Manufacturing and Cybersecurity: Emerging Risks and Leading Strategies

Bob Cedergren, Partner

© Wipfli LLP


Agenda

• Cybersecurity threat landscape
• Business risks
• Top hacker “attack” techniques
• 10 Tips to protect your company
• Compliance Requirements for DoD Contractors
• Tools and resources
• Q&A


Wipfli Firm Foundation

• Founded in 1930 in Wausau, Wisconsin, by Clarence J. Wipfli

• 87-year history of client service

• More than 1,900 associates

• 47 U.S. offices – CA, ID, IL, MN, MT, PA, VA, WA, WI – and two offices in India

• Over 60,000 clients

• Wipfli is ranked in the top 20 among America’s 100 largest public accounting firms


Our Mission: “To contribute to the success of our associates and clients.”


Wipfli Cybersecurity Practice


Comprehensive Governance, Risk, Compliance, and Testing


But What About Manufacturers???

Since 2016, 310 breaches made public affecting 6.5 billion records

Examples:

• ABM Industries (New York, NY) – Hacked 11/17

• Kimberly-Clark (Neenah, WI) – Hacked 11/17

• Pratt Industries (Conyers, GA) – Hacked 5/17

• Northrop Grumman (San Diego, CA) – Hacked 4/17

• And there are more…

Organizations of all types are affected and can be the victims of cyber threats


Business Has Changed


Big Data

Mobile apps

Compliance

BYOD

Outsourcing


Cyber Risk Trends

Big business – More highly skilled hackers (cyber gangs/organized crime) who are financially motivated

Cyber crime is currently outpacing traditional crime in the United Kingdom in terms of impact, spurred on by the rapid pace of technology and criminal cyber capability, according to the UK’s National Crime Agency

• The bad guys are getting better

– Tool kits

– Crimeware as a service


Cyber Risk Trends

New platforms create new cyber attack opportunities

The Internet of Things (IoT)

• Cars

• Smart home devices (e.g., security systems)

• Medical devices (e.g., scanners, insulin pumps, implantable defibrillators)

• Embedded devices (e.g., webcams, Internet phones, routers)


What is Your Gold?

What do you have that someone else may want?

• Supplier list
• Bank account information
• Trade secrets
• Employee listing
• Intellectual property
• Prospect list
• New product release
• M&A information
• New technology

Knowing this is key to implementing a cyber program!


Cybersecurity Business Risks

Damage to Critical Business Relationships: Unauthorized access to client data could be devastating to relationships.

Risk to Operations & Revenue: Operational stability could be impacted by a cyberattack.

Impact of Breach on Growth Strategy: A breach that includes IP roadmap or M&A plans would be expensive, time consuming and may derail growth plans.

Brand & Reputational Risk: Current security posture could be embarrassing to executives and may damage our brand.

Compliance & Regulation: Non-compliance with client and prospect cybersecurity requirements would impact ability to compete.


Email Scams – Phishing Targets


In the last five years, there has been a steady increase in attacks targeting businesses with fewer than 250 employees


Cyber Risk Trends – Business Email Compromise (BEC) Scams

• Attacker targets a senior executive (e.g., CEO, CFO)
• Attacker gains access to victim’s email account or uses a “look-alike” domain to send a message tricking an employee into performing a wire transfer
• Wire transfers are typically $100,000 or higher
• Businesses should adopt two-step or two-factor authentication for email


Cyber Risk Trends – Ransomware Example

• Employee opens email
• Personal files (and data on shared drives) encrypted
• Ransom demand to provide key to decrypt
• Ransom demand increases after 72 hours pass
• Pay in Bitcoin or USD?

Over 4,000 ransomware attacks have occurred daily since January 1, 2016 (300% increase over 2015). Source: FBI


What About Bitcoin?

• Cryptocurrency commonly used to pay ransomware demands
• Must be purchased on an exchange
• Fees about 200 – 300 Bitcoin
• This was ok in the past when the price of one Bitcoin was relatively small
• Closed yesterday (2/28) at $10,747.70 for one Bitcoin
• One year ago, it was $1260.92
• Need to have Bitcoin already purchased to meet the ransomware timeframe
• Does anyone have a Bitcoin account to use for this purpose?


Recommendations for Individuals

• Go to www.equifaxsecurity2017.com and select “Potential Impact” to see whether your data was involved
• Enroll in TrustedID Premier
• Check your credit reports; you can do this by visiting www.annualcreditreport.com or through TrustedID Premier
• Place a fraud alert on your records
• Consider placing a credit freeze
• Consider buying additional fraud protection
• Monitor your bank and credit card accounts closely


Equifax Impact on Businesses

Additional risk for opening accounts and extending credits; additional verification will be required

Job candidates – Stolen identities may be used on job applications, background checks, I-9 verification, etc.

