Article written by:
Doug Davidson, CISA
Director of Information Technology Services


In December 2018, the Manufacturing Leadership Council released a cybersecurity-focused report “Cyber Risk: The 4.0 Dilemma.” In this report, it was predicted that cybersecurity attacks would rise and become potentially more disruptive in 2019 as companies deploy smart technology, interconnected systems, and sensors across their production facilities.

Currently, a little over halfway through the year, GBQ’s IT Services team is seeing these risks come to light as firms are increasingly fending off attacks. Industries such as health care, retail, and financial sectors handle personally identifiable information which is usually regulated at the state and federal levels (and now with GDPR, at the international level).

Manufacturing and distribution companies do have some exposure from personally identifiable information, particularly employees and health care plan information. But that exposure is not large enough to put information security and privacy compliance on the management radar.

And that isn’t where the real risk to a manufacturing or distribution entity exists. The overemphasis on personal information creates a false sense of security for those firms who haven’t fully evaluated their risks.

GBQ IT Services have conducted risk and security assessments, or have responded to business disruption for a number of manufacturing and distribution firms. Exposed office and production systems create risk so that a hacker can disrupt operations through the placement of ransomware. In our M&D assessments so far in 2019, our typical finding is that both office systems and production systems are susceptible to this type of attack. We have responded to two firms who suffered multi-week outages in production systems that were exposed to hacking activity. In the cases where firms were successfully attacked, business continuity plans were not in place to provide a playbook for quick recovery, which prolonged and compounded the outages.

  • Have you assessed your firm’s IT and production systems security in 2019?
  • Have you assessed your firm’s disaster recovery, continuity and incident response plans from both the perspective of IT and production systems?
  • Have you assessed your P&C insurance coverage to ensure proper cyber liability and crime coverage?


Business email compromise and cyber fraud

Business email compromise, a form of cyber fraud, occurs when a hacker gets into a business email system, intercepts emailed banking information and redirects the transaction. This type of activity is a threat to every organization.

  • Have you discussed secure forms of payment with your bank?
  • Have you assessed the security of your email systems?
  • Have you assessed your P&C insurance coverage to ensure proper cyber liability and crime coverage?


Third-party risk

With access to your system, third parties – suppliers, contractors, system integrators – present real risk. If they operate insecurely these third parties present an avenue of attack into your firm. Even those third parties without access to your system present a business disruption risk. If they operate insecurely, their production disruption may become your supply problem.

  • Have you assessed the security of your remote access systems?
  • Have you assessed the security of your key vendors and supply chain members?
  • Have you assessed your P&C insurance coverage to ensure proper coverage against third party risks?


Where to look for help

GBQ IT Services is one team of builders, breakers, operators, and auditors with access to a consortium of 50 experienced IT, cyber and assurance professionals delivering IT risk, cybersecurity, and productivity solutions.

We build value through IT strategy; protect value with information risk and cybersecurity services; measure value and improve productivity with data analytics and process automation; and assure value through IT audit services.

If you need help answering these questions, contact Doug Davidson or Rob Pyles.



« Back