Cyber risk digital resource guide

A strategic guide to strengthening your defenses

plantemoran.com

Post on 26-May-2020



Contents

Not worried about cybersecurity? Think again: you could be held personally liable 1

Cybersecurity is like a sponge: 5 ways to contain your data 6

Webinar: Cybersecurity — what you don’t know could hurt you 9

Podcast: The Internet of Things: Removing the physical boundaries of cybersecurity 10

Contact us 11

1 Plante Moran

Don’t let a cyber incident bankrupt you

Not worried about cybersecurity? Think again: you could be held personally liable. Cybersecurity threats permeate every aspect of business. While these crises may not be as widespread among automotive suppliers as in other industries, it’s only a matter of when. And the impact to your organization could be catastrophic — from severe financial losses to personal liability and lawsuits.

There are multiple entry points in a vehicle that need to be secured throughout the car-building process, from design to assembly. Thus, cybersecurity needs to be addressed by each cog in the wheel, and at the same level as OEMs. If not, the safety of all vehicles can be in jeopardy. Now is a great opportunity to get ahead of potential threats and evolve your security and control frameworks to meet the changing landscape.


Think you’re safe? Picture this: someone hacks your network, accesses the design of an electronics component for an upcoming car model, and inserts a bug (i.e., malicious code). Your infected component is then installed in new cars during assembly. Months, possibly a year, go by with the malicious code embedded in the component and installed in multiple vehicles without being noticed. When exploited, the malware affects car safety, including brakes, anti-collision features, and airbag deployment, leading to widespread accidents resulting in severe injuries and even death.

The cause of this crisis is traced back to your component and the weaknesses in your company’s security practices. Not only is your bottom line at risk due to negative consumer sentiment and OEMs dropping you as a supplier, but your company, your board of directors, your top management, and you personally, may be found liable as well. Without the right protection and protocols, this is a wholly possible scenario.


A comprehensive cybersecurity plan can position your company to be a supplier of choice to OEMs. Documenting how you’re prepared to protect data and respond to threats can give you a leg up on the competition.

It won’t take a major crisis like this to adversely affect your company. Intellectual property theft, fraud, and phishing attempts can all affect various areas of your business. You’ll feel the impact from:

CUSTOMERS. You could face a large financial impact with the loss of current and future business. OEMs and other customers may cancel contracts or choose to not work with your company on future projects. Furthermore, many OEMs are requiring documentation from suppliers that outlines their ability to protect data and respond to threats. Can your company meet such contractual obligations?

REGULATORY. Are you meeting regulatory requirements for GLBA or SOX? If your company handles consumer financial data, are you following guidelines for protecting customer account information or social security numbers? Also, if your company is publicly held, then you, or your management team, will need to affirm that your company has proper internal controls in place to prevent financial statement risks.

SHAREHOLDERS. Executives and even board members can be named as defendants in the event of a cybersecurity breach. You can mitigate this risk by having clear documentation of the controls your organization had in place to prevent and respond to attacks.

BRAND/CONSUMERS. The slightest fear of safety, or even mistrust, from leaked GPS information can turn the public tide against your company, severely impacting your brand and bottom line. Even if an incident affects another supplier, your company can still feel the impact from negative consumer sentiment if you can’t reassure the public you’ve taken all the necessary steps to prevent or mitigate risks.


What can you do now?

Don’t let a crisis spur you to action — now is the time to be proactive, not reactive. The solution lies in engaging people, processes, and technology to strengthen your cyber defenses. And you don’t need to overhaul your entire organization at once if your budget isn’t increasing in tandem — a little bit at a time will help your organization prepare for and respond to future threats.

Here are seven steps to get you started:

1. CONDUCT A RISK ASSESSMENT. Weigh all risks that can impact your company, including which individuals could be held liable in the event of a breach. Are you going to mitigate, transfer, or accept the risk? Consider your whole business — not just OEMs. They may be your biggest customers, but an attack that originates at a smaller client, such as an aftermarket supplier, could infect your entire organization.

2. PERFORM A GAP ANALYSIS. Next, determine what controls you have in place to address the risks impacting your company, and identify weaknesses. Lock down easy access points and unnecessary services. Consider blocking email attachments to and from external addresses. Encrypt all devices and make sure third-party applications and vendors that access your systems have strong and reliable security measures in place.

3. ESTABLISH A FORMAL CYBERSECURITY PLAN, AND DOCUMENT YOUR CONTROLS. OEMs want to know their intellectual property is safe with you. They want to know how you’re prepared to protect their data and respond to threats. There isn’t a standard framework across the industry, which makes receiving and responding to requests from OEMs and/or regulators difficult if you don’t have a formal program in place. Your plan should include security policies, user controls, operational controls, change management controls, policies for protecting intellectual property, encrypted transmissions, encrypted storage, and limited access, among others.

4. CREATE AN INCIDENT RESPONSE PLAN. Maintain a formal, written, and current cyber incident response plan in the event of a cybersecurity issue. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. This includes hardware theft, such as a stolen laptop or smartphone, or network breaches. The plan should include procedures for reporting incidents within the company, communicating with customers, and contacting law enforcement and the media.


Don’t let a crisis spur you to action. Schedule a complimentary discussion with our cybersecurity experts.

5. CONDUCT SECURITY AWARENESS TRAININGS. As connectivity to the shop floor increases, plant managers, back office support and administration, marketing, engineers, and management all have varying levels of access to networks and data. Educate everyone in your organization regularly on security policies and controls, relevant information, and risks to the company. Having staff who are diligent about strong passwords and who don’t click on links in emails can significantly reduce the threat level to your organization.

6. TEST AND MONITOR. Intrusion detection monitoring 24/7 is a must-have these days. Hackers are becoming increasingly sophisticated and, without your constant surveillance, they can hide out undetected, accessing company and customer information. In addition to continuous monitoring, you should conduct so-called white-hat hacking or penetration testing. Do this at least once or twice annually to see how your cyber infrastructure would hold up to an attack.

7. PROTECT YOUR LIABILITY. Look into cyber liability insurance, which may help recoup some of the significant expenses associated with a breach. That said, as with any insurance policy, it won’t mitigate your risk.

A comprehensive cybersecurity plan will help your company prevent and prepare for any potential threat. These documented policies, procedures, and user awareness will protect not only your company, but your personal liability as well. Don’t wait for a cybersecurity event to affect your organization. Take control and get ahead of potential threats before it’s too late.


Cybersecurity is like a sponge: Five ways to contain your data

It’s tempting to imagine your computer systems as airtight vaults, impenetrable and immune to cyberattacks. But this would be a risky move. In reality, IT infrastructure is more like a sponge.

All organizations absorb and retain digital data. Like a sponge, IT infrastructure is porous, often with gaping holes. Data can leak out of these holes when things don’t go according to plan: a staff member might lose a laptop, a system might experience a configuration error, or sensitive information might accidentally be published online. But in today’s world, a more prevalent scenario is what happens when the sponge is squeezed — when a hacker causes a breach that results in a damaging data leak.

Here are five ways to contain your organization’s data:

1. ALWAYS ENCRYPT SENSITIVE INFORMATION. When a federal computer system was hacked in December 2014, the personal data of nearly 4 million current and former federal employees was compromised. Regardless of whether the hack itself could have been prevented, encrypting this sensitive information from the get-go could have limited the breach.

Due to the high cost of encrypting stored data, you may decide to be selective when it comes to what data to encrypt. You’ll want to consider the data’s sensitivity, as well as the level of security controls that limit access to it. But when data moves outside your control, encryption is a must for confidential information. A company relinquishes control of its data every time a staff member sends an email or takes a laptop, iPad, or other device out of the office. Encrypting these channels and devices protects the information they carry, so that the only consequence of a stolen laptop is a mere loss of hardware.


2. TAKE PASSWORDS WITH A GRAIN OF SALT. A major online retailer was the victim of a large data breach in 2014, when hackers gained access to 145 million user passwords. The company had encrypted the passwords on its network but still instructed customers to immediately change their passwords to further reduce the risk of unauthorized activity.

User-managed passwords are the most common form of authentication and also the biggest security weakness. Not only can passwords be cracked by hackers, but they also place an inordinate level of responsibility on users, both to create sufficiently strong passwords and to not reuse them across multiple systems or online sites. As the future moves toward multifactor biometric verification — including fingerprint scanning — we’ll approach a stronger, enhanced form of authentication that reduces our reliance on user-managed passwords.

3. MONITOR DATA DILIGENTLY. When a major retailer’s credit card terminals were breached in 2013, card data was transmitted to hackers each time a customer swiped his or her card. As a result, approximately 40 million credit and debit card records were stolen. If network monitoring had been focused on the right factors (including traffic volume and source/destination IP addresses), the unusual activity might have been discovered earlier, allowing for a faster response to the breach.

Many companies implement security controls to protect their information systems but forget to monitor them. This is a big mistake, as the porous nature of network infrastructure makes data monitoring a critical step. Fortunately, there are numerous network monitoring tools available that can help you effectively detect breaches on critical servers and databases. Alternatively, companies can also engage third-party vendors to monitor their networks 24/7.
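As an added example (not from the guide), a small Python script that applies the two monitoring factors named above, traffic volume and source/destination addresses, to constructed flow records; the internal range, the destination allow-list and the byte threshold are assumptions a monitoring team would tune to its own baseline.

```python
"""Flag unusual outbound flows: new external destinations and volume spikes."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed internal address space
KNOWN_DESTINATIONS = {"203.0.113.10"}     # assumed baseline of expected external peers
VOLUME_THRESHOLD = 1_000_000              # assumed bytes per source/destination pair per window

# Constructed flow records, "<timestamp> <src> <dst> <bytes>", all from one monitoring window.
SAMPLE_FLOWS = [
    "2020-05-01T09:00:00 10.20.1.15 203.0.113.10 12000",
    "2020-05-01T09:05:00 10.20.1.15 203.0.113.10 9500",
    "2020-05-01T09:07:00 10.20.1.22 203.0.113.10 11000",
    "2020-05-01T09:15:00 10.20.5.40 203.0.113.10 8000",
    "2020-05-01T23:10:00 10.20.5.40 198.51.100.77 4800000",  # terminal-segment host, after hours
    "2020-05-01T23:12:00 10.20.5.40 198.51.100.77 5100000",
]


def parse_flow(line):
    """Split one flow record into its fields; malformed lines raise ValueError."""
    ts, src, dst, nbytes = line.split()
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst), "bytes": int(nbytes)}


def find_anomalies(lines, known=KNOWN_DESTINATIONS, threshold=VOLUME_THRESHOLD):
    """Aggregate egress bytes per (src, dst) pair and flag pairs that break the baseline."""
    totals = defaultdict(int)
    for line in lines:
        flow = parse_flow(line)
        # Only internal -> external traffic is relevant to spotting data leaving the network.
        if flow["src"] in INTERNAL_NET and flow["dst"] not in INTERNAL_NET:
            totals[(str(flow["src"]), str(flow["dst"]))] += flow["bytes"]
    findings = []
    for (src, dst), total in sorted(totals.items()):
        reasons = []
        if dst not in known:
            reasons.append("new-destination")
        if total > threshold:
            reasons.append("volume-spike")
        if reasons:
            findings.append({"src": src, "dst": dst, "bytes": total, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_FLOWS):
        print(finding)
```

The routine traffic to the known destination stays quiet; the two after-hours flows from the terminal-segment host to a never-seen address are reported once, with both reasons attached.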


4. MANAGE USER ACCESS. The 2014 breach at a global financial institution — which compromised more than 80 million accounts — was rooted in the improper management of administrative access. If a hacker gains access to high-level privileges, he or she will have the ability to bypass implemented controls, making it easy to enter and manipulate the system.

Regularly ask yourself who has access to your networks and to what degree. For instance, what level of access is given to third-party vendors? Has access been terminated for staff who have left the company? As a rule of thumb, about 10 percent of user access is not managed properly — an unsafe percentage when it comes to cybersecurity.
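An added example, not from the guide, of the access review the questions above describe: it reconciles a constructed directory export against a constructed HR roster, flags vendor accounts holding admin rights, and reports the share of enabled accounts that fail a check. The 90-day staleness cutoff and the vendor flag are assumptions.

```python
"""Periodic user-access review over a directory export and an HR roster."""
from datetime import date

STALE_DAYS = 90  # assumed: an enabled account unused this long is reviewed for removal

# Constructed directory export: enabled flag, admin rights, vendor flag, last login.
ACCOUNTS = [
    {"user": "jdoe",     "enabled": True,  "admin": False, "vendor": False, "last_login": date(2020, 5, 20)},
    {"user": "asmith",   "enabled": True,  "admin": True,  "vendor": False, "last_login": date(2020, 5, 25)},
    {"user": "bwong",    "enabled": True,  "admin": False, "vendor": False, "last_login": date(2020, 1, 3)},
    {"user": "acme-svc", "enabled": True,  "admin": True,  "vendor": True,  "last_login": date(2020, 5, 24)},
    {"user": "mlee",     "enabled": True,  "admin": False, "vendor": False, "last_login": date(2020, 5, 22)},
    {"user": "old-tmp",  "enabled": False, "admin": False, "vendor": False, "last_login": date(2019, 2, 1)},
]
# Constructed HR roster of currently employed staff; vendor accounts are owned by contracts instead.
HR_ACTIVE = {"jdoe", "asmith", "bwong"}


def review_access(accounts, hr_active, today, stale_days=STALE_DAYS):
    """Return (findings, percent_of_enabled_accounts_flagged).

    findings is a list of (user, [issues]) for enabled accounts that fail a check:
    an employee account with no matching HR record, a vendor account holding admin
    rights, or an account idle for longer than stale_days.
    """
    findings = []
    enabled = [a for a in accounts if a["enabled"]]
    for acct in enabled:
        issues = []
        if not acct["vendor"] and acct["user"] not in hr_active:
            issues.append("left-company-still-enabled")
        if acct["vendor"] and acct["admin"]:
            issues.append("vendor-with-admin")
        if (today - acct["last_login"]).days > stale_days:
            issues.append("stale-account")
        if issues:
            findings.append((acct["user"], issues))
    pct = round(100.0 * len(findings) / len(enabled), 1) if enabled else 0.0
    return findings, pct


if __name__ == "__main__":
    flagged, pct = review_access(ACCOUNTS, HR_ACTIVE, date(2020, 5, 26))
    for user, issues in flagged:
        print(user, ", ".join(issues))
    print(f"{pct}% of enabled accounts need attention")
```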

5. RE-EVALUATE YOUR INDEPENDENT TESTING. In December 2015, a digital toymaker experienced a breach that exposed the data of 6.4 million children and 4.9 million adults. Even more unsettling is that by linking the accounts of children to their parents, the data ultimately revealed children’s full names and addresses. The company was alerted to the breach by a journalist from the technology news site Motherboard, who had been notified by an anonymous hacker.

This example is a testament to the importance of independent testing; you’ll never know how effective your security really is if you don’t have an outside party test it on a regular basis. Companies should schedule an independent test at least once a year, but infrastructure changes or regulatory compliance standards may require more frequent testing.

Supplementing an annual test with smaller-scale monthly or quarterly tests of specific areas also reduces delay when it comes to finding and resolving issues. By continually making improvements throughout the year, you’ll have greater confidence that your multitiered cybersecurity strategy is protecting your customers, your staff, and of course — your reputation.


Webinar: Cybersecurity — what you don’t know could hurt you

Wouldn’t it be nice to know if your organization is being targeted for a cyberattack, the way the attack will occur, and the associated risks? Unfortunately, no one can predict when customer data and organizational intelligence will be compromised, which is why you must prepare now.

LEARN HOW TO:

• Identify emerging threats and risks

• Determine the potential risk level

• Develop or improve a defensive strategy

• Articulate best practices on ensuring organizationwide adoption


Podcast: The Internet of Things: Removing the physical boundaries of cybersecurity

The Internet of Things refers to a world in which all everyday objects and devices are seamlessly connected through wired and wireless technologies. This is affecting how we do business, which is certainly exciting, maybe even enticing. But it’s important to remember that with every benefit comes risk.

Think you’re safe?

You can be held personally liable in the event of a cyberattack. Learn how to strengthen your defenses and schedule a complimentary discussion with our cybersecurity experts.

plantemoran.com

Stay in the know: subscribe.plantemoran.com

Please contact us with any questions.

Daron Gifford, Partner, Strategy, [email protected]

Raj Patel, Partner, [email protected]

Jason Thomas, Partner, [email protected]

Scott Petree, Principal, [email protected]

Complexity made simple. Change can be daunting. Let us help you balance competing priorities and make smart investment decisions.