
Episode 49: Cybersecurity Tips for Manufacturers

Bryan Powrozek
Oct 23, 2024

In this episode of The Sound of Automation podcast, we sit down with Tom Wojcinski, partner at Wipfli, and Jim Peterson, principal solutions advisor at ConnectWise, to discuss the importance of cybersecurity for manufacturers. Listen to the episode to learn about the increase in cyberthreats due to remote work environments and the expansion of digital ecosystems, as well as best practices for improving cybersecurity in manufacturing environments.

Transcript:

Jim Peterson 00:00

So many times we have data that we control that we put our arms around it in our work stations and servers but then we have the Microsoft 365, we have our financial ERP applications in the cloud. Data is everywhere so we got to be able to handle that in a really strategic way.

Podcast Intro Narrator 00:20

Welcome to the Sound of Automation, brought to you by Wipfli, a top 20 advisory and accounting firm. 

Bryan Powrozek 00:36

Hello and welcome to The Sound of Automation. I'm Bryan Powrozek, the host, and joining me today I have a colleague of mine and another expert coming in to talk on cybersecurity for manufacturers. Given October is cybersecurity awareness month, we thought this would be a good topic and a very impactful topic for manufacturers out there. So before we get into the subject, I'll introduce the guests who are joining me. First, we have Jim Peterson. Jim, you want to give a little bit of your background? 

Jim Peterson 01:09

Yeah, for sure. Jim Peterson, Principal Solution Advisor at ConnectWise. I've been in the industry 25 years, like a lot of us on this call, focused mostly on efficiency and cybersecurity in the SMB space. 

Bryan Powrozek 01:22

And also, I have Tom Wojcinski joining us from Wipfli. Tom, want to give us a little bit of your background? 

Tom Wojcinski 01:29

Yeah, sure thing, Bryan, it's good to talk to you again. I'm a partner in our cybersecurity and technology management practice here at Wipfli. So in my role, I get to spend all of my time thinking about how do we make our clients more cyber-resilient. That really means three things. We've got to be secure and resistant to attack in the first place. Secondly, we've got to focus on maximizing the availability of applications and data so our users have access to what they need, when they need it, wherever they may be. And the third part is we've got to plan for bad things to happen. Make sure we can get back online gracefully within the timely expectations of the organizations. 

Bryan Powrozek 02:04

Excellent, thanks. Well, thanks, Tom and Jim, for joining me. And as I mentioned at the outset, October is cybersecurity awareness month. Although, depending on when you listen to this, it might not be October anymore, but it's still a great topic to focus on. And just in preparing for this podcast, I was looking up, you know, some statistics here. And I guess, depending on the source and statistics, as we all know, you can get them to pretty much say anything. But across the board, you know, there is an acknowledged fact that a cyber attack, a successful cyber attack, is going to have an impact on a small to mid-sized business. You know, I saw ranges anywhere from $25,000 up to a couple hundred thousand dollars. If it gets into a data breach, I mean, that can get up into the millions. So I'm not gonna hold anybody to any specific numbers there, but it can have a serious financial impact for small to mid-sized manufacturers. And another statistic that I came across was that approximately 43% of all cyber attacks were targeting small businesses. So it's definitely an area where bad actors who are trying to have a successful attack, they're coming after small to mid-sized companies, and manufacturers are no different than the rest of those. So, you know, I guess, handing it over to the both of you then to kind of talk about it. I guess the first area we wanted to really touch on was just kind of the surface area that business owners have to try and manage now, right? There's so many more access points with, you know, remote work, expansion of digital ecosystems, all these things are coming into play. So I guess, Jim, if you want to just lead us off there and give us your thoughts. 

Jim Peterson 03:58

Yeah. You know, the environment is more complex every day. We're running into this challenge of new things being plugged into the network, systems being shifted from on-premise to the cloud, even in a manufacturing environment. And then obviously the workforce being more and more distributed every day. All three of these, and there's more, I'm sure Tom will add on to this, all these three, right, are adding a complexity that makes it more difficult to protect from the activity than ever before. So we've had to be more vigilant, had to do more on the planning side, and then really working to align with some standards to help set goals for manufacturers to understand how to protect themselves in today's world. So yeah, it's definitely challenging. Tom, I'm sure you have something to add on to that. 

