When cyber breaches occur in a small business, 40% lost a fifth of their customer base, almost 40% lost more than a fifth of their revenue, and close to two-thirds of small businesses that have a major hack are out of business within 6 months.

On Thursday, July 26, MTEC, Fuzehub, HVEDC, The Council of Industry, and SUNY New Paltz all partnered to put together the Hudson Valley Cybersecurity Workshop. The goal of this event was to help manufacturers understand the growing threat of cyber attacks as businesses become more and more connected. The workshop introduced business owners to ideas and resources to help them get started in protecting their assets and understanding that in today’s world, everyone is a target.

Keynote speaker, David C. Stieren is the Division Chief for Extension Services at NIST MEP. Unlike the other speakers for the day, David’s specialty is in manufacturing, not cybersecurity. However, as the Division Chief for Extension Services, his number one priority right now is cybersecurity, and he went on to explain why this is so important in the current manufacturing environment.

If manufacturers are not taking basic steps, and DOD contractors are not taking more advanced steps to implement cybersecurity protections, they will no longer be in business. Cybersecurity needs to be thought of by businesses as a risk management tool, the same way people living in flood zones have flood insurance or hurricane insurance. All businesses live in an environment where they will be prone to cyber-attacks, that is just the way it is.

Companies generally have many insurance policies in place, yet most businesses do not have those same kinds of policies to protect their assets from an information standpoint from cyber-attacks. The most common kinds of cyber breaches happen as a result of employees with a noble intent allowing someone access to something they shouldn’t, ultimately allowing a breach into their system.

Most small businesses think, “I’m not a target”, “This doesn’t impact me”, “It costs too much”, “It’s impossible”, “I don’t know what to do”. David Stieren used a metaphor to explain how backward this thinking really is,

“If I’m a car thief, and I’m walking down the street of a city block looking to steal a car, I’m walking along pulling on door knobs. Which car is the car I’m going to steal? I’m going to steal the car that’s unlocked.”

As everything becomes more connected, hackers are simply looking for infiltration into a network and that has become much easier than it once was. This is why DOD contractors must be compliant with the NIST 800-171 cybersecurity standard because the lowest tiers of the supply chain are the ones that are most attacked. Once a hacker makes it into those systems they can them move up to the larger ones.

There are five core elements of the cybersecurity framework developed by NIST that form the basis to protect businesses from a cybersecurity standpoint: Identify, protect, detect, respond, and recover.

Some of David Stieren’s suggestions in these areas are to teach employees about phishing and the risks of social media, make sure machines are clean, look at how browsers are operating, know your operating systems and use firewalls. Be careful with mobile devices, make sure to use strong passwords and consistently change them. Encrypt when you need to, make sure devices use secure applications, avoid public networks, make backups, secure your wifi and make sure every employee has a user account.

Jake Nihevc, Associate Dean of Business and Cybersecurity Computer Science at Mohawk Valley Community College spoke of cybercrime, information warfare, and cyber espionage, focusing mainly on cyber espionage.

The United States today has more knowledge in one place in one time than it ever has before. By investing in high school programs, community colleges, and universities, we have developed the ability to produce mass amounts of intellectual property. Unfortunately, there is another model for a nation-state that is to steal from everyone else. Other countries have been very successful in doing this which is why cyber espionage is such a major threat requiring us all to take action against. The beginning stages of which are having a professional perform a cybersecurity assessment.

The majority of changes that need to be made following an assessment are investments of time more than money, making policies or changes to existing systems. The cost is generally much lower than businesses initially assume it will be because they think they need to purchase tons of new equipment. Professionals can also help guide as to how to most efficiently spend money if businesses are planning on putting in new systems or making major changes.

Paul Chauvet, Information Security Officer at SUNY New Paltz covered a range of cybersecurity issues including some questions businesses should begin asking themselves:

• Do you have a backup system?
• Is it the most protected, secure thing you have? (because it should be no matter what kind of data you are storing)
• Is anything on your network able to easily connect to your backup system?
• Do you test your backups?
• If you do not test your backups how do you know they are worthwhile?
• Do you know what is accessible remotely on the internet from your company?
• If you do think you know how would you test that? How would you verify it?
• Are you segmenting your critical assets internally? (Target’s Environmental control system was on the same terminal as their POS system and their breach in 2004 came in through a third party vendor)
• Are you using multifactor authentication? (If you’re not doing something to protect your sensitive accounts beyond user account and password, you are not doing enough)

 

The Panel discussion included Jake Mihevc, Paul Chauvet, Robb Engle Vice President of Engineering at Sono-Tek Corporation, Devi Currier Momot CEO of Twinstate Technologies, Geoff Young IT Specialist at MTEC, and Tyler Wrightson founder of Leet Cyber Security.

The panel answered questions ranging from how to identify cybersecurity professionals who know what they’re doing, whether or not to use password managers, whether or not cloud storage providers are trust worthy, to what it would cost a small manufacturer to start implementing cybersecurity. For many of their questions, the answers were not black and white, as businesses have different needs it is really a matter of assessing what would work best for each individual.

 

Thank you to all of the speakers, attendees, and companies who helped put together an insightful morning!

If you would like the see the speakers’ presentations in full they are posted, Here

 

As an MEP center, our goal is to help keep manufacturers productive and secure and we are a great place to start asking questions about how to make sure your data is safe. If you have any questions about cybersecurity, don’t be shy…

Contact Phil VanOss:
phil.vanoss@hvtdc.org
(914) 456-1204