Area Development
AD: According to a study from McAfee and the Center for Strategic and International Studies, cybercrime costs businesses worldwide more than $400 billion annually. Is the U.S. more vulnerable than other nations?

Clinton: Actually, the U.S. industry’s cyber defense is generally better than that of other nations. According to the Ponemon Institute, U.S. business investment in cyber security has basically doubled to approximately $100 billion a year over the last five years.

However, this spending has not been evenly spread over all enterprises, with some making a rather impressive effort to protect their electronic information and systems, while others have made minimal, and often inadequate, investments in cyber security.

AD: Is this just an IT problem?

Clinton: No, cyber security is not a technology problem — it’s an enterprise-wide risk management issue that corporations need to address in a holistic fashion. Actually, people are the number-one cyber vulnerability. Technology is just HOW cyber attacks occur. In order for us to solve the cyber security problem we need to address WHY they occur, i.e., the economic incentives all favor the attackers. Cyber attacks are cheap, easy to launch, and profitable. Cyber defense methods are generally a generation behind the attackers, and law enforcement is virtually nonexistent — less than 1 percent of cyber attackers are successfully prosecuted.

AD: How are manufacturers affected by cyber threats?

Clinton: Successful cyber attacks threaten operational uptime and productivity. Threats may come from industrial spies, criminals, disgruntled insiders, “hacktivists,” or terrorists and affect profitability and business viability for manufacturers in a number of ways, e.g., theft of intellectual property or sensitive data; damage to manufacturing processes or products; damage to manufacturing systems or shutting down operations with denial of access attacks.

AD: Can threats come through the manufacturer’s supply chain?

Clinton: Yes. Modern companies often have increasingly complex supply chains, with multiple choke points or opportunities for compromise — identifying where a vulnerability is introduced or a compromise occurs can be daunting. Threat actors can, and do, exploit vulnerabilities along the supply chain in order to access private systems and steal secrets. Small businesses along the supply chain with little or no IT staff are increasingly used as easy first targets and stepping stones to get lucrative information.

AD: Is there an added risk when manufacturers use cloud-based technology?

Clinton: Cloud-based technology, if implemented haphazardly and without appropriate oversight, may also introduce new security risks to manufacturers’ information and systems, possibly eroding confidentiality, integrity, or availability of data. One study found that 62 percent of IT professionals professed to have “little or no faith” in the security of data placed in the cloud, including 48 percent who had already put their data in the cloud.

AD: Is there any way to secure company information on employees’ personal devices used to conduct business?

Clinton: While the use of personal employee-owned devices makes securing company information more difficult, there are measures that can be taken to mitigate some of these risks. According to the AFCEA Cyber Committee 2013 report on practical cyber security investment, these measures might include restricting employees from installing certain applications on devices brought into the company network, ensuring that the operating system and software applications utilized on these devices are patched with current updates, and restricting administrative privileges.

AD: Are the added costs of recovering information taken into account?

Clinton: Yes. These costs are very large, but cleaning up in the wake of a cyber-incident can actually be more expensive than the direct impact of the crime itself. In addition to more tangible costs dealing with incident response — including things like PR campaigns or legal costs — there are other post-incident costs that are less tangible. These costs might include damage to the company brand, reputational loss, etc.

AD: Do today’s manufacturers invest enough time and money in securing their proprietary information and processes?

Clinton: The manufacturing industry is becoming increasingly aware of the cyber security threats it is facing. Unfortunately, simply being aware that there is a threat is only the first step in addressing it, and there is no one-size-fits-all solution. Each entity needs to do its own risk assessment (including risks associated with the partners/vendors it is interconnected with) and install a program suited to its unique risk posture.

AD: What procedures constitute an effective security program?

Clinton: The Internet Security Alliance recently prepared a Handbook for Corporate Directors that outlines the process we recommend for corporate entities to build their own effective security program. Since the Handbook was published in June it has been endorsed by the U.S. Department of Homeland Security, the Institute of Internal Auditors, and the U.S. Chamber of Commerce.

AD: Are there other costs to industry of cybercrime besides financial? What are the long-range effects?

Clinton: In a highly competitive global economy, business advantage often comes from insights or proprietary products that result from corporate R&D. If competitors are able to gain this insight through cyber theft of IP or business process information, it not only eliminates the competitive advantage for the original company which did the R&D but it also provides a massive disincentive for future R&D, thus inhibiting innovation and growth. Cybercrime is essentially a tax on innovation that slows the pace of growth by reducing the rate of return to innovators and investors.