Tom Wojcinski 04:46

Oh, yeah, I think it is increasingly challenging. But Bryan, I want to go back to one of the stats you shared with the 43% of cyber attacks targeting small, mid-sized businesses. Yeah, I talk to business owners fairly regularly, and they've got a general mentality. I'm painting with a broad brush here. Oh, a cyber attack can't happen to me. Nobody wants my data. I'm just bending metal. I'm not doing anything interesting that somebody is going to want to steal my data. But the tax has changed with ransomware. It's not about whether somebody wants your data. Cyber criminals are betting you want your data, and if they can deprive your access to your data, they're going to go after it and see if they can get you to pay in order to get your data back and keep running your business. So it's good to hear stats that put that into perspective, because I think there's a fallacy that I'm a small business. I'm uninteresting from a cybersecurity standpoint. I'm not a target, but in the security profession, we know that's not true. So thanks for sharing that. A couple points just to add on to what Jim was saying as it relates to expansion of the digital ecosystem. And the network has left the building. It's gone beyond just our physical perimeter now. There's a couple of big risks with that. Rogue IT, where anyone in the company with a credit card can go and subscribe to a new software service and start sharing data and uploading it to a website or an app that hasn't been vetted from a security standpoint, and it might not conform to the security policy of the organization. The other aspect is even with approved cloud sites and using different SaaS providers, that's just increasing the amount of digital identities that employees need to keep track of and manage. And if you're not using federation or single sign-on, that just means people are gonna start using passwords and likely make them easy to remember, which just means they're easy to attack as well. 
So just seeing the proliferation of cloud services just makes the attack surface that much bigger and that much harder to control for an organization. 

Bryan Powrozek 07:10

Yeah, you know, and to kind of add on to that, to even bolster that argument some more, the next part of that statistic was while they account for 43% of the attacks, they account for over half of the successful attacks. So not only are they targeted, they're disproportionately succeeding on those jobs. So that, you know, even further enforces the fact that not only do they want your data, but they're getting in more often than not. So something you mentioned there, and I think is, you know, depending on the nature of the company, you know, I have some more engineering-focused companies who now, as you mentioned, kind of the workforce is distributed across the country. You know, a traditional manufacturer, they haven't quite figured out how to let people manufacture parts at their house yet. So they're still coming into the office and building there. But the technologies that manufacturers are trying to keep up with, right? You've got new automation systems and technologies being added to equipment. You've got AI that, you know, I have some clients who, you know, employees are trying to figure out how to use ChatGPT or Copilot to do their work more effectively. And now to your point, Tom, you've just exposed a bunch of data to, you know, an outside source. So, you know, I guess, what are both of your thoughts, and maybe Tom, you can start off on this one and then Jim can add in. But with some of these technological advances, like the industrial, you know, internet of things and some of those changes that manufacturers are already trying and working their hardest to keep up with all the changes that are going on there. There's this added cybersecurity piece that they have to try and factor in after they've maybe selected a new piece of equipment to put out on the plant floor. 

