Understanding the cybersecurity risks for SMEs

The key to cybersecurity lies in taking the right steps, involving the appropriate individuals and partners, and cultivating a culture of cybersecurity throughout the organization. greenbutterfly/iStock/Getty Images Plus

With seemingly constant news reports highlighting cyberattacks on large companies and institutions, it is understandable why manufacturing companies, both large and small, have concerns about cybersecurity. However, hacking is not necessarily the primary concern for most businesses. Small to medium-sized machine shops often face challenges in knowing where to begin when it comes to cybersecurity.

One of the biggest misconceptions about cybersecurity is that it requires highly technical expertise and the addition of new employees to oversee a security program. However, the key lies in taking the right steps, involving the appropriate individuals and partners, and cultivating a culture of cybersecurity throughout the organization.

For smaller shops that may not have dedicated IT or security teams, the focus should be on optimizing processes and leveraging the skills and talents of employees effectively. Many employees possess cross-functional skills, and whether they are operations technologists or technical specialists, they may already possess or can quickly acquire basic security principles. Implementing a training program to provide all employees with a foundation in security and safety is an excellent approach to instilling a cyber culture within the business.

By establishing a cybersecurity culture that aligns with specific skills and roles, you can significantly minimize potential vulnerabilities that may be targeted by malicious actors or cyberattacks.

Risk Exposure

One of most significant areas of risk is the growing reliance on the Internet of Things (IoT). The more interconnected your shop becomes, the more vulnerable it is to cyberattacks.

Whether devices connect to public or private networks, this heightened connectivity exposes you to potential threats from malicious hackers, competitors, or other entities seeking to gather information.

In addition, there are risks associated with third-party suppliers and partners. These risks become more pronounced as you adopt various technologies and collaborate with multiple partners. It is crucial to identify and address any gaps or issues that may arise from using third-party technology.

Larger companies often have third-party risk programs in place to assess and mitigate risks. However, smaller shops typically do not perform such assessments. They often prioritize financial and business risks over cyber risks.

Increased IoT connectivity and reliance on third-party suppliers are two prime targets for nefarious entities, as they are often seen as easy targets.

Where to Start

To begin, start by looking at your technology partners and the programs and systems you are using. Each of your technology partners will have best practice cybersecurity advisories.

A crucial step in enhancing security is to secure your infrastructure and network by ensuring correct configuration. Thinkhubstudio/iStock/Getty Images Plus

If you are working with Microsoft, for example, their systems are designed with secure configurations in mind. While they may have default settings initially, there are guidelines available to automatically input secure configurations and follow best practices. Additionally, technology partners offer specific advisories to address unique risks associated with their systems or software. By collaborating with your partners, you can implement necessary mitigations to enhance security.

Obtaining a third-party view is also crucial. Across North America, countless compliance and best-practice policies are available. Consider engaging individuals from finance or compliance departments because they have expertise in compliance and jurisdiction. Conduct interviews with key stakeholders, particularly the head of infrastructure and network, to explore existing cybersecurity measures.

Evaluating security through an asset management lens will provide a clearer understanding of the current state of affairs and the areas of concern.

This doesn't mean relying solely on security-focused products. Instead, understanding how you handle cybersecurity and gaining clarity on your approach are important starting points. When considering operational technology or implementing IoT, numerous reference architectures and perspectives are available to guide you.

Assessing how these best practices are being implemented in the broader manufacturing community will help determine whether these policies fit within your shop.

There can be a bidirectional communication within the community regarding the applicability of certain elements or programs to smaller shops, as well as assessing the cost-effectiveness of implementing specific initiatives. While the agencies delivering the policies may not always consider this perspective, it’s important to evaluate cost constraints when implementing policy standards.

Mitigating Risk

One effective way to mitigate cybersecurity risks is by conducting a maturity assessment – whether through a reputable IT consulting company or by utilizing trained professionals in-house.

While large enterprises tend to conduct assessments more frequently, small shops should aim to have an assessment conducted yearly, with a specific focus on business maturity. The assessment should also include a three- to five-year road map.

