Human Error: A Growing Cybersecurity Risk for Metalworkers
How improved internal security practices and a focus on human error can help protect your business from cyberattacks.
Posted: October 20, 2022
Since the onset of the pandemic, businesses across all industries have seen a significant increase in cyberattacks. In fact, a recent survey conducted by the Manufacturing Leadership Council found that, as of 2022, nearly 50% of surveyed manufacturers have been a victim or target of cyberattacks.
Most operations understand the implications of cyberattacks—and your IT department has likely put some safeguards in place. Regardless, attacks still happen. As an underwriter, I help evaluate risks, and I’ve found that the most significant vulnerabilities among manufacturers are often caused by individuals within — or with close relationships to — the organizations themselves. A recent study from IBM found that 95% of cybersecurity breaches can be traced back to human error.
Without greater awareness of how their everyday actions affect security, employees may not follow the best practices that would prevent physical or digital access to a device or account. One mistake could lead to a hacker finding their way into your network, encrypting your systems, and either halting production or demanding a ransom.
Phishing attempts and malicious software might be in the news, but don’t overlook unauthorized physical access to your devices. To help reduce such vulnerabilities, listed below are recommendations to help your team stay vigilant about protecting your metalworking operations from cyberattacks.
Keep a Close Eye on Equipment — and Who’s Using It
If you’re a small- to medium-sized manufacturer, you likely trust your employees with your business information and technology. However, many scenarios could lead to the unauthorized use of your equipment, including:
- Open office doors and manufacturing bays
- Devices that aren’t properly stored or locked away
- Unsupervised visitors, including cleaning crews or maintenance personnel
- Identity theft and fraudulent impersonation
Most breaches caused by human error can be avoided through common-sense security measures, such as:
- Not letting third-party individuals (e.g. cleaners, network repair personnel) work on or near systems unsupervised
- Locking laptops and other mobile devices when not in use
- Enabling the session lock feature on operating systems to lock screens after several minutes of inactivity
- Using privacy screens or positioning computer displays so information isn’t visible to people passing by
- Properly disposing of old technology by electronically wiping any data-containing devices and physically destroying them
- Requiring individual user accounts for each employee
- Removing administrative privileges from employee accounts (unless they’re essential) to help prevent the installation of unauthorized software
If you haven’t reviewed your IT equipment protocols recently, examine the physical security of your technology. Identify which areas leave you most vulnerable and implement new practices to help protect your business.
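Two items on the list above, the inactivity session lock and the removal of administrative privileges, can be checked directly on each Windows workstation. The following PowerShell audit is an added example, not part of the original article; it assumes a 10-minute lock threshold, a site-specific allow-list of approved administrator accounts, and the standard Windows registry locations for the inactivity-limit policy and screen-saver settings.

```powershell
# Added example: audit session-lock and local-administrator settings on one
# Windows 10/11 workstation. Run in an elevated PowerShell session.

# Assumed threshold: the screen must lock within 10 minutes of inactivity.
$MaxIdleSeconds = 600

function Get-SessionLockStatus {
    # Machine-wide policy "Interactive logon: Machine inactivity limit" (seconds).
    $machine = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name 'InactivityTimeoutSecs' -ErrorAction SilentlyContinue
    # Per-user screen-saver lock: policy key takes precedence over user preference.
    $desktop = $null
    foreach ($key in 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
                     'HKCU:\Control Panel\Desktop') {
        $candidate = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($candidate -and $candidate.ScreenSaveTimeOut) { $desktop = $candidate; break }
    }
    $machineOk = $machine -and $machine.InactivityTimeoutSecs -gt 0 -and
                 $machine.InactivityTimeoutSecs -le $MaxIdleSeconds
    # Screen saver must be on, must require a password, and must fire within the threshold.
    $saverOk = $desktop -and $desktop.ScreenSaveActive -eq '1' -and
               $desktop.ScreenSaverIsSecure -eq '1' -and
               [int]$desktop.ScreenSaveTimeOut -le $MaxIdleSeconds
    [pscustomobject]@{
        MachineInactivityLimitOk = [bool]$machineOk
        ScreenSaverLockOk        = [bool]$saverOk
        Compliant                = [bool]($machineOk -or $saverOk)
    }
}

function Get-LocalAdminReport {
    # Assumed allow-list of accounts permitted in Administrators; adjust per site.
    param([string[]]$Approved = @('Administrator'))
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $shortName = ($_.Name -split '\\')[-1]   # strip "MACHINE\" or "DOMAIN\" prefix
        [pscustomobject]@{
            Member   = $_.Name
            Class    = $_.ObjectClass
            Source   = $_.PrincipalSource
            Approved = $Approved -contains $shortName
        }
    }
}

$lock = Get-SessionLockStatus
Write-Host "Session lock within $MaxIdleSeconds seconds: $($lock.Compliant)"
# Any row printed here is an account holding admin rights that is not on the allow-list.
Get-LocalAdminReport | Where-Object { -not $_.Approved } |
    Format-Table Member, Class, Source -AutoSize
```

Running this across the shop's workstations (for example via remoting or a scheduled task) gives a quick inventory of which machines still allow an unlocked console or carry unapproved administrator accounts.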
Create a Reliable Team
According to guidance from MEP National Network and the National Institute of Standards and Technology (NIST), employees and third-party personnel are primary sources of security incidents. Because they’ve been given access to important business information and systems, they can easily cause harm — deliberately or unintentionally.
Conducting comprehensive background checks and cybersecurity training can make a significant difference in your efforts to minimize the risk of a breach. Before hiring a new employee:
- Perform a complete, nationwide criminal background check and, if possible, a credit check on all prospective employees — especially if they’ll handle business funds.
- Contact prospective employees’ professional references to verify the dates they worked for a company and other specifics to help ensure their honesty.
- Call the schools they attended and verify their attendance and graduation. This is particularly important if their role has specific education requirements.
Comprehensive training can help mitigate the risk of human error. Train employees immediately after they’re hired — and at least annually after that so they understand IT security policies and their responsibility to protect your business’s information and technology.
Employee training should cover:
- How to recognize and react to phishing scams.
- What they can and cannot use business devices for (e.g. checking personal email).
- How to properly manage and store customer or business information.
- What to do in case of an emergency or security incident.
- Basic practices surrounding equipment — including physical storage and security.
Everyday conversations, meetings, or company newsletters can reinforce your team’s understanding of cybersecurity. Revise your technology policies and procedures annually — and when you make operational changes or introduce new devices.
Protecting your operation from cyberattacks starts from the inside out. Improve your business’s safety culture by setting high standards for how devices are used, managed, and monitored — and train your team to abide by those standards. Doing so can leave you less vulnerable to data breaches and costly downtime, so your business can operate seamlessly in a world of rapidly changing technology.
These recommendations are just a start. Be sure to talk with your insurer or a local cybersecurity expert to discuss in greater detail how to best protect your business.