Information and system security is a rising concern for manufacturing businesses. As the sector increases its reliance on technology to connect, communicate and collaborate, criminals are launching more sophisticated attacks to steal data or hold businesses to ransom.

By Nicholas Lennon, Country Manager Mimecast Australia.

Many attacks target email systems that operate as a primary communication tool for manufacturing businesses – but can also be a potential point of vulnerability. These attacks may disrupt the email systems themselves, potentially annoying employees and customers and raising questions in the minds of customers, suppliers and partners about the targeted manufacturers’ resilience and performance. In fact, a recent Mimecast/Galaxy Research survey of IT managers across a range of industries put the financial losses from an email outage anywhere from thousands of dollars to hundreds of thousands of dollars. However, despite the potential cost, only about half of IT managers believed their systems (including email) were highly prepared for outages.

Yet the damage caused by email disruption pales beside the damage that email can cause as a vehicle for more sophisticated and nefarious attacks. Viruses and other malware can disrupt core business systems, steal resources and data, and force organisations to dedicate valuable time and resources to detecting and removing them. Unsurprisingly, the Mimecast/Galaxy Research survey found that nearly all IT managers were aware of the threats posed by viruses, malware and outages.

However, the poll also found only about two-thirds of IT managers across all industries were aware of the threat posed by email-borne ransomware, which can encrypt files and bring business operations to a standstill. This finding is deeply unsatisfactory as it indicates nearly one-third of IT managers are not properly educated about a threat that has caused extensive damage to businesses in Australia and overseas. The poll result is also quite surprising given that the research reveals nearly one in three businesses have been targeted by ransomware.

While many businesses can recover from a ransomware attack by restoring systems and files from backups, the costs can still be considerable. They may include lost productivity, reputational damage and potential fines for failing to meet customers’ production targets.

Even more worryingly, the research revealed only about half of IT managers recognised ‘spear phishing’ as a genuine threat. Spear phishing occurs when attackers send fake emails to targeted groups of people to trick them into revealing information or downloading malware.

For manufacturing businesses, this finding is of serious concern. Reports indicate that companies in this sector are among the top targets of spear phishing, and the potential damage can be considerable. According to Wired magazine, a report issued by Germany’s Federal Office for Information Security revealed that a spear phishing attack had compromised the systems of a steel mill and caused extensive damage.

Using traditional security approaches to mitigate the threat of email‐borne attacks is no easy task for businesses in manufacturing and other industries. IT managers need to combat both the social engineering and technical elements of these threats. This means helping educate employees, contractors, partners and customers not to click on links in emails that appear to be legitimate.

The technical element may be even harder to address as traditional anti-spam and anti‐virus solutions may not recognise threats presented by links in the body of a fake email. While web proxies may pick up malicious links, they cannot protect all of the devices that employees and customers use to connect to the web. In addition, malicious emails are increasingly being crafted to be indistinguishable from messages sent by legitimate organisations.

The lagging awareness of email threats in manufacturing and other businesses is reflected in typically low levels of investment in email security. According to the research, around half of all businesses spend less than $10,000 per year on email security, and among organisations with up to 50 staff with email access, two-thirds spend less than $10,000 per year on email security. While larger organisations tend to spend more on email security, about one‐fifth of organisations with more than 200 staff spend less than $10,000 per year on email security.

The survey also showed that many Australian businesses are implementing a cloud‐first strategy, including a shift to Office 365. Nearly 20% are already using Office 365 and a further 29% plan to migrate within the next two years. But as Office 365 adoption grows, Microsoft and its customers become bigger targets for hackers and cybercriminals. What will happen when Office 365 goes offline or is hacked, and your data is lost? Indeed, the research found that the risk of potential Office 365 email disruption was the biggest concern for 46% of respondents. Office 365 customers need to have a plan B.

So how can manufacturing businesses minimise the risks presented by email disruption and threats? The answer lies in multi‐layered, cloud‐based security services that can protect against traditional and advanced threats before they reach the network. By adopting a ‘zero-trust’ approach that treats every email as possibly malicious and checks links ahead of users clicking on them, a business can thwart the intentions of criminals. And in terms of addressing the ‘one lock to pick’ concern around the shift to Office 365, additional third-party cloud services are the only way to properly mitigate the risks here. These approaches will reduce risk and enable IT managers to focus their resources on adding value to the business.