Longtime NHL coach and living legend Scotty Bowman once famously claimed that “statistics are for losers.” For a game filled with numbers, that was a pretty bold statement. Around the same time, business author Peter Drucker, a legend in his own right, argued the opposite point, saying “if you can’t measure it, you can’t improve it.” There is certainly something to be said for “the bottom line” — the final score of a game is ultimately the most important number.
But a compelling case can be made that a winning game, a winning team, or a winning organization is comprised of many discrete elements, and that by seeking to measure and improve these key elements, the overall system will benefit accordingly. Our contemporary Moneyball sports world rendered Bowman’s statement a quant anachronism. Similarly, in the business world, managers and executives increasingly look for metrics that help them understand their areas of responsibility.
“Running the numbers” is not a substitute for successful management, but can be a valuable tool in its execution.
On that note, the National Institute of Standards and Technology (NIST) published a list of “20 Cybersecurity Statistics Manufacturers Can’t Ignore” which details some of the critical numbers that separate winning companies and organizations lost to the nefarious designs of malware, hackers, ransomware and the varying forms of cybercrime. From this list, a few highlights immediately come to the fore. By listening to the information embedded in the data, organizations can act quickly to mitigate the biggest threats that they didn’t know they had. A good manufacturing cybersecurity strategy can address old problems, predict new ones, and keep all operations cyber safe.
Ransomware Remains a Primary Threat to Manufacturers
The impact of ransomware on businesses has been monumental. According to NIST, 1 in 5 small or medium-sized businesses (SMBs) report that they have fallen victim to a ransomware attack. This makes ransomware the number one threat to organizations. Ransomware is unique among attacks in that it does not seek merely to damage the resources within a network. Rather, a ransomware attack encrypts company files, making them inaccessible to the organization and its users. Access to the decrypted files is only provided once payment to the assailant has been made.
The effects of ransomware are immediate. When a company gets ransomed, all operations affected by the encrypted files come to a grinding halt. This has a cascading effect across the organization as it struggles to stay open during the crisis. This often results in delayed production, late shipments, confused inventory levels, and frustrated customers. To cope with the outage, the company normally resorts to a handful of painful workarounds that are difficult to unravel and clean up once the ransom has been paid.
Ransomers Attack & Manufacturing Cybersecurity Teams Rally
In DoD environments where data cyber security is key, the impact to a company’s reputation can be detrimental. As such, it is no surprise that a ransom situation can cause an organization to go out of business entirely. Worse still, the costs are increasing. According to NIST, over the course of a single quarter in 2019, the average ransomware payment went up by 13% to $41,198. The impact on an SMB’s cash flow should be self-evident. Hackers know no limit when it comes to ransomware targets, attacking companies of all sizes. For that reason, there is no reason to believe that your organization can hide under the hacker’s radar. Therefore, manufacturers across the nation are increasing their investments in enterprise risk management and security solutions.
Microsoft Office is a Primary Vehicle for Malware
Microsoft Office has been a mainstay of organizations large and small. But the security risks of Microsoft files in an unmanaged environment are considerable. According to NIST, 38% of malicious file extensions come from Microsoft Office formats such as Word, PowerPoint and Excel, making this the most common set of file extensions. Microsoft’s Office suite has long been entrenched in the daily life of SMBs and manufacturers. Shop schedulers frequently define and redefine priorities using spreadsheets, SOPs utilize document formats for process control, and presentations to a company’s staff routinely take the form of a PowerPoint presentation.
While these file formats are common, they are far from invulnerable, and the robust capabilities that Microsoft created within each format provides opportunities to embed hostile code that can detonate once the files are saved within the network parameters of an organization. And file sharing across the manufacturing community is widespread. It is common, for instance, for vendors and presenters at manufacturing conferences and trade shows to hand out flash drives containing promotional materials. Manufacturing cybersecurity policies need to include these activities because should these files be infected, the consequences of introducing them to an unprotected company network could be catastrophic. As such, companies need to take care in managing the devices that connect to network, and the safety of the files they contain.
Social Media Accounts Become a New Target
Social media is widespread, and manufacturers are increasing playing along in order to get more visibility for their products and more interactions with their customer base. But with the proliferation of online social interactions comes increasing risk. In fact, 63% of MSPs anticipate that hackers will increasingly target social media accounts, according to NIST. Similar to Microsoft Office, social media toolsets have increasingly found their way into organizations. Initially thought of as a distraction, these toolsets have become embedded in many organizations, allowing for more collaborative communication between suppliers, customers, individuals, and groups.
Like the Microsoft Office suite, social media platforms have been enhanced and expanded, with new capabilities added on a routine basis. But a single compromised account can compromise an entire network when accessed from within the network’s parameters. Worse still, given the continually evolving nature of social media platforms, the threats are similarly evolving. Business owners need to understand what role social media will play in their organizations, and how these platforms can be leveraged without excessive risk. Manufacturing cybersecurity measures should take into account all accounts, including those on Twitter, Facebook, and similar online social meeting grounds.
