Small-to-mid-sized manufacturers face a long list of challenges. From supply chain snarls to the rising cost of raw materials, there is no shortage of things to keep business owners up at night.
Perhaps the most worrisome, though, is the growing frequency of cyber attacks. The FBI’s latest Internet Crime Report puts the cost of domestic cybercrime at $2.7 billion in 2020 alone. While the world was hunkered down to ride out the pandemic, it seems hackers were stepping up their attacks.
Small businesses are particularly attractive targets. Not only do they have much of the sensitive information cybercriminals want, but they often lack the security infrastructure and expertise of their larger counterparts.
It’s not a matter of ignorance, either; the SBA reports that 88% of small business owners believe they are vulnerable to cyber attacks, but few can afford professional IT solutions, and others have limited bandwidth to address cybersecurity or don’t know where to begin.
Malicious software (more commonly known as malware) is software intentionally designed to cause damage to a computer, server, client or network. Some common examples include:
Viruses are programs intended to spread between connected devices or within a network. In most cases, they are designed to give cyber criminals access to your device or information. Sometimes, they’ll just utilize your computer for profit in the background, never making themselves known!
Just as the name implies, once ransomware infects your device, it restricts access to that device until a ransom is paid. Ransomware often exploits unpatched software vulnerabilities and has become a hacker favorite over the past couple of years, crippling many businesses from tiny shops to infrastructure giants.
Phishing attacks use email or malicious websites to infect your computer or gather sensitive information. Phishing emails often appear as though they’ve come from a legitimate organization or known individual and entice users to click on a link or open an attachment containing malware. Phishing attacks are increasingly convincing, and one click is all it takes.
With the increasing concern about cyber attacks, manufacturers with contracts from the Department of Defense (DoD), General Services Administration (GSA), NASA, and the Department of Energy (DOE) must be compliant with defined cybersecurity requirements to protect Controlled Unclassified Information per NIST SP 800-171, or they risk losing contracts.
To help Vermont manufacturers deal with the growing threat of cybercrime, VMEC hosts the Vermont CMMC Collaborative User Group (VCCUG). This closed-door cybersecurity session gives manufacturers a secure forum to discuss best practices and network with business owners who face similar challenges. The sessions are geared around the Cybersecurity Maturity Model Certification (CMMC) and NIST 800-171. These are the government standards for companies that are part of, or otherwise adjacent to, the DoD supply chain.
The program is not a new one. Since mid-2020, participants have gathered monthly as a collaborative group to share experiences and learn from one another. It’s a group where manufacturers can meet with vetted peers to talk about challenges and solutions, discuss providers, and brainstorm relevant, critical cybersecurity topics.
As an example, the group recently addressed the Log4j vulnerability, discovered in Apache Log4j, a Java logging library used in many client and server applications. This particular threat was the result of an Apache system design error impacting the way applications speak to each other. The error left systems open to an “injection attack,” which could trick the application into leaking sensitive information or executing attacker-provided code.
The VCCUG offers a unique, trusted collaboration with peers in a model that provides significant value. The dynamic is unlike discussions with internal resources (which can have blind spots), or vendors (whose revenue-based motivations can pose challenges). Internal resources and vendors can deliver benefits, but VCCUG is more objective and enables a more expansive approach.
Although there are sometimes smaller, breakout gatherings, the monthly meeting is typically a collection of 15 organizations with one person representing each. The numbers are intentionally limited due to the need to carefully vet each attendee. Moreover, the meeting is a collaboration, not a presentation.
Because of our close working familiarity with manufacturers, VMEC’s role is that of a facilitator. The sessions themselves are not meant to address CMMC or NIST 800-171 certification. For example, VMEC is able to drive meaningful discussion to head off threats similar to Log4j. The discussion is not always that focused; participants may talk more generally about ransomware, or the danger of impersonations, in which someone claims to be a company’s CFO requesting a check, or a supplier with a fraudulent invoice. Those kinds of vulnerabilities, along with viruses, could still result in stolen intellectual property.
VMEC Can Help
If you are interested in learning more about VCCUG or the ways VMEC supports SMEs as they defend themselves against cybercrime, we’re always here. Our community of like-minded business owners, consultants, and experts is ready to help you stop these threats before they can make their way into your networks.