As cybercriminals continue to move beyond just attacking high-profile organizations, precasters must take the steps necessary to protect themselves and their customers.
By Bridget McCrea
There was a time when cybercriminals set their sights squarely on bringing down highly visible organizations like Yahoo!, Target, Marriott and Equifax. In each of these breaches, cybercriminals were targeting one main prize: customers’ personal data.
Fast-forward to 2020, and it’s clear cybercriminals aren’t just interested in large organizations anymore. In fact, Cybint Solutions said 43% of cyberattacks target small companies. In total, 64% of all companies have experienced web-based attacks, 62% experienced phishing and social engineering attacks, 59% were hit with malicious code and botnets, and 51% were impacted by denial of service attacks.1
Making cybersecurity top of mind
Cybersecurity and data protection may not be the most obvious challenges for a precast concrete manufacturer, but the reality is these companies are just as vulnerable to cyberattacks. They’re transacting business with customers, for example, which means safeguarding the actual payment processes while maintaining customer data should be of utmost concern.
Because industrial manufacturing companies aren’t exactly seen as a “technology hotbed,” they could present a major opportunity for a cybercriminal.
“When most of us think of a data breach, we think of large corporations like Equifax, but the reality is that most data breaches occur at small-to-mid-sized operations,” said Shannon Walcott, a senior sales executive at debit and credit card processing provider BASYS Processing in Lenexa, Kan. “For the most part, that’s because organizations are less equipped to defend themselves from cyberthreats.”
Taking steps to keep payment data safe really does need to be a priority to protect your reputation, but it can also protect your bottom line. For example, Walcott said 60% of small businesses victimized by a cyberattack go out of business within six months.
“This is definitely an issue that is impacting the financial well-being and even the livelihood of organizations nationwide,” Walcott added.
In many cases, a fundamental misunderstanding of what actually leads to a data breach creates an environment whereby attackers gain access to critical information.
“Ninety-three percent of data breaches are completely avoidable,” Walcott pointed out. “A lot of people picture some hacker that has a personal vendetta against their company sitting behind his computer. That might happen occasionally, but most data breaches are far less complicated, with more than half of them caused by internal employee error.”
Consider the Equifax breach, for example. Because a single employee in the firm’s technology department neglected to install a recommended software update, the personal information (i.e., social security numbers, birth dates, addresses, drivers’ license numbers) of 143 million consumers was exposed. In addition, 209,000 consumers had their credit card data exposed as a result of the breach.2
“The best thing you can really do for the security of your company is arm your entire staff with the knowledge and training they need to securely handle sensitive information,” Walcott said. “The biggest challenge with this is compliance – everyone in your organization, from the CEO to the receptionist, needs to be onboard and complying with your security policies.”
Catching up quickly
For precasters, getting up to speed on customer data protection means ensuring all operating systems, software and any third-party applications are up to date and running on the latest software versions (which include patches and security enhancements meant to ward off the latest threats). Employee training is equally important.
“Overexposed data presents a major risk to organizations regardless of size, industry or location,” Varonis Data Lab pointed out in its 2019 Data Risk Report.3 “Organizations that are not accountable for their data will need to catch up – and quickly.”
Government regulations are also shining a brighter spotlight on how companies manage their customers’ data. Enacted in 2018, the California Consumer Privacy Act (CCPA) governs consumer rights relating to the access to, deletion of and sharing of personal information collected by businesses.
“There are now fines involved if a company doesn’t inform its customers that data was compromised or lost,” Aaron Turner, president and chief security officer at cybersecurity software developer HighSide, Inc., warned. “The fines are hefty enough to put a smaller organization out of business.”
It’s bigger than you
When developing cybersecurity and data protection plans, many companies focus on their own four walls. This tunnel-vision approach can lead the businesses to incorrectly assume that hackers wouldn’t take the time to bother with their organizations.
“If you’re just running a precast plant and making stuff for a large construction project, why would anyone bother, right?” said Turner. “The reality is that someone might see that company as an easy mark.”
From there, the hacker would use the precaster’s infrastructure to attack an upstream portion of the supply chain (e.g., a larger conglomerate or government entity that the manufacturer is working with). Turner said the precaster that keeps these potential threats in mind can go a long way in protecting customer data and information.
“The key is to view cybersecurity from more of a global perspective and understand that someone would use a smaller company to attack the greater ecosystem versus just coming after the precaster directly,” Turner said.
First things first
There are some steps that manufacturers can take now to secure their customer data, shield their financial information and ward off cyberattacks. Colin Ma, founder of the Orange County Tech Alliance in Mission Viejo, Calif., said one of the first steps is to make sure your website is using Hypertext Transfer Protocol Secure (HTTPS), the de facto web security protocol for companies that want an enhanced security layer for sensitive data and transactions (i.e., user logins, billing details and credit card transactions).
By adding a layer of security to data in transit through a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connection, HTTPS, which is now required by Google, enables encrypted communication and a secure connection between a remote user and the primary web server.4
“If one of your customers is sitting in Starbucks, using a public Wi-Fi connection and accessing your non-HTTPS site, it’s easy for someone with a packet sniffer or analyzer to intercept that data and capture the payment information,” Ma explained, adding that HTTPS also helps to create a more secure data environment overall. “This is one of the biggest things that manufacturers can do right now to improve their cybersecurity approaches.”
Protecting customer data
When it comes to protecting customer data, Walcott said the first step is to realize not everyone in your company needs access to all of the data.
“Restricting access to a need-to-know basis prevents a lot of risk,” she advised.
Along the same lines, not every company needs every piece of information on the organizations and individuals that it’s working with.
“Many companies collect data that they just don’t need,” Walcott said. “Financial institutions need a social security number and that’s fine, but precast concrete companies don’t need to be collecting that information. It’s a waste of resources, and you’re compromising the security of that data.”
For data that is essential to your business operations, encryption and password-protection are both vital.
“If you have a credit card number on file, it can be used to process a payment, but the end user will not have access to the full card number,” Walcott said. “From their end, it would just be the first few digits and the last four digits. That protects your company from exploitation by your own employees (rare, but it does happen) and from malicious outside sources.”
Next, understand there are a number of convenient and affordable solutions to help you process cards safely. Point-to-point encryption, data truncation and tokenization are all common security measures that your processor should be able to implement for you, Walcott explained.
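What truncation and tokenization mean in practice, as an added illustration that is not code from the article or from any card processor: the `TokenVault` class and the function names are hypothetical, the six-and-four masking default is an assumption, and the card number used with it should be a test value. Truncation produces a display form that cannot be reversed; tokenization swaps the card number for a random stand-in that only the processor's vault can map back.

```python
import secrets

def normalize(pan: str) -> str:
    """Strip the spaces and dashes people type into card numbers."""
    return pan.replace(" ", "").replace("-", "")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: catches mistyped numbers before they are stored."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Irreversible display form: leading and trailing digits only."""
    digits = normalize(pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid card number")
    return digits[:first] + "*" * (len(digits) - first - last) + digits[-last:]

class TokenVault:
    """Hypothetical in-memory stand-in for the processor's token vault."""
    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = normalize(pan)
        if not luhn_valid(digits):
            raise ValueError("not a valid card number")
        if digits not in self._token_by_pan:
            token = "tok_" + secrets.token_hex(16)   # random, not derived from the card
            self._token_by_pan[digits] = token
            self._pan_by_token[token] = digits
        return self._token_by_pan[digits]

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back to the card number."""
        return self._pan_by_token[token]

def merchant_record(vault: TokenVault, pan: str) -> dict[str, str]:
    """What the merchant's own system keeps: a token and a masked number."""
    return {"token": vault.tokenize(pan), "display": truncate_pan(pan)}
```

A breach of the merchant's records then exposes only tokens and masked numbers, neither of which can be used to charge a card elsewhere.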
Finally, Walcott said precasters should pay attention to the Payment Card Industry Data Security Standard (aka, “PCI compliance”), which helps companies process credit and debit cards safely. If you don’t know whether the payments you’re processing are compliant, ask your credit card processor.
Everyone is vulnerable
Most hackers are opportunists who are looking for an easy target. For example, they’ll seek out companies with existing vulnerabilities in their networks.
Precasters need to install software updates as soon as they become available, store information in compliance with PCI data security standards and use strong password protection with two-factor authentication.
In return, precasters can rest easier knowing their customer data and their own internal systems are as safe as they possibly can be in our digital age. They’ll also gain the trust of their customers who want to know that they’re doing business with organizations that take issues like cybersecurity and data protection seriously.
“Many industries have felt like they are immune and don’t think the bad guys aren’t coming after them,” said Turner. “Unfortunately, those days are done. We’re starting to see the age where everyone is vulnerable.”
Bridget McCrea is a freelance writer who covers manufacturing, industry and technology. She is a winner of the Florida Magazine Association’s Gold Award for best trade-technical feature statewide.