More data protection and breach notification laws and regulation

Higher scrutiny of security controls by clients and prospects


Rising Costs

The total average cost of a data breach was $3.62 million ($141 per record), down 10% from previous year. The size of data breach increased 1.8% to more than 24,000 records. Source: Ponemon 2017 Cost of Data Breach

Cyber crime will cost businesses over $6 trillion by 2021. Source: Cybersecurity Ventures

32% of companies said they were the victims of cyber crime in 2016. Source: PWC Economic Crime Survey 2016.

Average time attackers stay hidden on network is over 140 days. Source: Microsoft


Protect yourself!

• NEVER share your passwords
• Know who you are talking to and authenticate
• Be careful what you share on Facebook and other social media
• Install a firewall
• Anti-virus / Anti-malware
• Patch and Update
• Use Encryption
• Secure websites – https://
• Don’t click on links (or send to others)
• Never download software or programs from unknown sites
• Wireless Security
  – Secure home / organization network
  – NEVER use public network with sensitive information
• Use Strong Passwords (+9 digits, alpha-numeric and special characters) e.g. Br0wnEleph@ntRun


Protect your organization!


Tip 1: Know what you are protecting

• Customer database
• Personally identifiable information (PII)
  – Account information
  – Credit card
  – Driver’s license
• Intellectual property
• Business plans
• Employee records
• Financial information


Tip 2: Practice Good Security Hygiene

• Complex passwords
• Firewall, Anti-virus, Anti-malware
  – Kaspersky Labs – DHS banned (Sept. 2017)
• Backup data
• Patch and update
• Limit administrator rights


Tip 3: Perform Security Assessment or Penetration Test

If your password is your name, you deserve to be hacked.

If your password is 123456, you deserve to be hacked.


Tip 4: Train Your Employees

You have to learn the rules of the game, and then you have to play better than everyone else.

~Albert Einstein~


Tip 5: Develop and Test Response and Continuity Plans


Tip 6: Encrypt Whenever Possible


Tip 7: Manage Mobile Devices


Tip 8: Use Multi-Factor Authentication


Tip 9: Prepare to Respond to Client Requests and Compliance Mandates

• Security policies
• SOC 2 reports
• Due diligence package


Tip 10: Review Cybersecurity Insurance


DFARS Cybersecurity Requirements

All Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017 or risk losing their DoD contracts.

DoD contractors and suppliers (including small manufacturers) must adhere to two basic requirements:

1) Provide adequate security to safeguard covered defense information that resides in or transmits through their internal unclassified information systems from unauthorized access and disclosure; and

2) They must report cyber incidents and cooperate with DoD to respond to these security incidents, including access to affected media and submitting malicious software.


What is Adequate Security?


Full compliance required by December 31, 2017


Implementation Process

Understand Controlled Unclassified Information (CUI).

Conduct NIST MEP Cybersecurity Self-Assessment (see NIST Handbook 162)

Create Plan of Actions & Milestones (POA&M) to implement corrections.

Build cybersecurity into internal processes that includes continuous monitoring and assessment.

Develop and implement a process to identify and report cyber-incidents to the DoD.


Cybersecurity Essentials for Manufacturers


Cybersecurity assessment

Perimeter vulnerability assessment

Internal vulnerability scan

Email phishing/spoof (social engineering)

Employee training and awareness

24/7 incident response and handling

Security policy templates

Monthly Internet perimeter scanning


Cybersecurity Scorecard


• Rapid Assessment

• Result is a Cyber Risk Scorecard

• Provides a baseline

• Leads to discussions on developing a cyber program

• Identifies high-risk areas


Tools and Resources

NIST 800-171
• http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf

Manufacturing Extension Partnership Cybersecurity Resources
• https://www.nist.gov/mep/dfars-cybersecurity-requirements

30 Tips in 30 Days
• https://www.wipfli.com/form-30-tips-signup

Wipfli Cybersecurity: www.wipfli.com/cybersecurity
• Weekly Alerts
• Monthly e-Newsletters / Blogs

Ransomware: Avoiding a Hostage Situation
• https://www.wipfli.com/insights/articles/cons-ransomware-avoiding-a-hostage-situation


Questions


Contact Information

Bob Cedergren, Partner

Wipfli [email protected]


www.wipfli.com