organizations suffered a breach in October 2019 - September 2020 as a result of weakness in their supply chain. No matter how high companies build their walls, they really can’t be 100% defensible, Burke said. If a company shares information with another party, or relies on a third party for data processing and/or information technology services, it is vulnerable.

Hay also noted that from April 2019 - September 2020, he has seen an uptick in clients who have had their email compromised resulting in funds transfer fraud. One customer spun off an entity, registered a new domain, and within two weeks it was compromised. The threat actor was watching their funds transfer email processes and impersonated a funds transfer request.

Protecting confidential business information should be top of mind for specialty chemical manufacturers, and some companies worry that reporting cyber attacks to the government will breach confidentiality. Stransky said that is not the case. For example, the Cyber Security Act of 2015 ensures that companies do not waive any applicable privilege or protection provided by law, including trade secret protection when reporting certain cyber incidents to the federal government. This shows the government is trying to work with the private sector to mitigate the damages caused by cyber attacks, which are occurring every single day, he said.

Defending against cyber attacks 

Building a cyber security culture in your business is critical. Here is a checklist of things to consider: 

• Implement technical controls
• Conduct penetration tests to identify vulnerabilities
• Know your data
• Protect confidential business information 
• Ensure all vendors have cyber controls in place
• Develop public/private partnerships 

Ransomware, human error key factors in data breaches

According to Stransky, 50% of the data breaches that impact his clients are due to ransomware, and the other 50% are due to human error resulting in the unauthorized disclosures of sensitive personal information. For example, Stransky frequently advises his clients on how to respond to situations in which a client’s own employee (erroneously) sends an email outside the organization containing the wrong attachments with sensitive data, such as social security numbers or health and wellness information pertaining to other employees. This inadvertent disclosure of personal information may trigger legal obligations to report the incident to the individuals whose information has been compromised, state or federal regulatory law enforcement authorities, and other third parties. It also increases the risk that the organization may be subject to litigation, government investigation, or reputational damage.

Hay noted that 80% of actual breaches are due to compromised credentials, and less than 20% were due to hacking. Of that 80%, 60% of those were cloud-based email services. Having compromised credentials makes for an easy mechanism to break into networks.

Sage advice on cyber security

So how does a company defend against increasingly sophisticated cyber attacks?

When your company is dealing with vendors, “Don’t just ask your vendor if they have a cyber security policy: ask what it is!” Burke said. “Building a culture around security is critical.”

According to Stransky, cyber security should not be just a post-action response. Technical controls need to be in place today, and companies should also conduct penetration tests to identify where system and network vulnerabilities exist. The better an organization knows the types of data it collects and retains, the better prepared it will be to respond to data incidents.

Stransky also urged companies to “know your data. Understand the types of personal data you collect on your customers, employees, vendors, website users, etc.”

Partnerships between the public and private sector are important to ensure that companies are protected and sharing information transparently, Hay said. “Between all of us, we are all better together than we are isolated,” he said. “I think that is a trend in the cyber security community in the last five years. You see a lot of actual vendors coming together to share information and work more collaboratively now.”

Hay encouraged companies to “do the fundamentals and do them well,” and he said new privacy laws in the U.S. will drive more compliance and security practices.

For more insight on supply chain issues, contact Paul Hirsh at [email protected], or call (571) 348-5102.

Article courtesy of the Society of Chemical Manufacturers & Affiliates.