A shocking share of the businesses targeted by cybercrime each year are small businesses. According to Verizon, nearly half of all recorded data breaches in 2021 impacted small businesses. For the small and medium-sized manufacturers (SMMs) in California, keeping stakeholders safe online requires more than workplace safety training, safety meetings, and password encrypters.
You need to invest in your cyber defenses with proactive cybersecurity measures.
Why SMMs Need Proactive Cybersecurity Measures
In a recent episode of CMTC’s podcast — Shifting Gears — the IT threat landscape facing small businesses in general, of which manufacturing makes up a huge portion, was laid out. Consider that:
- 43% of all cyberattacks target small businesses, specifically
- Small businesses saw a 424% increase in cyberattacks last year
- About 54% of small businesses think they're too small to be attacked
- 47% of SMBs say they don’t know how to protect against cyberattacks
For manufacturing companies in particular, 82% of attacks in 2021 came from external threat actors, according to Verizon. Whether hackers are seeking lucrative trade secrets or fraud opportunities, they often find that SMMs, like other SMBs in every industry, lack the resources of bigger companies.
The only way to prevent these attacks, or mitigate the damage they can do, is to craft and execute a strategy that extends beyond basic cybersecurity compliance and delves into proactivity.
Three areas of cybersecurity SMMs should tackle in their strategy first are multi-factor authentication (MFA), the whitelist (deny-all) approach, and small business architecture.
#1: Utilizing Multi-Factor Authentication (MFA)
Nearly every piece of hardware and software in your staff’s lives is protected by at least one factor of authentication — most likely a password or PIN. However, that’s not enough to ensure security.
A single factor is often insufficient to prevent cybercriminals from guessing, cracking, or hacking their way into a device. Weak passwords are easy for an attacker to guess, either outright or with the help of an algorithm. Worse, even a strong password can be coaxed out through social engineering or stolen directly in other attacks targeting credentials.
Today, it’s paramount to require at least two of the following kinds of factors:
- Knowledge Factor – What you know. These are passwords, PINs, answers to preset security questions (e.g., mother’s maiden name or first car’s make and model), etc.
- Identity Factor – What you are. These are biometric identifiers such as a fingerprint, retina, or other unique characteristics that can be scanned either physically or virtually.
- Possession Factor – What you have. These are cross-checks against a second device or account possessed by the authentication-seeker (e.g., a smartphone or email account).
There are other kinds of factors available, but these three constitute the most commonly used.
Importantly, MFA requires using at least two factors from different categories. Using two knowledge factors — such as a password and a PIN — is not effective MFA. Although requiring a fingerprint and retinal scan is likely to authenticate identity quite accurately, it’s still only one factor.
Two-Factor Authentication and Other Considerations
When implementing multi-factor authentication company-wide, it may be tempting to survey the workforce and determine which factors would be simplest to integrate. Choosing the two easiest ones is typically the logic that follows. However, using just two kinds of factors, in Dual- or Two-Factor Authentication (2FA), is potentially weaker than using three (or more) kinds.
In addition, each type of authenticating factor has stronger and weaker versions thereof.
For example, as noted above, a shorter password is going to be weaker than a longer, more complex one. Implementing minimum lengths (e.g., 12 characters) or complexity requirements (e.g., special characters, spaces, etc.) and requiring regular updates helps strengthen the entire MFA chain.
Sound MFA practice allows for any individual factor to be slightly less secure — they work together to ensure that, collectively, they’re stronger than any one factor would be alone. However, you should still avoid common pitfalls, such as relying heavily on SMS-based MFA. Given the prevalence of phone spoofing, texting is harder to trust than an app-based system.
The bottom line: You should implement at least 2FA and ideally MFA on every piece of software and hardware that will allow it (all personal, professional, and other accounts and devices).
#2: Whitelisting Applications (AKA “Deny-All”)
The next tenet of proactive cybersecurity manufacturers need to consider is robust control over the kinds of apps and programs that operate on systems in their network.
The most basic protection on this front consists of anti-virus and anti-malware measures, along with firewall configurations and content filtering that monitor and restrict incoming and outgoing traffic on your networks.
However, many of these configurations operate on a “blacklist” model, in which content is generally approved by default, but only blocked or otherwise denied if it meets certain criteria. Just like passwords, this is often not enough.
Instead, your manufacturing business might want to consider prioritizing a deny-all, or “whitelist,” model.
The way this works, across any deployment, is to deny all incoming traffic and downloads by default. Unless a program meets particular criteria (e.g., being named explicitly on the allowed list), individuals cannot install or run it on any hardware subject to the policy and its enforcement.
In practice, you can set up a system in which most or all users are limited, by default, to basic productivity-focused programs (such as Microsoft Office and a particular web browser, on which further restrictions have been installed).
Different team members with specific software needs may be allowed to install other programs, like QuickBooks for those in accounting or financial planning and analysis, or Visio for your development team. In any case, allowing only the “essentials” minimizes cyberthreats.
How to Take Filtering Further With a Whitelist
Whitelisting improves upon approve-all firewalls and filtering approaches by exerting maximum control and visibility over programs installed and operating on your systems. One tradeoff is a potential lack of flexibility: it can create bottlenecks in approving software that’s hard to verify as secure.
Regardless of potential and minor inefficiencies, the benefits of whitelisting far outweigh the downsides of a permissive approve-all architecture. There are two main ways to implement this architecture:
- Native Whitelisting, via Windows Active Directory, controls which programs can be installed, how they can be used, and by whom, including deny-all configurations.
- App-Based Whitelisting, via programs such as Carbon Black (formerly Bit9), allows for greater visibility and control over listing, aided by big-data-driven threat analytics.
Aside from these solutions that organizations can install and manage internally, there are also third-party vendors who provide listing services. A cybersecurity consultant or managed security services provider (MSSP) can facilitate or fully manage whitelisting so that internal IT and technical staff can devote their time and energy to R&D.
Whichever method your organization chooses, it should implement some version of deny-all content blocking to ensure that only pre-vetted programs are installed across your devices.
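The native Windows route listed above is implemented with AppLocker. The following is an added example, not CMTC’s own material: a default-deny AppLocker policy for the baseline described in this section (Windows and Microsoft Office for everyone, QuickBooks only for an accounting group, administrators unrestricted, everything else denied). The install paths, the CORP\Accounting group name, and the audit-first rollout are assumptions, not guidance from the post.

```powershell
# Added example, not from CMTC. Requires an elevated PowerShell session.
# Resolve the accounting group to a SID; AppLocker rules are keyed by SID (group name assumed).
$acctSid = ([System.Security.Principal.NTAccount]'CORP\Accounting').Translate([System.Security.Principal.SecurityIdentifier]).Value

# Allowlist: anything not matched by an Allow rule in the Exe collection is denied.
# Starting in AuditOnly logs what *would* be blocked without interrupting anyone's work.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Microsoft Office" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\Microsoft Office\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="QuickBooks (accounting only)" Description="" UserOrGroupSid="$acctSid" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\Intuit\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = "$env:TEMP\applocker-baseline.xml"
$policyXml | Out-File $policyPath -Encoding utf8

# AppLocker only evaluates rules while the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc

# Apply to the local machine; in a domain, import the same XML into a GPO instead.
Set-AppLockerPolicy -XmlPolicy $policyPath

# Dry run: which executables in a user's Downloads folder would the policy refuse?
Get-ChildItem "$env:USERPROFILE\Downloads\*.exe" | Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Filter Denied, DeniedByDefault |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Review audit events (8003 = would have been blocked) before switching EnforcementMode
# to "Enabled". Path rules also trust user-writable subfolders under %WINDIR% (e.g. Temp);
# tighten with publisher (signature) rules or explicit Deny rules before enforcing.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 | Select-Object TimeCreated, Message
```

The audit period is where the approval bottleneck mentioned above becomes visible: every 8003 event is a program someone needs that is not yet vetted, so the list can be completed before enforcement turns denials into helpdesk tickets.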
#3: Implementing Small Business Architecture
Finally, small and medium-sized manufacturers need to consider implementing a cybersecurity architecture that caters to their specific needs and means. In most cases, this requires forgoing a “flat topology” in favor of a more complex, multi-tiered topology.
Too often, businesses try to apply a one-size-fits-all approach to protecting all professional and personal devices within their orbits. In our cybersecurity podcast, Ernie Edmonds likened this to linking a bunch of row-houses together. If one catches fire, all of them could be in danger.
Instead, SMMs should take a proactive approach.
Enter Zero Trust Architecture (ZTA).
Per NIST, the ZTA approach grew out of efforts to protect highly sensitive information housed in governmental and other critical security databases. It operates on the basic principle that an attacker could always be present and is, in fact, always present, so no implicit trust is allowed.
Yes, ZTA assumes the same trust level for all assets, meaning it’s technically a flat topology. But ZTA can be applied selectively across different networks, with some devices subject to it and some not.
In practice, this means eliminating ease-of-access configurations for all systems and devices that are subject to ZTA. For example, browsers, apps, and websites cannot be allowed to save users’ login credentials, as saving such information can allow access sessions to last indefinitely, or grant access to a certain user or user class by default. All of those easy accessibility features open the whole system up to risks.
Why Manufacturers Need Multi-Tiered Topology
Manufacturing companies house many varieties of technology, both for work and personal use. Unless your company enforces a strict Bring Your Own Device (BYOD) security policy, there’s a chance there are many unaccounted-for devices connected or adjacent to your networks at any given moment. These need to be segmented away from sensitive data.
Multi-tiered topology assumes different levels of sensitivity and ensures that devices within defined boundaries (e.g., “green zones”) are only accessible in finite, tightly monitored ways.
Implementing a multi-tiered topology satisfies all of NIST’s critical security functions:
- Identify – Document, inventory, and continuously monitor all assets that come into contact with organizational networks, along with all security risks and requirements.
- Protect – Implement and manage access controls and other restrictions to prevent unauthorized disclosure, changes, or other compromises to security or integrity.
- Detect – Scan for evidence of cybersecurity events, or indicators thereof, to identify threat actors and begin quarantine and remediation processes as soon as possible.
- Respond – React to attacks before or as they happen to minimize and contain their spread, maximizing uptime and overall short- and long-term business continuity.
- Recover – Restore lost functionalities as quickly as possible and rebuild defenses to bolster resilience and minimize the likelihood and impact of future cyberattacks.
To return to the row-house metaphor, implementing a multi-tiered topology separates the houses. Mission-critical data, such as personal information protected by several regulatory compliance standards, is in a safe (green) house. If an unsafe (red) house burns down, that has no effect on the security of the green house and all the sensitive data inside it.
However, a successful multi-tier topology is easier to theorize about and project than it is to implement. Doing so requires clear policy and fair enforcement, along with staff-wide commitment.
How CMTC Helps Bolster SMM Cybersecurity
CMTC understands the cybersecurity challenges California SMMs face. Consumers and business partners need assurance that your organization protects their critical information. Regulatory requirements for companies working with the DoD or other governmental agencies can strain IT and tech resources across all your departments.
We exist to help businesses like yours craft a schema to overcome these challenges.
Can cybersecurity be challenging? Absolutely. However, for SMMs who lack the IT resources of larger manufacturers, it can be much easier, and much more effective with third-party assistance.
Get in touch today to see what our cybersecurity consultants can do for your business.
About the Author
Gregg Profozich is a manufacturing, operations and technology executive who believes that manufacturing is the key creator of wealth in the economy and that a strong manufacturing sector is critical to our nation’s prosperity and security now, and for future generations. Across his 20-plus-year career in manufacturing, operations and technology consulting, Mr. Profozich has helped manufacturing companies, from the Fortune 500 to small independents, significantly improve their productivity and competitiveness.