When it comes to cybersecurity for manufacturers, the numbers don’t lie.
Cyber security solutions are technological processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. Over the years, they have become a necessity in order for industrial firms to succeed. Manufacturing supply chains are often interdependent and integrated. Security within the entire supply chain will lessen any vulnerabilities that could impact the company as a whole. Manufacturers must prepare for a cyber security breach by way of proactive measures.
Has a hacker already gained access to your sensitive data?
All companies have private data that ranges from non-secure to highly secure information. This applies if you have one user, a million users, a million customers, or a supply chain with 500 million endpoints. This applies if your data is exclusive to networks outside of the United States or if you are global in reach.
Regardless of the size of the company, all companies include the following data within their protected systems, and this is the type of data that needs the highest level of endpoint security:
Social Security Numbers / Information
Bank Account Information
Is your supply chain or customer data on the dark web?
If you have suffered a data breach in the past, the data included personal information, such as phone numbers or other personally identifiable information (PII). Leakage of such information could be fatal towards the growth of a company and its workers. Such sensitive information needs to be secured with proper cybersecurity measures. For companies that do not ensure these measures, the chances of survival within the digital world are slim. The only practical solution is developing ways to combat or prevent cyber risks.
Understanding Manufacturing Cyber Security
In order to stay safe in a world where digitization is key to success, manufacturing companies have to stay prepared. The best way to prepare, understand and manage cybersecurity risks is by considering all areas that could be breached by an attack. By looking at such risks in a business, and from a legal standpoint, owners may aim to formulate regulatory procedures in order to avoid the damage that a cybersecurity attack can impose on their company. In order for a manufacturing company to not only exist but thrive, they must first UNDERSTAND:
Understanding the risk: First, one must understand that hackers aim to steal, exploit and disrupt the company’s work. This may not necessarily be a personal attack and therefore it must not be treated as one.
Narrowing down risks: Manufacturing companies utilize technology for a multitude of sectors within the company. Therefore, narrowing down where the weakest aspects of cybersecurity are would help avoid data loss or operational risk significantly. If an attack is successful, it is also helpful to know where the root of the problem may have begun in order to stop it.
Data access control: Data is one of the most important factors in cybersecurity. The reliance on a single password, as security for data information, leaves manufacturing companies unshielded from hackers. Implementing a series of security measures by ranking importance of data can establish a hierarchy that prioritizes confidential data. Making sure only limited personnel has access to the data will lower the risk as well.
Enterprising the risks: Since cybersecurity risk is such a prevalent aspect in technology, manufacturing companies must include a prevention plan in their enterprise. This includes spending the necessary funds to prevent any harm towards the company’s technology.
Readying for the worst: Another tactic is assuming that every cybersecurity breach will be crippling towards the company. This prepares staff through proactive methodology and technology.
Setting key roles in an incident plan: Defining roles in advance with a detailed plan will enable everyone to know exactly what is required of them in case of an attack. This will help in a time when it is necessary to move quickly. Everyone will remain organized and on task.
Training all employees: Manufacturing companies need to train all employees to know how to avoid human error, which is one of the highest risk factors within cyber attacks. Through training, proper communication can be established between IT (Information Technology) and OT (Operational Technology) workers. The creation of a community culture will enable proper guidance and action on security shortfalls.
Administering the company’s policies wisely: Cyber attacks in manufacturing companies range from light breaches to severe damages that shut down operations. Therefore, ensuring that effective policies are in place is essential. The entire company needs to understand the severity of even a small breach. Policies should be updated as new threats emerge. Staff should be informed of any backup strategies in place and also of planned disaster recovery steps.
Never forget the basics: Manufacturing companies should have a basic response plan in order to outline expected and anticipated actions. Routinely changing user passwords and checking all systems for vulnerabilities should be common occurrences.
Decoys for intelligence gathering: Deploying white collar hackers is another method that could prevent vulnerability to cyber attacks. Companies should place themselves in the mind of the attacker in order to gain more knowledge on how one may think. Therefore the company can counter the attack before a breach is successful. Using decoys allows manufacturers to actively identify and analyze trends in their system that need to be addressed.
The latest technology, including managed application hosting in the cloud, provides new openings for risk and reveals a general lack of effective security in companies of all sizes, across all industries. The manufacturing industry is particularly vulnerable due to complex applications and third-party software integrations. Manufacturers also have challenging compliance regulations that require intensive documentation and reporting. Small business IT solutions help manufacturers looking for partners who will help them grow without the burden of cyber risk.
