[MCI Magazine] – Cybersecurity before an attack is an investment. Afterwards, it’s an expense

Written by Éric Bérard, journalist with MCI magazine, as part of the magazine’s February/March issue.

The phrase used for the title of this article comes from Toufik Ouaguenouni, cybersecurity account manager at PROMPT.

This organization is mandated by Quebec’s Ministère de l’Économie, de l’Innovation et de l’Énergie (MEIE) to help the Quebec ecosystem create cybersecurity solutions for commercialization, or to help companies acquire cybersecurity certifications.

“Any company in Quebec that wants to respond to a call for tenders will often find that these calls for tenders require an IT security certification, the best known of which is ISO 27001,” explains Mr. Ouaguenouni in an interview with MCI Magazine.

This means that companies without certification risk missing out on business opportunities, particularly with customers in the United States and Europe.

PROMPT finances 50% of the cost of obtaining these certifications, up to a maximum of $350,000.

The organization also supports companies in areas of information technology other than cybersecurity. Examples include a brand-new productivity support program for manufacturing companies and a development program for artificial intelligence and quantum technologies.


Cybersecurity challenges for manufacturers

All business sectors are at risk of being targeted by cyber attacks. The manufacturing sector, however, has to contend with an attack surface that is unique to it.

In the age of Industry 4.0, anything connected to the Internet can be an entry point for a hacker. That could be sensor-equipped robots whose data travels over the network, or even the connected refrigerator in the cafeteria.

“We’re talking about temperature sensors, for example. All these tools are an access point for hackers,” stresses our guest expert.

He advises companies to carry out a complete inventory of their IT estate at least once a year: list every potential point of entry into the IT system, much as a homeowner periodically checks the condition of the roof.

Outdated software on seldom-used computers, where updates are neglected, is another inviting opening for hackers.

Employee training

Employees themselves can represent a risk when they access company systems from personal phones or other outdated devices that are not protected.


Employees who use company workstations to read personal e-mail on webmail services such as Hotmail can also open a breach, even in good faith.

“It’s necessary to train all employees. Not just the technical team, not just the financial team. To make them aware that they have to be careful when using the company’s tools,” says Ouaguenouni.

An employee who clicks on a phishing link and is redirected to a site that looks legitimate but is not may be asked for their password. Once they have entered it, it is already too late.

“The hacker has seen the password, he’s going to use it to get into the back of the company to go and drop off his toolbox and then check the whole network and lock it down with ransomware,” says Ouaguenouni, to underline the need for ongoing staff training.

One way of doing this is to periodically send employees a simulated phishing e-mail, without warning them, and observe how they react to it.

“From there, you’ll see what percentage of employees clicked on the wrong link,” explains the PROMPT spokesperson.

Telecommuting also presents its share of challenges, but it’s manageable. Among other things, the source IP address of a connection can be used to check whether someone is trying to reach the company’s systems from a region where it has no employees. (A VPN or proxy can make an attacker appear to be elsewhere, so geolocation is a useful signal rather than proof.)

“If someone connects from Russia, for example, we’d have to systematically block the traffic or report it,” says Ouaguenouni.

“Social” piracy

As mentioned above, phishing is a fairly well-known technique which, as its name suggests, consists of casting a wide net: fraudulent messages sent to many recipients in the hope that some of them will bite.


A more targeted variant is “spear-phishing”. Here, ill-intentioned individuals aim at a specific person, often a member of management who, by virtue of his or her rank, has access to virtually all of a company’s systems.

Hackers are particularly interested in intellectual property.

“Trade secrets are very important from a manufacturing point of view, because at the end of the day, the value of the company is rarely in the material, but rather in how that material was made,” says the expert, referring to manufacturing secrets and the nature of the materials used.

To work on their targets, hackers often use social networking platforms, extracting information from them once they have become “friends”.

They then circulate fake surveys or fun quizzes that “define your personality”. The victim is asked, for example, what their favorite color is, the name of their dog, a date of birth, their mother’s first name: all details that often turn up in passwords and in the answers to security questions.
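A password check that refuses exactly those quiz answers, as an added example that is not part of the article and not PROMPT’s own tooling. The profile (favorite color, dog’s name, birth date, mother’s first name) and the candidate passwords are constructed; the checker lowercases the password, undoes common letter-to-digit substitutions such as "0" for "o", expands the birth date into the fragments people actually type, and reports which personal terms it finds.

```python
"""Reject passwords built from details a social-engineering quiz would harvest.

Added example, not from the article or PROMPT. PROFILE and the passwords
tried in __main__ are constructed for the demonstration; in practice the
profile would come from the HR record or from the answers the user has
given to security questions.
"""

# Constructed profile: the kind of answers a "personality quiz" collects.
PROFILE = {
    "first_name": "Marc",
    "favorite_color": "blue",
    "dog": "Rex",
    "birth_date": "1987-04-12",
    "mother_first_name": "Louise",
}

# Common substitutions people use to "strengthen" a word (l0uise, r3x, ...).
LEET_MAP = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(text):
    """Lowercase and undo letter-to-digit substitutions."""
    return text.lower().translate(LEET_MAP)


def date_variants(date_str):
    """Expand YYYY-MM-DD into the fragments that end up in passwords."""
    y, m, d = date_str.split("-")
    return {y, y[2:], m + d, d + m, y + m + d, d + m + y, d + m + y[2:]}


def personal_terms(profile):
    """All profile-derived strings worth searching for (3+ characters)."""
    terms = set()
    for key, value in profile.items():
        if key == "birth_date":
            terms |= date_variants(value)
        else:
            terms.add(normalize(value))
    return {t for t in terms if len(t) >= 3}


def contains_personal_info(password, profile):
    """Return the sorted list of profile-derived terms found in the password.

    Both the plain lowercase form and the leet-normalized form are searched,
    so that date digits are still matched literally while 'L0uise' is caught
    as 'louise'. An empty list means the password is clear of personal info.
    """
    forms = {password.lower(), normalize(password)}
    return sorted(t for t in personal_terms(profile) if any(t in f for f in forms))


if __name__ == "__main__":
    for pw in ("Rex1987!", "Blu3_L0uise#9", "correct horse battery staple"):
        hits = contains_personal_info(pw, PROFILE)
        verdict = "REJECT" if hits else "ok"
        print(f"{pw!r}: {verdict} {hits}")
```

"Rex1987!" is rejected because it contains the dog’s name and the birth year, "Blu3_L0uise#9" because, once the digits are read as letters, it contains the favorite color and the mother’s first name; the passphrase passes. A substring test like this is deliberately strict: a dog called "Rex" will also reject any password containing "rex", which is the intended trade-off.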

Costly production stoppages

Once a company has been infiltrated, one of the worst threats comes in the form of ransomware.

As the name suggests, this is software that encrypts a company’s data so that it can no longer be used. The hacker(s) promise to restore access to the computer system only on payment of a ransom, with no guarantee that they will actually do so.

This can lead to production stoppages costing factories fortunes, and all kinds of administrative headaches. For example, the company can no longer communicate with its suppliers or customers normally, it no longer knows the status of its accounts payable and receivable, and so on.

Some will never recover.

“It’s a factor in closing down businesses. There are companies going out of business (there are significant statistics around that) within six months of a ransomware incident,” notes Ouaguenouni.

Do we pay the ransom or not?

Let’s say the damage is done and we’ve been the victim of ransomware. Do we pay the ransom or not to recover our essential data?

Actually, it depends. It’s case by case.

If a company is well enough prepared to have backups from which it can recover its data (backups the attacker could not reach, and that have been tested), and if it has not lost any trade secrets in particular, it can afford not to pay the ransom.

“It’s going to cost it time to rebuild its servers, it’s going to cost it money because it will often have to buy new equipment, but the company’s integrity and survival are not at risk,” says Ouaguenouni.

If a company doesn’t have the capacity or the means to recover its data itself, it may be advisable to call on law enforcement agencies such as the RCMP, or on a law firm that can offer the services of what is known as a “breach coach”.

“It’s time to rely on a professional to give you the steps to follow, because he knows exactly what to do. He knows how to contact the ransom demanders because, in this world, they know each other,” he says of these experts who are used to dealing with criminal groups.

The coach often even knows the attacker group and its modus operandi, including whether it can be “trusted” to restore access once the ransom has been paid.

“Cybersecurity is an investment when it’s upstream. Afterwards, it’s an expense because it’s too late. We’re just going to spend money on financing cyber hackers or renewing machines,” concludes PROMPT’s expert.
