How to reduce the risk of cyberattacks – 10 tips for manufacturing companies
The number of cyberattacks is increasing every year and threat actors are constantly looking for weaknesses in systems and practices. For manufacturing companies, disruptions are not only an IT problem – they affect production, delivery times, quality and ultimately customer relationships.
What are the biggest security risks and what can companies do to become more resilient? Here we delve into the subject with Max Dahlberg Sälldin, IT technician at Monitor ERP.
Brief summary
Nowadays cyberattacks pose a real threat to production, delivery capacity and the long-term competitiveness of businesses. But with clear structures, awareness and shared responsibility, manufacturing companies can protect themselves against attacks.
The following 10 tips will help you reduce the risks:
- Train staff to recognize phishing attempts.
- Keep operating systems and applications up to date.
- Use multi-factor authentication (MFA) on all user accounts where possible.
- Install and maintain reliable antimalware protection (EDR/XDR).
- Ensure isolated and functioning backups.
- Implement strict access control.
- Use a company portal to collect all approved applications.
- Establish a clear IT policy and guidelines for AI use.
- Make business plans regarding continuity and recovery in case of incidents.
- Create a business culture where everyone wants and dares to take responsibility for IT security.
Train staff on phishing
Phishing, where fraudsters pretend to be a trusted actor to acquire sensitive information, is the most common form of cyberattack. The methods vary between e-mail, SMS and phone calls and are becoming increasingly sophisticated. However, e-mail phishing is still the most common method. Opening the wrong kind of e-mail or link can have far greater consequences than a single office computer crash. In the worst-case scenario, an attacker can gain access to entire company networks and affect production systems. The human factor is more difficult to defend against than other types of data breaches.
"Stress or lack of experience can increase the risk of clicking on something you shouldn't. Unfortunately, this is something that can happen to anyone, even someone with years of experience in the IT department," says Max.
It is possible to filter out many of the phishing e-mails, but the filters do not catch everything. Being able to stop and see the warning signs is important.
"Does this person usually contact me? What do they want, and is it reasonable? There are a number of red flags that you can spot if you know what to look for."
To be able to recognize the warning signs and understand the risks, training is key. Training can be provided at different levels of intensity and difficulty, for example through simulated phishing e-mails sent to all employees.
Manage updates and maintenance
Phishing e-mails are often the reason behind a company being hit by so-called ransomware attacks – where malware locks a user's files or systems through encryption. The attacker then often demands a ransom for the company to regain control of its files/systems. The advice from authorities and experts is never to pay such a ransom. Either way, the consequences for the individual company can be significant. In addition to data loss if the ransom is not paid, ransomware can have serious financial consequences due to downtime and production interruptions. In addition, customer and public confidence can be severely damaged. Threat actors actively look for companies that have not patched their systems to the latest version and therefore have known vulnerabilities in their software.
Therefore, to protect against ransomware attacks, it is important that software and operating systems are up to date, but also that a reliable and up-to-date anti-malware system (EDR/XDR) is in place. EDR (Endpoint Detection and Response) is a security system that monitors and analyzes activities on clients and servers. XDR (Extended Detection and Response) builds on EDR but collects and correlates data from multiple parts of the IT environment, such as endpoints, identities, networks, e-mail and cloud services.
"The purpose of these systems is to get a comprehensive picture of threats across the entire IT environment, detect attacks that are otherwise difficult to see and automate responses across multiple systems simultaneously."
Multi-factor authentication on all user accounts where possible
Max highlights multi-factor authentication on all user accounts as a priority action for all businesses. There are several authentication methods to choose from. The recommended solution is an authenticator app that generates time-based one-time passwords, or approval via real-time push notifications, rather than sending out codes via SMS or e-mail. With an authenticator app, an attacker has to gain control of the pre-configured device to access that account. With the computational power of today's computers, using just a password is too fragile. A 10-character password takes only a few minutes for an attacker to crack.
"Most of the time, the attacker will also have ready-made lists of commonly used passwords that they try out first. Passwords need to be longer and contain both upper and lower case letters, numbers and special characters to be secure enough. If you also have multi-factor authentication on top of that, you get pretty far," Max explains.
Control over backups
Having control over your backups is also an important element. There should be at least one backup that is isolated from the production environment, so that in the event of a successful intrusion the backups cannot be encrypted as well, which would prevent recovery of the system. This is also where the question of the advantages of a cloud solution compared to a local installation (on-premise solution) comes in. With a cloud solution, the company does not have to manage its own servers, updates and backups. A reliable cloud provider offers a high level of availability, threat monitoring and data encryption.
With an on-prem installation, this responsibility lies with the company. Having full control over your hardware can be seen as an advantage, but it requires you to have all the necessary IT skills in-house. Unexpected expenses for operation or maintenance may also arise.
"If there is an interruption in services, it may take some time to repair. You may need to order spare parts that take a long time to deliver if something breaks, or hire the expertise needed to solve the problems. This is often a cost that is outside the budget and it can be small or very large."
