Even though midmarket industrial firms have valuable IP and business processes, they are lagging behind other industries when it comes to data security, according to a recent report by assurance, tax and consulting firm McGladrey.
"A lot of the executives we asked about security risks don't believe their data is at risk or is at very little risk," says Karen Kurek, leader of McGladrey's industrial products practice and a member of the National Association of Manufacturing (NAM) Board of Directors. "Two-thirds of them said it was at little or no risk. I think in general, in this sector, a lot of people don't understand the potential exposure that they have."
"But we know that middle market companies very much are targeted," she adds. "Part of [the reason for their belief] is because ignorance is not bliss. There's this false sense of security. They don't know what they don't know until something happens to them."
In its 2013 Manufacturing & Distribution Monitor report, McGladrey surveyed 1,067 industry executives across the U.S. and found that 68 percent of them feel their data is at little or no risk. However, that is actually an improvement from 2012, when 77 percent of industry executives felt their data was at little or no risk.
Executives at Large Businesses More Concerned by Risk
Executives at large businesses are actually more likely to be concerned with the risk. McGladrey found that 44 percent of executives at large businesses are concerned about risks to their data as compared with 31 percent of executives at midsized businesses and 32 percent of executives at smaller businesses.
"It seems as if executives at these large businesses understand something that executives at smaller businesses do not," the report notes. "This may reflect an assumption by smaller business executives that their data holds no interest for those seeking unauthorized access. This is a commonly held belief, but it is insufficient as a risk management strategy."
Manufacturing Sector Is No. 1 Target for Corporate Espionage
"The perception by a majority of executives that their data is at little or no risk, however, runs counter to the rising threats to information security," the report adds.
"Account takeovers and fraud are widespread: During 2010 alone, Symantec documented 286 million unique threats, a 400-percent increase from just the year before," the report continues. "According to a report conducted by Verizon in 2013, there was a 275 percent increase in breaches in the manufacturing industry alone over the prior year. Notably, if the breach data was filtered for incidents of corporate espionage (cases where the data lost was the result of a disgruntled or exiting employee), manufacturing was the No. 1 victim of these types of incidents."
Part of the reason for industrial executives' cavalier attitude toward the risk to their data may lie in the fact that these executives often don't believe their organizations have sensitive data, Kurek says. But she notes that every organization, no matter how big or small, has critical data: patents, technology, personnel records, corporate credit cards, health benefits, intellectual property and so forth—and there are plenty of customers for this stolen data, including rogue states, competitors and organized crime.
"Financially motivated attackers will take any data they can find," says Corbin Del Carlo, regional leader of Security and Privacy Services at McGladrey. "One company's Internet footprint looks the same as another to anyone interested in finding something of value, whether it's credit information, personnel information, intellectual property such as engineering drawings or processes, technology or other industrial assets. Size does not matter; information does."
Consequences of Data Breach May Take Time to Surface
Kurek notes that in one of the focus groups McGladrey held for the survey, a mid-market B2B manufacturer confided that its systems had been compromised just two weeks before the focus group.
"This company does a lot of sophisticated engineering for machine parts," she says. "They have a lot of patents and intellectual property."
While the company doesn't have much in the way of consumer data, the compromised databases did have "very sensitive information" such as technology patents, Kurek says, and the business doesn't know what effect the illicit access will have on its business going forward.
"They might not know the impact of that until they see something six months down the road when someone has replicated something that they've patented," she says. "That's really a wake-up call. People need to pay more attention to their data security."
McGladrey says that attackers have been successful at accessing information in all organizations, regardless of size. And the reason is typically weak or stolen access credentials.
"Attackers target the lowest hanging fruit to get access to data quickly and easily," the report says. "Companies need to take proactive steps to minimize their security risks and, as a result, mitigate any potential financial losses and compromised reputations."
Efficacy of Risk Management Depends on Definition of Risk
McGladrey did find that a majority of those surveyed (65 percent) have an IT risk management process in place, and 74 percent of businesses regularly monitor their systems to find threats and attacks that may have occurred. But the efficacy of those programs may come down to how your organization defines risk.
"Some define risk (or the lack thereof) as 'things are running,'" the report notes. "One executive felt that 'as long as the intranet is up, we're fine.'"
The reality is that most businesses today are distributed among several locations. That reality, combined with ever-increasing use of mobile devices, means information is often exchanged outside of firewalls, which increases the risk. Legacy technology can also increase risks.
"Another executive admitted that while they have a reasonable firewall, their business is run on technology from the 1980s: 'No one really understands how the current system works,'" the report says.