To close week one of our Cybersecurity – Identity and Access Management series, we look at some quick, easy ways manufacturers can improve their security, as well as the commercial benefits attached to lifting “cyber fitness”. Brent Balinski speaks to Susie Jones, founder of small and micro-business specialist Cynch Security.
It’s sometimes said that cybercriminals use a “spray and pray” approach. A phishing scheme, for example, might fool a certain proportion of recipients; the more dodgy emails they send, the more password, credit card or other details they’ll get back in return.
For these and other more sophisticated attacks, most of the time the targeting is indiscriminate: big or small business is not the issue.
“Most of the time the attackers are attacking the technology. Most of the time it’s nothing personal. They literally do not care who’s on the other end of the computer,” Susie Jones, co-founder and CEO of Cynch Security, tells @AuManufacturing.
“They just care that you’ve got something that they want and they’ll take it.”
That said, a smaller manufacturer in the defence industry, and one which might be perceived as a weak link in the supply chain, may well be actively targeted.
“They are working with primes, and the more of those sorts of contracts that a small business gets, the bigger the target there is on their back. Because it’s not just the spray and pray, but also the very sophisticated attackers who are very good at their job,” she adds.
“They’re well-funded and they will find out what they need to find out if you let them.”
With the federal government increasing its defence spending, as well as the role of Australian industry in this, more opportunities exist for current and would-be suppliers.
There is also a move underway to improve would-be suppliers’ appreciation of cybersecurity. At the launch of the Working Securely with Defence guide early last year, the department gave a figure of 40 per cent for small and medium-sized enterprises that applied for work but failed to meet the necessary cybersecurity standards.
Jones’s company is part of efforts to bring SMEs up to these standards, and was part of two pilot programs for defence suppliers last year. The first involved five SMEs and the second 50. The second was delivered with the Queensland and SA state governments and AustCyber’s nodes in those states.
According to Jones, there were two areas where many participants could easily be made more secure. These were multi-factor authentication (which generally combines something you know, something you have and something you are, as the government’s Small Business Cyber Security Guide explains it) and having a documented response plan.
“[MFA] can be a really, really effective way – even if your password is compromised, then if they don’t have access to your phone as well then they can’t access it. So that was certainly something that was low-hanging fruit for many of the participants,” recalls Jones.
“[And] we were able to help them quickly develop a plan so that if the proverbial does hit the fan, they know who to call, they know what to do, they know who is responsible for what. And they had that printed out on a bit of paper so that they don’t have to try and access it on the computer that’s just been locked up from ransomware.”
Jones’s company, which launched in late 2018, is itself a small business, with a focus on small (under 20 people) and micro (under five) enterprises. More recently, this has taken in the role of smaller companies supplying large corporates. This combines SaaS solutions for the smaller companies to increase “cyber fitness” with aggregated (and anonymised) information from suppliers, presented to the larger business to help it understand risk in its supply chain.
There is a need for smaller businesses to be more front-footed on cybersecurity, according to Cynch, as well as opportunities attached to this.
According to the 2021 State of Cyber Fitness in Australian small businesses, written in collaboration with Cynch, RMIT, Deakin University and AustCyber, two-fifths of respondents had experience of a cybersecurity incident. This was also the main motivator for companies to consider their risk.
So what do SMEs need to do, particularly to be good enough to break into the supply chains of multinationals? Focus on the “Essential Eight”? Meet the right ISO standard? Or work to those of the particular country the potential buyer is based in?
It takes time figuring out exactly which to apply, says Jones, but “the answer is essentially ‘yes, all of the above’,” and a supplier will struggle to be considered without the right accreditation.
“That might be ISO 27001. It might be one of the international standards. Certainly out of The States, there’s a lot of pressure for businesses, no matter what their size, if they’re involved in a supply chain at all, to be meeting the Cybersecurity Maturity Model Certification,” she says.
“And that is no small undertaking for a small business. It is a very large overhead for them to be able to demonstrate that they meet CMMC. But that’s the reality: if you want a piece of the defence pie, you really do need to start working towards all of these different standards and accreditations and really being able to show that you deserve the contract.”