Tom Wojcinski 09:01

So two topics I'll tackle there, Bryan, you had IoT and AI, and they're both really relevant from a cybersecurity standpoint. Anytime I hear IoT, I put my security practitioner hat back on, and that is just code for tiny computer connected to the internet. And organizations are responsible for all the security aspects of IoT devices once they start plugging into their network. And they often leave unnecessary services enabled, don't change the default passwords on these devices. And all of these things will have security vulnerabilities that are discovered over time, so they still need to be patched. Just because it doesn't have a keyboard that you're plugging into or typing on your laptop, they still have all the security implications that an organization still needs to take care of. So IoT, I'm not gonna lie, there's awesome technology there. There's great reasons to start using more and more automation and it's really cool stuff, but if you're not thinking about the security implications of not patching, not changing default passwords, there's some big risks that you could be taking on there. On the AI piece, I can't live without Copilot. I use it daily. It's changed the way I work and it's provided tons of value and efficiency for me. But you've gotta be cognizant of the security implications of using generative AI in the workplace. I've talked to organizations and people are bragging about all the stuff that they plugged into ChatGPT when it first came out and then it's like, oh, I got my company policies. I wrote all my policy manuals in ChatGPT. That's great, that's good. Look at the spreadsheet I've been working on. Look at all this stuff that ChatGPT helps me optimize my understanding of sales and different things that now we're starting to get into this pretty important stuff about the business. I'm like, do you consider that information confidential? Oh yeah, this is the heart of my company. Why did you just share it with the internet then? 
And people didn't understand the implications of ChatGPT not having enterprise data protection in place and you're training the model that's gonna be retained. It can be regurgitated to some other user based on their queries and interactions. So you gotta really think through those scenarios. Like I said, I use Copilot every day. Microsoft's done a nice job with the security of Copilot for Microsoft 365. It keeps your data in your tenant so it doesn't leave and so it's protected, but you still have to understand the permissions of the user and make sure that the data that Copilot will have access to is really what you want that user to have access to. I've seen a lot of organizations that have excessive file sharing permissions, but the user doesn't know it. They don't know how to get to that information. And so they relied on security by obscurity. Copilot doesn't care. If the user and Copilot have access to it, you can interact with that data. So now you can use natural language prompts and start searching for last year's bonus file to see how much Jim got in bonus last year when I know I work way harder than Jim. So there's some pretty simple data protection strategies that companies need to be thinking about before they start using AI. 

Bryan Powrozek 12:38

Well, Jim, I don't know that Tom works harder than you, but we'll leave that for another episode. But I guess what have you seen in practice, Jim, kind of out in the market? How are manufacturers dealing with, as Tom talked about, now you've got these two cutting edge things, and I can say this as a reformed engineer, I mean, every engineer wants to play with the latest and greatest toy and try the newest thing. And so this is getting out onto the plant floor. How do you embrace technology without, you know, just ignoring all the blind spots that it can create? 

Jim Peterson 13:16

Yeah, it's tough, you know, because no matter which industry you're in, it could be a service-based industry or manufacturing-based industry, we're all trying to increase our capacity and decrease the time on a specific task, you know, those results are trying to speed everything up. And we don't think of the cost. I mean, Tom brought up a couple of really important things, and Bryan, you did too, right? If we have some sort of ransomware event, right, we have this operational disruption that we have to deal with. When bad actors get in and take data, we have this intellectual property or trade secrets or whatever level of data we want to protect. But we don't think about a lot of these other things that can come in when we're plugging in solutions, whether it's an IoT, a new machine, or some sort of AI. And it's the third party risk. It's the extortion side of things that can happen with additional access. When we talk about Internet of Things, we think, oh, I plugged a device in, a thermometer or some sort of control or business automation. We don't think about the other side of that. And any time, especially in the manufacturing world, whenever we're connecting things together, we really increase that third party risk that can have a significant impact into loss of data. So we hit that reputation, we hit that revenue, you know, the risk to our partners, our supply chain, there's so many risks out there. And all we're typically thinking about is I need to do more faster. So one of the challenges with that process is how do we actually do a selection of a technology to determine if it's safe? And it's harder than we think because we put so much trust in everybody we sign up for. You know, I have some sort of problem with throughput. And when I sign that contract, I've solved the problem. It's really just the start. 
That true investigation of who we should trust and how we should trust them with information is probably one of the things we need to be focusing on first before we think about that capacity. The issue. 

Bryan Powrozek 15:08

Yeah, and I can't help but, whenever I talk to clients about this, I always get drawn back to the Target data breach from 10 years ago, right? And that they sourced it to the HVAC company, and who would have thought that you would have had a data breach through something like that, you know? And so, yeah, you mentioned the thermometer that you've connected now into your network, but still it's part of that surface area that you and Tom both talked about at the beginning that now you have to make sure is protected and taken care of. So, well, let's turn away. It's, you know, it is the Halloween season. So let's turn away from the scary side and let's talk about, you know, what can manufacturers obviously do about this? So, Jim, just kind of leading up, you know, what are some of the best practices that manufacturers should be thinking about, you know, to improve their cybersecurity capabilities within their organization. 

