Every day, criminal gangs and foreign nation-states launch potentially destructive cyberattacks against aerospace contractors, financial institutions, manufacturers of all sizes, and every other type of business. Not long ago, gangs went after Las Vegas casinos, shutting down slot machines, and a Chicago children’s hospital, freezing medical records and disrupting care.
Last year, cybercriminals made off with a record $1.1 billion in ransomware payments.
Preventing attacks is expensive, and necessary. The Port of Los Angeles said it fended off an astonishing 54 million cyber-intrusion attempts per month in 2023.
MxD member Rolls-Royce and its suppliers are definitely in the line of fire.
“We’re always really busy,” said Tim Wilkinson, Rolls-Royce’s global head of cybersecurity operations.
A company with the size and geographic footprint of Rolls-Royce is likely to find itself in the targets of adversaries frequently. When you factor in the large numbers of suppliers and third-party companies that a company the size of Rolls-Royce interacts with, the security challenge becomes that much larger.
Wilkinson and other team members defending the Rolls-Royce supply chain say the best strategy for preventing attacks is anticipating the threat. Because Rolls-Royce is a frequent target, any company doing business with Rolls-Royce is also at risk. “They will come to you in order to get into us,” Wilkinson warned. The same goes for all suppliers: Hackers will target vendors to infiltrate a major contractor.
Hackers have different motives. Attacks have come from foreign governments trying to steal intellectual property. Recently, cyber-gangs have been launching ransomware attacks to extort money from organizations. International law enforcement has reported progress disrupting some organized crime networks, but the epidemic isn’t over. The gangs are clever and resilient.
Perhaps surprisingly, the biggest cyberthreat to companies is not from sophisticated computing efforts to overwhelm defenses (such as distributed denial of service attacks). Rather, it’s employees tricked into clicking on a link or falling for a fake email. While many phishing attempts are obvious frauds, criminals are getting more sophisticated. Thieves can produce a beautifully written email with a little help from artificial intelligence.
Humans are never perfect, and despite their best intentions, anyone can make a mistake. The bad guys are using technology to continuously target employees in ways that can’t be detected by automated technologies. Therefore, adversaries often try to “take advantage of the biggest weakness we have, which is our users,” said Steve Cobb, network security administrator at Stein Seal Co., a Rolls-Royce supplier.
Cyber experts say regular training of employees to understand and recognize threats is key to keeping operations safe. IT managers use a variety of means, including crafting their own fake emails, to test awareness. Because phishing isn’t the only danger, one Rolls-Royce supplier asked new hires (who wouldn’t be recognized) to try to gain physical access to unauthorized areas and collect passwords from co-workers by posing as a help desk technician. “They get a little bit upset with me, but it really raises awareness,” remarked Vern Childers, chief information officer at Meyer Tool, another supplier to Rolls-Royce.
Beyond training, Rolls-Royce said companies should embrace standard tech defenses to become as impenetrable as possible. This includes using automated protection and multi-factor authentication, keeping all systems fully updated and patched, and making sure password policies are solid and universally followed. These are not complicated ideas, but that’s the point. Every effort to frustrate hackers diminishes their interest in your business.
“Cyber criminals are in it to make a profit,” Wilkinson said. “If it takes them too long to get into your organization, they’re likely to move on to the next organization.”
A final preparedness step is having a plan in place to react, because a successful attack causes chaos. It may impact systems and customers, and is bewildering. Companies shouldn’t waste time formulating basic responses in the heat of the moment, experts say.
“You need to have already thought about how you’re going to manage the incident so you can focus everything on the incident itself,” Wilkinson advised. “It’s as simple as: ‘Who does the cyber guy call when he thinks something is amiss? When you have your first conference call after an attack, who’s included?’ Define some very rough responsibilities.”
If you follow these principles you’ll stop most intrusions, experts say, and limit the chances of being overwhelmed by the attack that does break your defenses.
This article is part of a series on incident response MxD is doing with its member Rolls-Royce. For more on the latest in cybersecurity news and tools, visit the MxD Cyber Resource Hub.