Work with strict access control
Max says that many companies can improve by using so-called authorization management (the zero trust model and the principle of least privilege). Zero trust is a security strategy based on the principle "never trust, always verify". No device, user or application should be trusted – whether inside or outside the network. All access to company IT resources should require identification and strong authentication. The principle of least privilege means that users, systems and applications should only have the rights necessary to perform their tasks. This reduces the risk of mistakes, misuse and damage in the event of a breach.
"In general, many companies assign too many permissions. They may not know exactly what each user does and just assign the highest permissions because that's the easiest thing to do," says Max.
Another tip is to use a company portal where you can collect all applications that are approved for an employee to install.
Establish an IT policy
According to Max, the most cost-effective security measure is clearly to have a well-developed IT policy. An IT policy gives all employees control over how company devices and services can be used. Among other things, the policy should regulate password management, the use of company computers and the installation of software. At the same time, it is crucial that the policy is not so rigid that staff start trying to circumvent it. The balance between security and ease of use must work, otherwise you risk creating more problems.
"Try to be responsive and find solutions in consultation with staff rather than banning everything outright. But in the end, it's the risk analysis that determines what you regulate and what you don't," says Max.
Keep production running with a business continuity plan
It is also important to establish a business continuity and recovery plan. The aim is to ensure that production can be kept running during a malfunction or attack, and that all technology can be restored after an interruption. The plan should mention, for example, which systems are critical, how they should be prioritized and who is responsible for what.
"Time is of the essence when limiting the damage of an attack. The business continuity plan ensures that you are prepared and not left in the lurch when something does happen."
Draw up guidelines for AI use
As the use of generative AI tools has exploded, new data exposure risks have also emerged. With so many different services on the market, it is not uncommon for employees to use AI tools without the company's or IT department's knowledge or approval (so-called shadow AI). The problem with this is that public AI tools save and train on the data you input, which can have major consequences if, for example, it is source code or other confidential information that is uploaded.
"You need to be very clear about what employees can and cannot do. It needs to be made clear through an AI policy and training what services are allowed to be used and what kind of information cannot be shared."
Create a culture where everyone wants and dares to take responsibility for IT security
Max says that there can be a certain distance between the IT department and other departments in a company. It's easy to think that IT is in control and responsible for everything related to security. Employees may also be reluctant to report mistakes they have made related to IT security for fear of repercussions.
"Make sure to encourage and not blame anyone who reports a deviation or incident. If employees feel comfortable reporting, more incidents will be detected and prevented."
The actual process of deviation and incident reporting needs to be simple. For example, there could be a button to report phishing directly in the e-mail client. An employee who reports should be able to expect quick initial feedback on their case. It therefore needs to be clear who is the recipient and owner of the issue.
Use the reports to learn more about IT security. They can be used for analysis that can lead to improvements of systems and processes. Such improvements should be shared with everyone in the company as an example of how a deviation or incident report has made the company a little safer.
About Max Dahlberg Sälldin:
Max Dahlberg Sälldin is a team leader in Monitor ERP's IT department and has more than 10 years of experience in IT security. In his role as team leader, Max works daily to develop the support function for Monitor ERP's cloud solution.
FAQ on IT security
What is phishing and why is it such a threat to businesses?
Phishing involves a fraudster pretending to be a trustworthy actor in order to acquire sensitive information. The methods vary between e-mail, SMS and phone calls and are becoming increasingly sophisticated. However, e-mail phishing remains the most common method.
Opening the wrong kind of e-mail or link can have far greater consequences than a single office computer going down. In the worst-case scenario, an attacker can gain access to entire corporate networks and affect production systems. The human factor is more difficult to defend against than other types of data breaches.
Why should businesses use multi-factor authentication (MFA) and which authentication method is most secure?
With the computational power of today's computers, using a password alone is too fragile. The recommended authentication method is an authenticator app that generates time-based one-time passwords, or approval via real-time push notifications, rather than sending out codes via SMS or e-mail.
What are the advantages of cloud solutions compared to on-premise installations?
The advantages of a cloud solution over an on-premise installation are that you don't have to manage your own servers, updates and backups. A reliable cloud provider offers a high level of availability, threat monitoring and data encryption.
With an on-prem installation, the company is responsible for all this itself.
Why is it important to isolate the backups from the production environment?
If an attacker succeeds in an intrusion attempt, it is important that at least one backup is isolated from the production environment, so that the backups cannot also be encrypted, which would prevent recovery.
Why is it important to have clear guidelines on AI use?
With so many different AI services on the market, it is not uncommon for employees to use AI tools without the knowledge or approval of the company or IT department. The problem with this is that public AI tools save and train on the data you input, which can have major consequences if, for example, it is source code or other confidential information that is uploaded. AI policies and training need to clarify which services are approved for use and what type of information cannot be shared.
How to create a safe and effective culture for reporting deviations and incidents?
Employees may be reluctant to report IT security-related mistakes for fear of repercussions. Therefore, make sure to encourage and not blame anyone who makes a deviation or incident report at an early stage. If employees feel comfortable in reporting, more incidents will be detected and prevented.
The actual process for reporting deviations and incidents needs to be simple. An employee who reports should be able to expect quick initial feedback on their case. It therefore needs to be clear who is the recipient and owner of the issue.