In the second-last day of our Cybersecurity – Identity and Access Management series, Chris Bridges-Taylor shares B&R Enclosures’ cyber story.
B&R Enclosures is an Australian family-owned manufacturing business in operation for over 65 years, now running offices in every state and in several international locations.
Like many Australian manufacturers, B&R is driven to become more globally competitive, and for the past five years the organisation has been on an Industry 4.0 journey. Today, most areas of our factories are linked and along with global digital connectivity, B&R achieves flexibility and transparency in decision making and services its diverse markets with integrated systems that support continuous improvement.
Conservative by nature, B&R has historically used sound practices and experience to mitigate risks in general, and in the digital environment, but we were caught off-guard when falling victim to cyber-crime. We thought the business was reasonably prepared, and considering we’re a small enterprise by world standards, we didn’t anticipate being a target of a sophisticated attack.
Fifteen months on, we look back and recognise how unprepared we were for the sheer force and complexity of the 2020 ransomware attack.
Australian cyber safety
Throughout 2021, in the year following our attack, $323.7 million was reported in scam losses, according to the Australian Competition and Consumer Commissions (ACCC) Scamwatch data. The data also revealed the ACCC received around 287,000 reports that same year.
These stats should be startling, but aren’t once you start to learn about the world of cybercrime.
Soon after the attack, I learned that cybercrime has become ‘industrial’ in both scale and operation. For the criminals, hacking is ‘just business’. That makes being hacked a real, ubiquitous threat to enterprises everywhere. Regrettably, it is the new reality that Australian manufacturers of all sizes now operate in.
The 2020 cyber-attack on B&R impacted our processes, communication, and information systems overnight. The ‘threat actors’ infiltrated our defences, disrupted operations across the board, and forced the operation back to manual, often paper-based systems. In the absence of a formal plan, our leadership team moved to a mode learned from dealing with other types of business interruption over our long history of working with technology. Even so, no prior event in our company’s history has been as long or demanding as this attack.
First up, key people came together to handle the incident and to collectively understand the situation so we could coordinate appropriate steps for every stage in the months of recovery that followed. During the first week, the senior team re-prioritised resources and engaged all teams to focus on employee care, customer experience and plans to safely rebuild affected systems – things that would in hindsight be much easier had we anticipated this scenario and prepared a Cyber Event Recovery Plan.
As well as input from the organisation’s insurer, B&R reached out for third party support from organisations specialised in this area to gain direction on technical, legal and governance issues. This way, we ensured the business remained operational while, at the same time, had capacity to handle the incident and work on the systems recovery mission.
B&R Enclosures quickly got back to ‘business-almost-as-usual’ thanks to an agile approach and first-class teamwork across the business. Our experienced team modified processes and adapted to new, albeit temporary, ways of working.
Connect and communicate
Internal communication is very important in managing and recovering from these events. Crucial elements include updating employees and establishing milestones to manage expectations, changes in processes, system updates, safety protocols and steps to limit the impact of future attacks. Communication with external stakeholders including suppliers and customers was also essential: B&R took a multichannel personal approach advising them of the event’s impact.
Maintain Customer Focus
The lifeblood of every business is its ability to provide goods or services, whether it’s B2B or B2C. B&R’s ability to receive and process orders and respond to queries was a paramount objective in the days after the attack. Safe, interim systems were quickly put in place to give time for rebuilding permanent systems and adopting extra cyber safety measures.
Rebuild system safety
Rebuilding with extra cyber safety measures needs to be a priority. Having good relationships with your technical suppliers and platform providers helps. Learning how to mitigate both current and emerging cyber risks meant that B&R’s system reconstruction and cybersecurity investment strategy had to be well thought out. This is where the advice of experts is invaluable to guide putting in place security information and event management (SIEM) services, investing in dedicated cyber security staff, and training and designing systems for rapid recovery.
Through unwelcome ‘real-world’ experience, the B&R Board has developed a deeper understanding of cyber security risk and strategic management. Cyber risk management is the same as other business-wide “digital” strategies in that it is not a job purely for the IT department. Similar to health and safety, creating a “cyber safety system of work” needs the Board and executive team to invest and drive strategic initiatives that deliver systems and operational practices that are both functional and cyber safe.
It was cold comfort for us at B&R to discover that cyberattacks “just like ours” were happening “not infrequently” right here in Australia. How different would our experience have been if we knew then what we know now. If we had understood the evolving cyber landscape and how common attacks were becoming, we would have been better equipped. There is no doubt much of the enormous heartache, cost and herculean effort to recover and rebuild we incurred would have been spared.
Today, B&R actively seeks information about the changing cyber landscape, who can help, support and guide our continuous investment in technology, services, people and practices. As an advanced manufacturer, it is an ongoing challenge that we have embraced throughout the business. Everyone has a role in cyber security.
When I speak with other businesses about our journey and about cyber risk, I reflect on how challenging it is to make time to develop a meaningful, practical approach to being cyber-safe. Life running a business is already a busy place, especially if you are an SME manufacturer. By choosing to be transparent with our experiences, the team at B&R hope we motivate our peers to make time to learn about this world of cyber security so that our sector prospers and is prepared to meet one of the biggest business risks of operating in our modern digital world.
Thankfully, there are a growing of networks, from government and NGOs, set up to engage with businesses, eager to help and provide information and guidance, including ARM Hub, AusCert and Australian Cyber Security Centre
An essential first step of any business leader taking on a new challenge is to be informed and engaging with a local cyber-security network is a good way to start.
Chris Bridges-Taylor is Executive Director at B&R Enclosures.
Subscribe to our free @AuManufacturing newsletter here.