Cyber security incidents put manufacturing companies at risk of shutdown
Zero-trust cybersecurity policies have become the most essential risk management strategy. The only way manufacturing companies can stay safe is by making sure they are secure on all ends. The first step is understanding the risks, then making the effort to make sure a security breach does not occur. This process utilizes security audits and penetration testing to gain full vision of all system vulnerabilities. In the chance that a data breach does occur, cyber protection and cyber insurance are critical for survival.
Prevent a Cyber Security Breach with Best Practices
Chat with us now to schedule a penetration test to see if your data is secure.
A very typical software selection process begins by clicking on “I am interested” after reading about a software product. Someone replies, and pretty soon a salesperson has you convinced their product will have you living the Life of Riley.
Is that narrative oversimplified? Maybe, but all of us have followed that process at times and possibly even with enterprise-level software products such as Enterprise Resource Planning, or ERP solutions.
A simple selection process can work because there are many very good systems on the market, and they are flexible enough that good value is there for many businesses. None of us knows what we don’t know. Choosing an off-the-shelf software could lead to an 80% or even 90% satisfaction, but the 100% solution we hoped for could be beyond reach.
Software Selection First Steps: Look Inward First
Rather than taking a chance, consider yourself, your business, and your co-workers. You might have had past success at developing workarounds to resolve little shortfalls in software. The cost wasn’t too high, and the work still got done. There is nothing wrong with this approach and possibly a lot right. The workaround gave someone in your business a successful win. You did not need to pay any additional money to arrive at your satisfactory solution.
The Old ERP & the New ERP
On the other hand, you might want to replace an ERP that your business has used for many years, and although it began as off-the-shelf, you have modified and customized it over the years. Your users are comfortable with the software, and their work gets done well. That legacy system is not available now and can no longer be maintained. Do you want to get another similar system and begin again to modify and customize it?
Software in the Cloud
Today we need to consider the platform in addition to the software itself. In the past, companies bought software and installed it on in-house servers and managed the system internally. However, many ERP systems run in the cloud now.
Cloud-ready software, like SYSPRO or Prophet 21, requires substantially less money up front and the maintenance is provided as a part of the ongoing fee. For many the total cost of ownership is much less than running a system on your own server.
There are several varieties of cloud, beyond cumulus or cirrus. A very common option is a shared system provided by the software company. The software is a single instance and each multi-tenant customer has secured storage for their own data. You set your own configurations and can personalize user interfaces. But little or no customization is available, as that single instance is shared. Integration of other systems might be possible, but automatically updating files or uploading data from another system will be tightly controlled by the software cloud managers.
A second option is single tenancy where you have your own instance of the software in the cloud and your data is similarly secured. Here your options to customize or integrate are a little more flexible, but the ongoing cost is higher.
The third option is to purchase the on-premises version of the software but install it in a cloud server. With this option, the system is yours to customize or integrate as your business needs. But the system is yours so that your business also must manage ongoing maintenance. You have many options related to the software and to the platform.
Consider carefully how your system will work best for your needs and with your style of operating. Only after knowing your own business and its culture and style should you begin a search for your future software.
Compliance acronyms often become the “inside jokes” of an industry, a sort of alphabet soup, but the language of business governance can quickly result in confusion. Clever letter combinations echo the rules and regulations of businesses, especially for companies in manufacturing and distribution. Compliance is a company-wide issue that affects everyone from owner to customer. With that in mind, here are three ways to reduce the stress of compliance management by making the rules of the road everyone’s business:
1. Know the compliance acronyms that affect your business
2. Optimize your ERP for reporting and metrics tracking
3. Bring in experts when compliance involves advanced cybersecurity, data privacy regulation, or highly sensitive record management
Rules and regulations serve to keep your data protected. Here are a few of the most common regulations that govern business data:
GDPR (General Data Protection Regulation)
Information that leaves the European Union must comply with GDPR even in countries that are not part of the EU. With comprehensive regulations for security and privacy in data handling, GDPR essentially protects your company from a security breach. If you draw any traffic from the European Union, you must follow the rules of general data protection regulation (GDPR).
HIPAA (Health Insurance Portability and Accountability Act of 1996)
HIPAA compliance is very common, yet many medical facilities miss important steps necessary to meet the fine print of HIPAA laws. All organizations that interact with medical practices in any way must comply with HIPAA. Health and humans services organizations obviously fall within HIPAA privacy rule, but HIPAA violations are seen across industries as more companies host data subject to these health information laws. Small businesses often fail to comply because of limited in-house expertise, which is why 2021 is moving more and more owners toward partnership with a small business IT provider that offers compliance care.
Here are a few of the types of companies that must process data in ways that comply with HIPAA rules and regulations:
Failure to comply with even a single HIPAA security rule has resulted in fines of 1.5 million for small companies and up to 16 million for large scandals. Large scale security breaches are common, and everyone handling or interacting with the medical industry needs to be ready for a cyber attack. Physical theft, such as mobile device theft, is also common, so in-house strategies must include data protection from employees and other on-site actors such as third-party consultants.
