Inside the Mind of a Cybersecurity Expert: Q&A With Jay Ryerse

Cybercrime should be a critical area of concern and top-of-mind for manufacturers. For proof, consider that the 2024 IBM X-Force Threat Intelligence Report ranked manufacturing as the most-attacked industry for the third year in a row, and the average cost of a data breach is now $4.88 million, up 10% year-over-year.

Unfortunately, though, cybersecurity and the risks involved aren’t very well understood by those outside of the IT world. Some manufacturing leaders assume their business won’t be targeted. Others think the protections they have in place are enough. Some simply don’t think it’s worth spending additional resources to fix their vulnerabilities.

That’s why we’ve invited cybersecurity expert Jay Ryerse, Certified Information Systems Security Professional (CISSP), to sit down with our own John Schweizer, general manager of Aptean’s discrete business unit, to discuss the matter in depth in an upcoming virtual event, “Outsmarting Cyber Threats – Expert Insights on Securing Your Business,” premiering March 13.

You can register now to make sure you don’t miss out. To pique your interest, we spoke with Ryerse to learn about the realities of cybersecurity in the manufacturing space and identify some simple steps you can take today to better prepare your organization on this front.

Q: Why are manufacturers in particular at risk of cyberattacks?

JR: The reality is, businesses of all types, in every market, are facing the realities of cybercrime today. If you trust the FBI stats on the number of attacks happening on a daily basis and the impacts they have on businesses, it’s growing every month and has been for years.

Manufacturers are regarded as easier targets because, in general, manufacturers are not spending money on cybersecurity. They think, “Oh, it won't happen to us. There's nothing anybody wants in our system. Nobody cares about us.”

But that's not how a threat actor actually thinks about it. They think about what the loss of revenue is when the business they’re targeting is down. By launching a ransomware attack and encrypting all your devices so you can't function, the threat actor makes it so that you can’t work, and meanwhile they hold the keys to decrypt the data. From there, it’s a question of what the cost per day will be to the business given that they’ve entirely lost production.

The reality is there's not a lot of budget for cybersecurity, and because of that, some manufacturers end up cutting corners. Business leaders think, “I can go buy a new production machine to manufacture products faster, or I can go spend money on cybersecurity.” Where do you think they’re going to spend the money?

And the users in the production facilities, they don't understand what a cyberattack looks like. Sure, the business leaders and IT team might know and understand the impact because they’re put through training. But the people on the factory floor, the vast majority of them have never been through a cyberattack.

We know that it takes an average of 66 days to get back to normal after a typical cyberattack today. Sure, you might get operational faster than that, but getting back to normal operations takes 66 days. I can't fathom that, and I feel sorry for businesses that don't hear these stories soon enough.

They always think, “It's not going to happen to us. We're too small. They don't want what we have. They don't care about us.” Actually, because threat actors can cut off your revenue by locking down production, they care about you a lot. You just don't know it.

Q: What is the biggest cybersecurity risk for manufacturers?

JR: The biggest risk is probably tied back to users, what we call “identity” in the cybersecurity space. That's the ability of a threat actor to impersonate an employee by acting like them. Once they’ve gained access to a network, they have free rein to take over anything that the employee had control over.

If I want to take down a manufacturing environment, I'm going to go after the people that are working in the manufacturing space, the people that have access to the tools and systems that connect to the production facilities, because I can cause the most harm by killing production. If I take down production, I don't care what the expense is—you or your insurance company is going to pay it to get you back online so you can get back to producing revenue.

Putting on my cybercriminal hat, if I want to break into a business, I'm going to go find that mid-level manager—someone who probably has enough access—and I'm going to go start following them on social media. I'm going to learn about their family and find out everything about them that I possibly can, and I'm going to use that to socially engineer my way into the business.

I might call your help desk and act as that manager, claim I’m on vacation and locked out of my system, then ask if they can help me get back in. If I’ve learned enough about that individual—what they do for a living, who their key contacts are—and can maybe spoof their cell phone number that I find on Facebook or LinkedIn, they’ll send me back a new password. Now I'm logging into your systems, and whatever access that manager has, I now have that access.

From there, I’ll get to their boss. I’ll claim I’m having trouble getting the information I need from someone else and ask them to do me the favor of getting it for me. And that gets me the data I need to get to the next level.

It becomes an escalation of privileges through the levels of the organization, and in three or four days, I could be at a level that gives me enough access to see your global contracts—maybe even payroll or your production systems, whatever would hurt your business most if it was locked down. And if I want to launch a ransomware attack, once I’ve got that one employee’s credentials, I can use them to hit the rest of the network.

Q: What other forms can cyberattacks take?

JR: Think about the employee that gets an urgent e-mail from “the CEO” asking for 10 $1,000 gift cards. They run out and buy them on their personal account only to realize later that it wasn’t really the CEO asking for that. You hear about that kind of thing all the time—those are the easy ones.

What you don't hear about is when an airline manufacturer is looking to buy new equipment for their manufacturing facility, and the attacker gets in between the CEO and the CFO. Both are negotiating for new equipment, so the attacker impersonates the CEO—who happens to be on vacation—and says to the CFO, “Good news, the deal’s done.”