Engage an independent entity to perform a maturity assessment in collaboration with your shop’s own skills. As an outcome, you can expect a comprehensive list of actions that can be implemented over the next three to five years, ensuring the application of safety measures without neglecting cybersecurity.

While some companies prioritize safety measures, it’s just as important to consider cyber risk. As machine shops increasingly adopt digital infrastructure, cybersecurity and safety become intertwined. Therefore, it’s crucial to adjust and allocate your budget accordingly. While safety investments are common, it’s essential to integrate cybersecurity into the overall safety framework rather than treating it as a separate concern.

Following the initial assessment and implementation of the road map, you also should conduct additional assessments on an annual basis to evaluate how risks are being managed. This assessment should determine whether the established processes are effective, identify industry or peer group best practices, and evaluate their applicability.

A yearly peer group analysis can help your shop gauge its level of maturity and its position within the industry. Many small shops lack awareness of their standing and solely focus on daily operations. By examining similar-sized shops with high levels of maturity, you can gain insights into their practices and apply new plans accordingly. Creating a road map and regularly assessing progress are critical steps.

Security typically is considered as a subset of the IT budget and expenses, rather than being holistically addressed across all areas of the business. Businesses often contemplate trade-offs, such as reducing expenditures in other areas to implement cybersecurity measures or determining the appropriate budget allocation for risk mitigation.

It’s important to view cybersecurity as an integral part of your shop’s overall risk management process, rather than a percentage of the IT budget. This requires quantifying the annualized risk exposure and considering the weight of cyber risks in relation to reputational or financial risks. By properly assessing the risk exposure, you can allocate appropriate resources and costs to security, including personnel, management, labour, technology infrastructure, capital, operational expenses, and external service providers.

Without a comprehensive understanding of the risk’s impact, the cost associated with cybersecurity will remain ambiguous.

Additionally, it is worth noting that businesses—particularly in industries like aerospace and automotive—prefer to work with service providers who prioritize security and privacy. This consideration can significantly impact an organization’s reputation.

It’s also important to quantify how cybersecurity contributes to revenue growth metrics, rather than simply considering security a risk parameter and a cost factor. Be sure to ask how security enables growth and revenue trajectory.

Cybersecurity Best Practices

A crucial step in enhancing security is to secure your infrastructure and network by ensuring correct configuration.

Leaving default policies in place is a mistake. While these are general recommendations and best practices, they may not be fine-tuned to address the specific areas of risk or the unique usage patterns within a shop. Achieving security by design and implementation requires finding the right balance between default measures and customization.

Using default settings can make small shops an easy target for malicious actors. As your company expands, the network may grow extensively, making secure configuration even more important in reducing potential attacks.

Patching is another essential measure. Some companies overlook the importance of patching. Whether you're utilizing platforms from Microsoft, Oracle, or any other large organization, it is crucial to regularly review their advisories and apply patches promptly. When cybersecurity incidents occur, especially those targeting smaller shops, the lack of patching or failure to address configuration issues are often the key factors. By prioritizing patching and configuration review, the dwell time for potential threats can be significantly reduced.

Cybersecurity and AI

When it comes to generative artificial intelligence (AI) or large language models (LLMs), prioritizing secure usage is of the utmost importance from a cybersecurity standpoint.

There is always a possibility of unintentional leakage of sensitive information when using LLMs. Ensuring the security of your own internet protocol (IP) and internal-use data can be challenging, particularly for small shops. However, it is important to have a dedicated team on hand that can implement measures to protect against accidental leaks.

Certain situations may arise where specific IP, proprietary processes, or systems—when inputted into LLMs based on an input prompt—could result in information leakage. This data may include customer information, which poses a risk of exposure.

Another critical concern is information access. By securing access to AI models and LLMs, the risk of information poisoning can be mitigated. Nefarious individuals, entities, or even competitors may attempt to manipulate the data set to divert it from its intended use for a particular organization or client.

Securing access is essential to reducing the potential attack vectors associated with AI models and LLMs. It helps safeguard against information poisoning and ensures that data is used in the intended manner for the organization or client it is intended for.

Justin Haney is the North America cybersecurity lead at Avanade, www.avanade.com.