Article by Michael McKinnon, Chief Information Officer, Pure Security
Today’s factories are complex, data-driven environments. Whether that data is used to manage a process or monitor the performance of an industrial robot or machine, protecting information, plans and schematics is crucial. The impact of cyber-attacks on manufacturing environments can be significant and multi-layered.
When food maker Mondelez was hit with a cyber-attack, the cost to the business was reported to be around $100M. As well as halting manufacturing, it put a significant business acquisition on hold.
Manufacturers can be subject to many different types of attacks. For example, email fraud, or business email compromise, is used by criminals to steal money by fooling people into paying fake invoices. Phishing scams are used to install malware or steal usernames and passwords, and denial of service attacks can flood networks and stop critical equipment from working correctly.
Although technology can significantly assist businesses in thwarting many attacks, a well-trained workforce that understands the risks and can identify threats can help the business defeat cybercriminals. That takes a well-crafted and targeted security awareness program.
Here are five top tips to run security awareness training that actually changes staff behaviour and turns your team into a critical defence mechanism.
1 – Make it personal
Instead of the typical generic training most businesses use, make it personal. Teach people how to secure their social media accounts with strong passwords and two-factor authentication. Explain network security and teach them how to secure their home Wi-Fi. This will help them see the importance of security in the workplace. By making it personal, you can instill the need for behaviour change.
2 – Tailor your training
Manufacturers face risks that are different to other businesses. Consider the specific risks your organisation faces and deliver training that addresses those. Although there may be common elements across your business, such as making sure the entire team knows about phishing and ransomware, training on email fraud may only need to be targeted at finance staff.
3 – Use more carrots than sticks
Most people respond to rewards rather than the threat of punishment. Make it easy for your people to report potential threats without fearing negative consequences. Manufacturers have massively improved their occupational safety records by making it acceptable to report potential hazards. The same should be done with cybersecurity. Rather than punishing someone who is fooled by a phishing attack, celebrate the people who report potential threats.
4 – Use relevant metrics
Cyber-attacks, even small ones that only impact a single computer, cost businesses money in lost productivity, repairs and further training. When measuring the success of a security awareness program, look at the savings in remediation costs and improvements in uptime. Those are metrics that matter to the business and will garner support and positive feedback from management.
5 – Be supportive
There will be some people who, for many reasons, might be more susceptible to being duped by threat actors. Instead of treating them as ‘repeat offenders’, look at the support and control you can offer them. For example, are they opening phishing emails because they are overworked or stressed? Are there sufficient controls around critical data they can access? Instead of looking for ways to ‘punish’ them, find ways to support them.
The goal of security awareness training is to encourage behaviour that reduces the risks for manufacturers. By making that training relevant and rewarding positive behaviour you will help people make better decisions and encourage them to ask questions when faced with a potential threat.