Jim Peterson 16:10

Yeah, so I'll break it down to three. I mean, they're not easy, but they sound easy things. We talk about it all the time in the industry, we have people, process and technology, and I'll just pick one of them for right now. And the people side, right? We need a level of expertise in a few different areas in today's and tomorrow's cyber world. Obviously, how to run the processes for the technology that provide the cybersecurity. I mean, that's kind of level one, and either having that internal or partnering with the right company is very important to the overall strategy. We have that data protection side. How do we know where our data lives and how it needs to be recovered for an individual process or organization? You know, so many times we have data that we control that we put our arms around in our workstations and servers, but then we have the Microsoft 365. We have our financial ERP applications in the cloud. Data is everywhere. So we got to be able to handle that in a really strategic way. And then, like Tom was talking about, we need some level of understanding of AI on that people side. It's really critical to understand how to use it properly, and then how to get the most out of it. So it's both training on protecting and efficiently using. So I'll stop with just the people side of it, because I could probably talk on all of the points forever, and make sure I give Tom some time to jump in as well. 

Bryan Powrozek 17:31

Yeah, well, I do want to just tag on to one thing there that you mentioned about having the right people. And I think that goes, you know, even beyond, you know, having the right employees, to having the right partners in your ecosystem, because I've seen so many instances, and not even just cybersecurity related, it can be any type of software selection or new business process, where you bring in a well-meaning partner, somebody that's coming in to try and help you solve, as you mentioned, I'm trying to solve this problem here, my throughput, or my whatever, okay, we've got the solution, we put it in place. But if they don't understand the rest of the business, they don't know what those unintended consequences are. So it really underscores finding, whether it's a direct hire, whether it's a partner, whoever, people that understand your business and know how it operates, because then they can sit there and say, well, yeah, you do this over here. Well, don't you also have data over here as well? Oh, yeah, yeah, we weren't thinking about that. Okay, now you kind of pulled that all together. 

Jim Peterson 18:34

Yeah, you hit on that really well. And if we were going to talk a long time about process, that would really fall into that space because yeah, we need people who understand today's world and are willing to take the time to understand tomorrow's world. We also have to be able to build, change and execute processes. It's super critical because we think of the assessment side of things on data infrastructure, security, there's so many assessments that need to be done. And if we don't have the right people behind it, we can really miss the real challenges that are out there and only be focused on one or two vulnerabilities when there's potentially hundreds of them out there, right? 

Bryan Powrozek 19:10

Yep. So Tom, I guess your thoughts on best practices. 

Tom Wojcinski 19:14

Oh Bryan, there's entire podcast series dedicated to just that topic. It's tough to narrow it down, but I'll tie it back to part of my introduction where I said you've got to be resistant to attack in the first place and then you got to make sure you're recoverable for when the bad things do happen. So we can give your listeners some pretty tactical what are the things that we can be doing to be resistant to attack. One, you've got to make sure you've got multi-factor authentication everywhere. It's got to be on all of your remote access methods, VPN, your email, remote access, SaaS applications that you're using, everything has to have multi-factor authentication on it. We've seen insurance companies even start mandating that you've got to have multi-factor authentication for your administrative accounts to help prevent against ransomware attacks. So multi-factor authentication everywhere you possibly can turn it on. Two, patch your systems. You've got to have a regular patch management process, and ideally backed up and validated with some vulnerability scanning or vulnerability management processes to make sure that we did patch everything in our environment. We don't have anything unsecured that's out there. Then the third component is you really got to have some sort of managed security endpoint detection and response service that's actively watching inside your network for indicators of compromise and things that look like they might be ransomware. So I think those three go together on the be more resistant to attack. On the recoverable piece, you've got to make sure you're isolating and testing your backups. I've talked to way too many organizations that didn't know their backups had failed and they didn't have anything recent, or their backups were encrypted during a ransomware attack because they weren't properly protected. 
And in both those cases, these organizations are looking at months of manual recovery to rebuild the business from spreadsheets and the little snippets of data that they could get. It's really challenging when your backups are destroyed or not available to you. So you've got to isolate and test your backups regularly to make sure they're good and that your team knows how to do it, especially when the stress level is through the roof. 

