Engineering Companies are Prime Targets for Cybercrime

Why are there still frequent, expensive and embarrassing cybersecurity incidents?

With all the investments organizations are making to strengthen their defenses and all the media attention devoted to cyberattacks, you’d think everyone has received the message and taken action to eliminate the possibility of more incidents. Unfortunately, plenty of recent headlines involving engineering companies say otherwise.

Consider these five recent incidents as cautionary tales. You may identify similar gaps in the defenses of your engineering company that need attention.

Cyberattack hits sensitive Canadian engineering firm

In March 2023, Black & McDonald, a Toronto-based engineering company, was hit with a ransomware attack by an unreported actor. The attack represented a significant threat to Canada’s national security and critical infrastructure because the company works on military bases and electricity generation plants.

In a ransomware attack, hackers encrypt the files of the organization they have infiltrated. The hackers promise to provide the decryption key for a ransom payment. To avoid detection, the hackers typically ask for payment in cryptocurrency.

A phishing attack precedes almost all ransomware attacks. Phishing attacks involve sending phony emails to as many of a company’s employees as the hackers can identify. These emails encourage employees to click on a link. By clicking, the employee unwittingly installs malware on their computer. The hackers use the malware to access the company’s systems and encrypt all the files in order to extort a ransom.

The most effective way to thwart phishing attacks is through email screening, employee training and continual vigilance.

UK engineering company Vesuvius target of cyberattack

In February 2023, UK engineering company Vesuvius fell victim to a cybersecurity breach involving unauthorized system access. The company’s shares fell by as much as 3.1% in early trading the next day.

Hackers access systems to steal confidential data they can sell on the dark web, and personal data they can use to commit identity theft and steal employees’ money.

Preventing unauthorized system access requires comprehensive cybersecurity defenses.

Ransomware attack on engineering firm Weir cost millions

A sophisticated ransomware attack on Weir, a Glasgow, Scotland-based engineering company, forced it to shut down some core systems, including ERP and engineering applications, in September 2021. The company was forced to delay shipments worth more than £50 million in revenue, and estimated that the incident could cost as much as £5 million.

Hackers like to disrupt company operations for bragging rights. Nation-states cause shutdowns of critical assets to demonstrate their disruptive power over adversaries.

Some organizations focus their cybersecurity defenses on Information Technology (IT) and neglect Operational Technology (OT) cybersecurity. OT refers to the systems that support operations such as manufacturing. Engineering companies with manufacturing operations need to ensure OT cybersecurity receives adequate attention.

HAECO hacked and employees put at risk

In February 2023, RedPacket Security named the Hong Kong Aircraft Engineering Company (HAECO) as the victim of an attack from the notorious ransomware group LockBit. After an investigation, HAECO confirmed the hackers accessed the personal data of some of its current and former employees without authorization.

Hackers steal personal data to commit identity theft and to sell it to nation-states that want to bribe or blackmail employees for confidential engineering data.

When a third party tells your company you are the victim of a data breach, that indicates severe inadequacies in your cybersecurity defenses.

Morgan Advanced Materials struggles after cyberattack

British engineering company Morgan Advanced Materials stated it was managing a cybersecurity incident after detecting unauthorized activity on its network in January 2023. The incident appears to have been a ransomware attack. The company announced that recovery could cost up to £12 million, and operating profit for the fiscal year would be 10 to 15 percent below previous expectations.

The direct cost of recovering from a cybersecurity incident can be sizable. Operating adequate cybersecurity defenses often feels expensive, but is cheaper than a recovery.

What is causing management inaction about cybersecurity?

Incidents like these keep happening at engineering companies and other organizations because it’s difficult for management to know how high their cybersecurity risk is and how far it needs to be managed down. There’s no silver bullet for eliminating the threat. Management often falsely believes that:

  • The IS department is managing the risk.
  • Its engineering organization is too small or not attractive to potential attackers.
  • Media articles about cybersecurity incidents exaggerate the consequences.

Also, management is continuously under conflicting pressures, including:

  • Shareholder pressure for higher returns.
  • Competitors claiming to offer lower prices.
  • Customers not wanting to pay higher prices.
  • Employee pressure for higher pay.
  • IS leadership claiming that the cybersecurity sky is still falling after record spending on defenses.
  • Suppliers wanting or needing to raise prices.
  • Management’s desire to preserve its bonuses by keeping costs down.

In this demanding engineering business environment, management is reluctant to spend money on cybersecurity defenses that appear to offer little return. In too many cases, this inaction has produced disaster.

What are the consequences of management inaction about cybersecurity?

Engineering leadership can articulate these avoidable consequences of inadequate cybersecurity defenses:

  • A headline about your cybersecurity lapses creating reputational damage among customers and suppliers, leading to loss of business.
  • The cost and business disruption of cleaning up after a cybersecurity incident.
  • Loss of revenue due to operational disruption.
  • The likelihood of an investigation and a fine from a regulatory agency.
  • Market share losses when theft of intellectual property creates competitors.
  • Tarnish to your carefully cultivated, stellar executive reputation.

Even though the cost of cybersecurity prevention often feels high or even outrageous, it’s significantly cheaper than the cost of addressing the consequences of a cybersecurity incident.

What should management do about cybersecurity risk?

Engineering leadership can start by recommending a cybersecurity risk assessment. This work creates facts that trump opinions, hunches, gut feelings and denial.

The findings of a cybersecurity risk assessment will tell you:

  • What defenses are working well. That fact builds confidence that some cybersecurity defenses are working.
  • What defenses need strengthening. Those findings form the basis for an action plan to reinforce specific cybersecurity defenses.
  • What potential defenses don’t exist. These items form the agenda for discussing additional cybersecurity defenses to implement. No organization needs to address all the items on the list to lower cybersecurity risk.

The findings move the cybersecurity discussion from generalities about risk and cost to multiple specific, granular actions where management can concretely assess the value and cost.

Acting on the findings of a competently conducted cybersecurity risk assessment can significantly enhance your organization’s cybersecurity defenses. Don’t let your company be the next victim that serves as a cautionary tale.
