The Cyber Threat: Just a click away
If you look for a single, crucial note of caution in the U.S. Justice Department’s 56-page indictment of Chinese spies for digitally infiltrating America’s steel industry, you’ll find this: Be careful what you click on.
Sure, the Chinese military marshaled enormous technological resources in its alleged campaign to steal secrets from Alcoa, U.S. Steel, the United Steelworkers union and Allegheny Technologies. But the Chinese didn’t have to pick the proverbial lock: Steel executives and lower-level employees did it for them. They did it by opening scam emails made to look like legitimate business correspondence, then downloading files and clicking links that installed spyware and compromised the oodles of expensive security measures their IT departments had put in place. Therein lies a lesson for companies of all sizes in the metals industry or any other, say cybersecurity experts: Take the threat seriously, even if you have no reason to think you’ll be a victim.
Cybercrime against U.S. businesses is rising fast—both in frequency and in cost—as digital criminals, “hacktivists” and nation-states deploy cheap, sophisticated methods of attack to steal money and information or just to wreak havoc. The technology landscape is opening up new channels of attack: employees’ highly vulnerable mobile devices used for work and industrial machines that are remotely monitored, controlled or updated via a network. Though firms are starting to respond with more investment, training and planning, cybercriminals are consistently outsmarting American business.
“The cybersecurity programs of U.S. organizations do not rival the persistence, tactical skills and technological prowess of their potential cyber adversaries,” writes consulting firm PricewaterhouseCoopers (PwC) in a report earlier this year on cybercrime, noting that more than a quarter of U.S. businesses the firm surveyed lost $50,000 or more to cybercrime last year. Some were household names, such as mega-retailer Target, which saw thieves sneak into its electronic invoice system via a back door and make off with data on 40 million customers’ payment cards and personal information on 70 million customers. Vodafone and Adobe Systems notified millions of customers their data had been stolen. Others found themselves in the crosshairs of ideological groups, like the Syrian Electronic Army, which hijacked the Associated Press’ Twitter account to falsely report a bombing at the White House.
The good news: While smaller businesses can’t easily defend against the most sophisticated hackers, they can buy cheap, effective tools like antivirus and firewall software that defeat many nuisance attacks. A host of companies now offer affordable, comprehensive security packages targeted at small and medium-sized businesses. And some crucial cybersecurity solutions are essentially free: putting into place a formal plan for regularly taking stock of digital assets (such as trade secrets and customer lists), keeping data safe by updating technology and performing regular checks for vulnerabilities, and learning from breaches when they happen.
Small Can Mean Vulnerable
For metals suppliers—especially smaller, privately held ones—the notion that foreign spies would target them might seem far-fetched. Yet small and medium-sized businesses are the most vulnerable and are increasingly targeted by crooks hunting for easier marks that can be plugged into the systems of big suppliers or customers.
The portion of confirmed data breaches at companies with fewer than 1,000 employees climbed to 63% last year from 50% in 2009, according to Verizon. Industrial products companies detected twice as many security incidents in 2013 as in 2012, says PwC. Almost half of small firms report having been the victim of a cyberattack, according to the National Small Business Association.
Larry Ponemon, head of the Ponemon Institute, which focuses on cybersecurity research, says that hackers have in recent years shifted attention to new targets as they’ve increased the complexity of attacks. Whereas once they just stole credit card numbers from banks and stores, now they steal trade secrets and operational data from firms of all sizes.
“It’s hard to get into a bank,” says Ponemon. “But a small hundred-person company somewhere in Kansas that’s a machine shop? They may be a very desirable target because they become the mule, they’re the people who do a [joint venture], they do the just-in-time inventory.”
In one example, says Ponemon, a metal fabricator working on a new alloy for larger defense contractors lost a design document to suspected Chinese hackers. The result, says Ponemon: $180 million of research lost for a few million spent by the hackers.
“They’re not necessarily looking at the Boeings,” Ponemon says of the perpetrators of such attacks. “They’re basically focused on getting into the food chain.”
Security Spending Lag
Metals service centers may face an even greater challenge than most small or midsize firms. Manufacturing lags other sectors in security spending despite evidence hackers are targeting it. New technology, like saws that beam info back to their manufacturers, adds to the potential security risk by opening the code that runs machines to a network connection that can be hacked. Then there’s the reluctance to share information about threats or attacks with rivals—something that the White House is pushing industries to do—who might use the information to their advantage. The fact that many business owners and managers view anything IT-related as a cost of doing business, rather than as an investment in their organization, doesn’t help matters.
Lack of Understanding?
“The aging population of the metal service industry really doesn’t understand these concepts well,” says John Bilek, president of Enmark Systems, which provides enterprise software and services to 3,500 clients, mostly small or midsize service centers. Though some customers have suffered attacks in the past, they rarely ask Enmark about security features, which Bilek finds troubling. “They don’t really fully understand their networks.”
As more of the enterprise software that service centers rely on to manage sales, accounting, fulfillment, production and inventory moves from a server locked in a closet to the cloud—remote data centers hosted by providers and accessed via the Web—customers may become even more complacent, says Bilek.
Lawrence Pingree, an analyst at research firm Gartner, says that while software providers are decent at protecting customers’ data, their engineers are more focused on building functional products than dreaming up ways a cyberterrorist could misuse them. “I think a lot of organizations do just what they have to do to comply,” Pingree says. “Their endeavor is not to be the most secure thing out there.”
While relying on vendors makes sense for smaller companies, it shouldn’t lull managers into thinking security is someone else’s responsibility. Peter Doucet, vice president at Invera Inc., which makes the Stratix software that handles inventory, sales fulfillment and production planning for service centers, puts it bluntly: “For the most part, the customers are responsible for their own network security.”
The cybersecurity industry—consultants, software makers, service providers—paints a dire picture, to be sure, but one that is changing as more firms make security a priority and as cybercriminals shift tactics and targets. Security software maker Norton put the total cost of cybercrime worldwide at $113 billion in 2013, up 2.7% from the year earlier.
Don’t Fight Yesterday’s Battles
“Organizations often rely on yesterday’s security strategies to fight a largely ineffectual battle against highly skilled adversaries who leverage the threats and technologies of tomorrow,” writes PwC, noting that more than three-quarters of U.S. organizations it surveyed detected a cybersecurity event in the last year.
Industrial firms are increasingly targeted, too. PwC says the sector saw the average number of security incidents more than double last year, with average costs related to those incidents up 64%, compared with a 25% increase in incidents and 18% rise in costs for firms overall. Networking hardware maker Cisco points out that malware is now directed at electronics manufacturing and mining at six times the average encounter rate for other industries.
Fearful of digital attacks on national infrastructure such as power grids and critical industries, the Obama administration has been pushing government and industry to take steps to better cope with the online crime spree. In early 2013 the White House issued an executive order telling federal agencies to do a better job sharing information on cyber threats with the private sector. This February, the government laid out a standard framework for businesses in critical industries to build cybersecurity programs. The guidelines, which include steps such as including security requirements in contracts with suppliers, testing networks for vulnerabilities and conducting regular security audits, are voluntary. Attempts to impose mandatory security measures have run into opposition in the past: For example, a Senate bill that would have given the government a green light to regulate cybersecurity in critical industries such as energy fell to a Republican-led filibuster in 2012 after the U.S. Chamber of Commerce denounced the proposed regulations as excessive government interference.
Still, efforts to raise awareness—and high-profile heists like the one that hit Target last December—are having an effect. Nearly half of companies surveyed by Carnegie Mellon University in 2012 had board committees tasked with ensuring data privacy and more than two-thirds had established teams to deal with security issues, both up dramatically from 2008.
Getting the Message
North American spending on cybersecurity services is slated to grow 17% each year through 2017, according to Gartner. Firms spent around 5% of their IT budgets on security last year, about a fifth more than they did in 2011. That investment, however, conceals disparities between industries: Insurers and utilities spent the most, while manufacturers and retailers spent the least.
Hacking? Let Me Count the Ways
How do hackers break in? Many ways, and in myriad combinations, making it difficult to find patterns in what little data companies report about security lapses. But an annual study by Verizon blamed cyber espionage conducted by nation-states and denial-of-service attacks—where a company’s website crashes under a flood of bogus hits—for more than half of incidents in manufacturing. These and non-espionage hacks (some 25%) may involve exploiting vulnerabilities in software that hasn’t been updated or deploying specially designed malware. Employees making mistakes or acting maliciously make up most of the balance.
Ponemon divides up data breaches in a different way: Hackers claim a 37% share, human factors such as employees mishandling data take 35% and system glitches that leave data vulnerable to attacks are 29%. Random attacks, like malware that organized crime uses to steal bank account info or hijack computers to send spam, are still prevalent. But more targeted attacks are taking the lion’s share of costs, and those often involve tricking people into giving thieves access.
“A lot of the bad guys rely on the fact that good people in companies do stupid things,” Ponemon says. “They don’t use a secure password, they don’t change their password. They move information on a USB stick to a home computer, they use public cloud services to share confidential business information.”
Such was the case at America’s steel giants when spies allegedly targeted them starting in 2006. According to the federal indictment released in May, five hackers from a special signals intelligence unit of the Chinese military engaged in what tech geeks call spearphishing: taking aim at a specific person at the target company, gathering information about them online—from social media, for example—and sending messages designed to fool them into compromising their employer’s data.
While the hackers’ methods were sophisticated, their means of entry was devilishly simple: emails designed to look like they came from colleagues encouraged the recipient to open an attached file or click on a link. Either action installed malware giving spies entry into the recipient’s computer, from which they were able to access emails, documents and network information.
The Attacks on U.S. Steel and Alcoa
At U.S. Steel, some employees received an email purporting to be from the company’s CEO and containing a link that installed malware. Others, including the CEO, got an email titled “US Steel Industry Outlook.” Senior Alcoa employees received an email that looked as if it came from a member of the aluminum company’s board—though Nissan CEO Carlos Ghosn’s name was obviously misspelled—and contained an attachment disguised as the agenda of the annual shareholder meeting. Ingenious? The files these employees opened would have given your average teenager pause. But phishing scams work like marketing campaigns—send enough to the right group and someone will open it.
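As an added illustration (not from the article or the indictment), here is the kind of check a mail gateway or help-desk script can apply to lures like the ones described above: it flags a message whose display name exactly or nearly matches a known executive (the misspelled board member's name is the instructive case) while the sender address sits outside the company's domain and the message carries a link or attachment. The executive roster, company domain and sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed roster for the example: a hypothetical company domain and the
# two kinds of names the article's lures borrowed (a CEO and a board member).
COMPANY_DOMAIN = "example-steel.test"
EXECUTIVES = ["Jane Doe", "Carlos Ghosn"]


def edit_distance(a, b):
    """Levenshtein distance, so a near-miss spelling of a known name still matches."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(raw_message):
    """Return the reasons a message looks like executive impersonation (empty if none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    for exec_name in EXECUTIVES:
        dist = edit_distance(name.lower(), exec_name.lower())
        if dist <= 2 and domain != COMPANY_DOMAIN:
            kind = "exact" if dist == 0 else "misspelled"
            reasons.append(f"{kind} executive name '{name}' from outside domain '{domain}'")
    if not reasons:
        return []
    # A lure needs a payload the recipient is asked to act on: a link or a file.
    body = "".join(part.get_payload(decode=True).decode("utf-8", "replace")
                   for part in msg.walk() if part.get_content_type() == "text/plain")
    if any(part.get_filename() for part in msg.walk()):
        reasons.append("carries an attachment")
    elif re.search(r"https?://", body):
        reasons.append("asks the recipient to follow a link")
    return reasons


# Constructed messages: a board-member lookalike lure and a genuine internal note.
LURE = ("From: Carlos Gohsn <board.agenda@mail-example.test>\n"
        "Subject: Annual shareholder meeting agenda\n\n"
        "Please review the agenda at http://agenda.mail-example.test/2014\n")
LEGIT = ("From: Jane Doe <jane.doe@example-steel.test>\n"
         "Subject: Quarterly update\n\nNumbers to follow next week.\n")
```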
“The truth of the matter is cyber threats cannot be addressed by the public alone or the government alone,” says Justice Department spokesman Marc Raimondi, pointing out that companies have traditionally been reluctant to report these types of crimes to investigators. Allegheny and United Steelworkers declined to comment on the indictments. U.S. Steel and Alcoa didn’t return calls.
For Micky Tschirhart, vice president at Scion Steel in Warren, Michigan, the espionage allegations came as a shock. “We thought our industry wasn’t high-profile or strategic enough in the way of cybersecurity to become a target,” he says.
Turning 30 this year, Scion ranks toward the bottom of the largest 100 U.S. service centers by volume and has no IT staff in-house. The firm does not budget specifically for cybersecurity but instead outsources its enterprise systems to Enmark, including standard protections like those that segregate which employees can access certain information. But Tschirhart notes that his firm can be given credentials to view the inventory of nearby steel mills online.
“The vulnerability points of this industry are much greater than any of us executives ever realized,” he says. “That’s what concerns me as the business owner.”
What can smaller firms do? Prioritize, for starters, says Gartner’s Pingree. The new government cybersecurity guidelines are intended for large public companies, not local or regional companies with a handful of tech staff. “Think about it this way: You and I don’t have the resources to possibly stop a state actor if they wanted to get into you,” Pingree says. “We really should be less focused on foreign intelligence agencies and more focused on the real threat, which in my eyes is the advanced fraudsters.”
Though much of the advice (like adding a C-level executive for IT security) from big consulting firms and cyber experts is aimed at mega-enterprises, there are other, practical steps any business can take: Inventory data assets such as intellectual property, identify the most likely risks, put into place a mechanism for rigorously updating software and create an emergency plan should a breach occur. Ponemon favors security training for employees in sensitive positions or departments. The training essentially attempts to fool employees the way a bad guy would—with a scam email, for example—and scores everyone’s performance, then starts with the workers who did worst.
For metals companies that do large transactions, financial personnel might well be the biggest target for thieves, Pingree says. He recommends that small firms consult specialists and opt for a security solution called unified threat management (UTM), a suite of products that protects various aspects of a company’s network without breaking the bank. Dell and Cisco both have UTM offerings, as do specialty players. Big telecoms and software resellers also have their own products, Pingree says.
“You could spend yourself into oblivion with security technologies,” he adds. “You want to deploy reasonable technologies that are able to reduce your risk to an acceptable level.”
Peter C. Beller is a Los Angeles-based business journalist and editorial director at Ebyline.com. A former staff writer for Forbes and MarketWatch, Peter’s reporting has appeared in The New York Times, New York magazine, the Jerusalem Post and elsewhere.