Cybersecurity and Your Forge
LEGAL EASE ... Forging and the Law
When the topic of cybersecurity comes up, many of you might ask why we should consider it. You might think that your forging operation is not a tech company, so why worry about cybersecurity?
In our increasingly data-driven world, nearly every company is a tech company by default. Your forge may have already been a target for “phishing” schemes via e-mails that lure employees into unwittingly opening infected files, possibly allowing worms or viruses to enter your business computer network.
More sophisticated “spear phishing” schemes have been found to mimic typical communications that we receive on a regular basis and are quite familiar to us. For example, some attacks look very similar to a request to complete a wire transfer from a familiar bank. The e-mail address of the sender can also be familiar to the target, but perhaps one letter in that e-mail address has been changed or is missing. An otherwise responsible employee might quickly read the e-mail request and then comply with the familiar directions, not noticing that one or two small details are different from the normal e-mail request. In these instances, employee education and awareness can help prevent a good bit of nefarious activity and act as a barrier to those wishing to gain access to your computer systems and processes.
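A sender address that differs from a familiar one by a single changed or missing letter can also be flagged automatically before anyone acts on the request. The sketch below is an added example, not part of the original column; the contact list, sample headers and function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allowlist: contacts who legitimately send payment requests.
KNOWN_SENDERS = frozenset({
    "wires@firstforgebank.example",
    "ap@steelsupplier.example",
})

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insert, delete or substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # drop a letter
                           cur[j - 1] + 1,              # add a letter
                           prev[j - 1] + (ca != cb)))   # change a letter
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, known=KNOWN_SENDERS, max_distance=1):
    """Return (verdict, matched_contact) for a raw From: header value."""
    _display_name, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    if "@" not in addr:
        return ("unparseable", None)
    if addr in known:
        return ("known", addr)
    # Not an exact match: is it within one edit of a real contact?
    for good in sorted(known):
        if 0 < edit_distance(addr, good) <= max_distance:
            return ("lookalike", good)   # hold for manual verification
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample headers, not taken from real mail.
    samples = [
        "First Forge Bank <wires@firstforgebank.example>",   # genuine
        "First Forge Bank <wires@firstforgebnk.example>",    # letter missing
        "First Forge Bank <wires@firstf0rgebank.example>",   # letter changed
        "Trade Show News <news@tradeshow.example>",          # unrelated
    ]
    for header in samples:
        print(classify_sender(header), "<-", header)
```

A "lookalike" verdict is the case worth routing to a person, who confirms the request by phone using a number already on file rather than one given in the e-mail.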
Other areas also deserve consideration for cybersecurity protection, and these areas often do not require participation from staff members within your operation. Think about some of the electronic information that may be located on your servers or is otherwise within your control. This covers data stored during your manufacturing process, which includes information about particular production runs or individual forgings, operating schedules, standard operating procedures (SOPs), engineering data regarding alloy formulations, 3D models of molds, etc. This data can be valuable to others, or sometimes others simply want to be malicious and destroy the data that you control. Each forging operation should take steps to assess potential infiltration points and then control access to business servers and computer systems as needed.
We also need to consider the gold mine of data that is often searched for and illegally taken from many computer systems: personal data. Consider whether your servers or other computer systems store data such as Social Security numbers, payroll information, birth dates, health conditions, etc. Human-resources files can be a significant prize for hackers, and we need to consider as many potential modes of attack as we can in order to help prevent personal data being taken and used for nefarious purposes.
As an example, a big-box retailer within the last few years was subject to a cyber-attack that enabled outside parties to gain access to credit card and debit card information of customers. In the scheme, an electronic device infected the point-of-sale card readers and then sent the information to an outside computer.
How did the card readers get corrupted? It appears as though the big-box retailer has automated, electronic billing procedures with its vendors. One vendor, an HVAC contractor, was infected, and the electronic device, or bug, made its way through the automated billing system to the retailer. Neither the HVAC contractor nor the retailer had an adequate automated gatekeeper within the billing system to prevent the electronic bug from transferring itself into the retailer’s computer system.
From the retailer’s computer system, the electronic bug was able to install itself on the point-of-sale card readers at many, if not all, of the retailer’s locations. From that time until discovery of the problem, the offending electronic bug was able to read each card used to purchase goods and transmit that information to an outside computer.
In hindsight, prevention of and solutions to the problem seem obvious, but it can be difficult to pinpoint each potential entry site for computer worms and viruses in our increasingly interconnected electronic world. The point is that we don’t want our forges to be the first link in a chain of electronic infestations that make their way up and down a supply chain. We should consider how our electronic data and information can be susceptible to infection and tampering in order to protect ourselves and others. Proactive steps now can prevent potential damage and embarrassment down the road.
It is a good idea to consult a trusted IT specialist or even an attorney who is experienced in cybersecurity issues to determine how best to protect your operations from these attacks. Some IT professionals can even provide a standard list of concern areas that you can use for your forge and provide to your vendors and customers. However, please keep in mind that a standard list provided to a vendor might provide little return information. It might be best to tailor the list to particular concerns to be considerate of your business associates’ time and efforts.