Bryan Powrozek 21:54

Yeah, no, and I think that goes to even, you know, like you said, having some, you have your recovery plan, but have you ever tested it out, right? Have you ever, you know, done a simulation or brought somebody in to do some pen testing to see, you know, how would the system actually respond when this happens? You mentioned the example of having the backup encrypted as part of the ransomware. Okay, well, that's, you know, you're completely defeated having a good process in place. 

Tom Wojcinski 22:25

Yeah. We've got a good number of veterans on our security team. And it's one of the things I've learned from them is no plan survives first contact with the enemy. So you've got to have the plan though. Planning is essential to make sure you're prepared and ready to go when it's go time. 

Bryan Powrozek 22:47

And just my own shameless plug on the multi-factor authentication. I was one of the people that when that first started rolling out, I'm like, God, this is just one more thing I have to do. Until that one time I got an email asking me to confirm, or I got the code saying, hey, put this in. I'm like, wait a second, I didn't log in. So somebody really wanted on my Netflix account apparently, but it's a good habit to get into. So, all right, so we've covered a lot there. And as Tom said, I mean, we could do a whole series on this. And maybe if I get the green light from the marketing team, we can add a couple more topics on this here. But just kind of final thoughts from each of you around this topic and thoughts for cybersecurity awareness month. So Tom, I'll let you go first. 

Tom Wojcinski 23:34

Yeah, don't go it alone. Get access to some expertise to help you. These organizations that I've seen have the really difficult recoveries, they tried going it alone and they did what they thought they knew to do, but they didn't really have the background and the experience of hundreds of clients in the space and didn't have the battle wounds themselves. But they missed things. I think it's really important that you get access to expertise to help you with your security journey. 

Jim Peterson 24:08

Yeah, no, I'll kind of double down a little bit on Tom, but probably from a different angle: have an assessment done. And you know, we would recommend a vulnerability, security or risk assessment. Networks are great, but it's just going to identify what's there. But so often this world changes from day to day or week to week. And what you thought might have been safe last year may no longer be safe. The challenging part of that is you have to have someone running the assessment that understands how to find everything and how to validate it and judge the risk level. So manufacturers, you know, good or bad, are notorious for having systems that were a little older, right, because they continue to work and they're extremely expensive to replace. So identifying those true vulnerabilities, being able to build a plan to protect those going forward, protect the whole organization, is critical, but you have to have that knowledge, you have to have somebody behind that scan that can really make that right recommendation and assess the level of severity. 

Bryan Powrozek 25:03

No, it's great. Both great recommendations. I guess, Jim, if someone wants to reach out to you, continue the conversation, has any questions, what's the best way to get in touch with you? 

Jim Peterson 25:13

Yeah, email's great, jim.peterson@connectwise.com. Or feel free to hit me up on LinkedIn. Just Jim Peterson, you'll find me. Perfect. 

Bryan Powrozek 25:21

Tom, same for you. 

Tom Wojcinski 25:22

Yeah, you can email me at tom.wojcinski@wipfli.com. 

Bryan Powrozek 25:32

Excellent, yeah, and the names will obviously be in the show notes for listeners. And there'll also be a link. Wipfli has a kind of 30 tips for 30 days, I guess Tom you want to mention a little bit about that. It'll be linked in the show notes as well. 

Tom Wojcinski 25:48

Yeah, for every October for Cyber Security Awareness Month, we do put together an ebook with 30 tips to help improve your company's cybersecurity posture. It's a great publication of short digestible snippets of good practices that you can put in place. It's a nice checklist for companies to work through. 

Bryan Powrozek 26:11

Excellent. Well, thank you both again for the time and for coming on and sharing your insights. 

Podcast Outro Narrator 26:16

Thank you for tuning in. Don't forget to like us, subscribe, and share on social. To learn more about Wipfli, visit us at Wipfli.com. That's W-I-P-F-L-I dot com. Perspective changes everything. 


Author(s)

Bryan Powrozek
CPA, CGMA, Senior Manager
Tom Wojcinski
Partner