PCI DSS (Payment Card Industry Data Security Standard)
Payment data is sensitive data, and is therefore protected by advanced compliance standards. Fortunately, these regulations demand solutions that benefit all businesses. If you collect credit card information for any reason, you must ensure PCI DSS compliance. All credit card information must be encrypted. Data access must be limited and tracked so that information stays in trusted hands.
Information transmission requires firewall protection, cybersecurity software solutions, and proactive security management. The network must be accessed for vulnerabilities, and all software must stay updated, patched, and in compliance with the PCI DSS regulations. A penetration test is the best way to see if your company is at risk of a data breach.
EstesGroup can help you create a compliance plan for your business. Compliance acronyms abound, but the right IT solution will quickly make the rules and regulations of your industry as simple as saying the alphabet.
Every business has financial compliance requirements from many sources.ERP is your primary tool — helping you prepare the required reports easily, timely, and consistently.
Set up ERP to produce the reporting needed.
The first step toward financial compliance is a complete understanding of what your financial compliance requirements are. There are national requirements such as those from standards boards and, in the US, GAAP, or generally accepted accounting principles, is one. Income taxes and securities exchange reports build on GAAP.
Financial reporting goes well beyond national requirements. States and provinces have their own requirements for any business operating within their boundaries. Other requirements at various local levels can be easy to miss, as they come from cities, counties, regional districts, and an assortment of commissions. These have the force of law behind them and require compliance and reporting. Sales and value-added taxes are in this category along with property taxes. Don’t forget trade unions that want reports of payroll and hours by work categories.
Regulations from this wide variety of sources have a common denominator in the requirement of documented processes to collect data and issue reports consistently.
Understand how data is created in ERP and where it is kept.
Once we determine what reporting is required, we move to figuring out how to get the data needed for those reports. ERP systems are based on finance and accounting and many data elements will be there ready to use. ERP is made up from thousands of tables, and some data will be available, but some effort will be needed to find it and extract it for use.
You might find some required data simply is not built into your ERP, but you already collect it in some other database. Here you might be able to create a user-definable field to store that data within ERP where it can easily be combined with other data from ERP. You might also need to integrate some other system with ERP to make the data available.
Ensure that your accountant is part of your ERP selection and implementation teams. Their role is to understand reporting requirements and make sure the ERP you implement satisfies those requirements.
Document the source of your required data and the processes that develop that data. Develop and save reports you design to collect your data for financial reporting. At the same time, develop reporting to satisfy any future audit requirements from the authorities.
Use ERP to manage the data trail.
Data for your reporting will be a combination of static and dynamic data. The static data largely is field names such as ‘date’ and ‘amount’. Dynamic data is that coming from all of your transactions. Your ERP includes many built-in tools to capture normal transactions like sales invoice amounts and purchase order payment amounts. Your unique ERP configuration settings might modify those built-in tools. For example, you can value inventory as LIFO or FIFO, and that setting will modify your inventory valuation, as well as cost of sales.
Since data is the result of all the transactions performed over time, any steps you can take to reduce errors will enhance the accuracy of your reports. Training, self-validations, and management supervision all help improve accuracy. Another method of improving accuracy is to automate as many repetitive steps as possible. When a transaction is automated, once the coding is complete, the results of the transaction will never vary.
Analyze your ERP data and use it for advantage.
You took advantage of the built-in tools available in ERP and you have automated and secured many of your transactions. Now your accountants are free to analyze. Look carefully at the data collected and check it again. Does it best show the results required by financial compliance? How can you improve the report? Is there a message to your management that was hidden but can help improve your business? These are your data; the data do not belong to the agency requiring compliance.
Build an analytics team and use this team to mine your data, seeking ways to help everyone. Your CFO needs a dashboard that displays all of the key metrics in a way that enables fast, informed decisions. Build dashboards to enhance decision-making at every level where any decision is made.
Report consistently across the globe.
Because the data for all financial compliance reporting comes from or through your ERP data, consistency is always maintained. Much compliance reporting is publicly available so that auditors from one agency can easily verify that consistent data was reported to another agency.
Even where comparisons cannot be made, you know the reporting is consistent. A compliance report filed in France is derived from the same data as a similar report filed in the USA. Only the filters are changed.
Because the reports are centralized and accessible anywhere, the headquarters can run a report intended for a compliance agency anywhere in the world.
Every business has financial compliance requirements. ERP will enable us to meet those requirements without undue burden. At the same time, ERP enables consistent reporting wherever we have requirements and provides tools we can use for our own benefit too.
Are you concerned about more than financial compliance?