If all you read were headlines, you’d be forgiven for thinking cybersecurity is a Big Tech or IT issue alone. It makes sense. When most people think of a cyberattack, they think of large-scale theft of personal information, often from big companies central to how we live in an increasingly interconnected world, like online shopping, online banking, or social media.
The truth is that cybersecurity isn’t just a Big Tech — or even big company — issue. Any company can fall victim to a cyberattack. Larger companies might have the budget to put sophisticated protections in place, knowing they’re likely to be targeted. Smaller companies might choose not to prioritize cybersecurity, believing that they are too small to be worth pursuing. But this misapprehends the risk by making incorrect assumptions about how criminals conduct cyberattacks. Criminals rely on a virtual net of automated attacks requiring little effort or money; company size plays little role in who becomes a victim.
Consider the manufacturing sector. Manufacturing leaders are often more oriented toward operational technology than information technology. They also generally don’t see themselves as technology companies. At least not until the technology stops working.
But the only manufacturers that do not need to worry about cybersecurity are those who aren’t using computers connected to the internet, and that rules out almost everyone. Modern manufacturing equipment and factories are highly networked, and once something is connected to a data network, it’s vulnerable to a host of malware attacks that can disrupt or even halt operations. The outcomes of an attack can range from a failure to fill orders to significant consumer inconvenience to “bet the company” lawsuits.
The same risk applies to all businesses. Manufacturing is incredibly diverse, from large heavy machinery to small consumer products, even biotechnology and medical devices. Bottom line: If you’re connected to the internet, you need to make cybersecurity a priority.
The good news is that businesses can manage the risks of a cyberattack. They might not stop one from happening, but they can minimize the impact, accelerate their recovery, and obtain legal protection if an attack results in litigation. Here are three steps every business should consider to help manage its cybersecurity risks.
1. Reframe the issue.
Rather than looking at cybersecurity as an IT problem, consider it a management opportunity where the C-suite, HR, legal, and others work together to make sure data is secure and that employees, business partners, and customers are safe. Of course, there are technical requirements to review and approve and contract negotiations to engage in, but cybersecurity is much bigger than any subset of these things.
2. Conduct a risk assessment.
Cybersecurity is risk management — something every business understands — and the goal is to bring together the smartest people across a business to think through everything that could go wrong. This could be as simple as a tabletop threat modeling exercise that identifies each asset that could be at risk (you can protect only what you know about!) or as complex as hiring white hat hackers to help pinpoint vulnerabilities. The point is to go through the steps of assessing vulnerabilities and dig deep into the risks so you know what you’re working with.
3. Build contingency plans.
This might include business continuity strategies; timelines for necessary technology upgrades; internal policies that get everyone on the same page; and communications plans that ensure, if an attack happens, you have a proactive plan in place to minimize the fallout. Having a response plan in place and following it are particularly important from a litigation perspective. The Federal Trade Commission has made it clear that failure to maintain reasonable cybersecurity practices is an unfair trade practice, and many companies that have been sued as a result of cyberattacks were lacking not only in their approach to cybersecurity but also in the response plans they had in place.