The attacker posing as the CEO provides the wire information, and the CFO sends the money thinking they’re going to get new equipment. But they actually sent $4 million to a threat actor. Does that have an impact on the business? Pretty sure it does.

Another example: I heard about an extortion letter that showed up on one person's desk at a small accounting firm. It was from a very specific threat actor group that's well known that the FBI is trying to monitor. In this instance, there wasn’t a ransom—the company had all their files—but the threat actor had already stolen 350 gigabytes of data to prove they were in the network.

In the message, they actually had a “Frequently Asked Questions” section. One of them was “What happens if I pay the extortion?” The answer was: “Nothing bad will happen. We will remove everything we took from your network and leave you be. We will provide confirmation that the data has been deleted. We will help you to close the tactical vulnerabilities that you have and provide some insight on how to avoid such incidents if some other perpetrator is interested in your business. We'll never tell anybody else about it.”

They were basically offering tech support—as an attacker who had already gotten in.

Too many business leaders have never heard of this stuff before. They don't know even know these threats exist, so this is the kind of stuff that I think we should be talking about, as it will open up conversations.

Q: What are some common misconceptions when it comes to cybercrime and cybersecurity?

JR: Your IT teams—and maybe your info security team, if you have one—are probably telling the business leaders, “We've got these problems we need to solve, because a cyberattack would hurt us.” But leaders have never been through a cyberattack before, so they don't really know what that means.

When I'm thinking about the impact of a cyberattack, I'm thinking about the questions nobody ever asks. For example, if all of your systems are encrypted and you can't access them, you need to ask yourself when your next payroll is due. Because if you can't pay your staff, they won't be there to help you recover. But this isn't something we think or talk about.

Many business leaders—the CEO, CIO, CTO and/or CFO—think it's on the IT team to be responsible for it, but they don't provide them with a budget. They’re not thinking about the long-term impact of an event.

See, when there's a cyberattack, the business gets hit, and then they get sued by the government or privacy advocacy groups. They're going to go after the business leaders, because they're the risk managers in the company responsible for establishing budget to protect against cyberattack. Until then, they don’t think it’s their problem—they think it’s an IT problem.

For IT people, when their company falls victim to a cyberattack, they usually lose their jobs. It's pretty common, and it's a career-changing event. But if they document that they showed the business leaders the risk and they chose to ignore it, the risk moves back to the executive team that never wants to own it.

So it's truly a boardroom issue. I don't think small businesses think of it that way, and some big businesses aren’t there yet, either. But that's the reality of it. The people that are going to lose face are the ones at the top, because everybody below them knows that they’ve already identified the cybersecurity problem, yet the leaders didn’t take action.

Another part of the problem is that business leaders often think that they've already spent enough on cybersecurity. They're like, "Don't we have protection for all this stuff?” But there are so many ways to impersonate people within the organization.

Then, there’s the misconception—or at least, the common assumption—that insurance is going to cover it. But so many businesses don't have cyberattack coverage, or their cyber coverage is so limited in scope that it wouldn't actually protect their revenue loss during an outage.

Business leaders need to take responsibility and ownership of cybersecurity and identify the risks, then look for ways to transfer some of that to the insurance company. But you’ve got to have the right people involved and have the right conversations.

Lastly, most people don't realize what the average ransom request is. It’s typically 10% of a company's revenue, so if you are a $100 million-per-year business, you should expect your ransom to be somewhere around $10 million. That gets you all your files back, but the threat actor has already made backups. So even if you do recover, they can sell off your data to all your competitors. They’re going to double-dip on the attack, and they get paid one way or the other, if not both.

Q: What are some concrete steps a manufacturer can take to improve their cybersecurity?

JR: A good first step in being prepared is a vulnerability assessment. You also need to talk to your insurance company and your internal legal staff. You need to understand the implications of these risks and then take appropriate actions to budget for the right security based on your business needs.

Third-party risk is actually another major area. Here, we’re talking about a business’s vendors. All the same questions that you ask your technology provider about how they’re protecting your data, you need to ask those of your vendors too.

To learn more about how Aptean protects our customers’ data, visit our Trust Center.

Q: How is artificial intelligence (AI) changing cybersecurity?

JR: I see huge productivity gains in cybersecurity from AI. It’s improved our ability to look at data and analyze potential threats, so we can see things faster than we ever could before. But at the same time, the threat actors are using AI to automate and improve their attacks.

I spoke at an event here in Denver back six months ago. Before I spoke to the audience, I walked the show floor and saw vendors selling software. All of them were talking about their AI engines and assistants, and I was wondering to myself, “Who’s testing all this?"

I love the Microsoft Copilot tool from a production standpoint. It helps me be more productive. But with any AI, you need to know it’s been tested to make sure that the implementation in your environment is deployed securely and you're not leaking out company information.

There’s a well-known author who tried to let ChatGPT do the first round of editing on their book. They put the whole manuscript into a public version of ChatGPT, and the publisher cancelled their contract and sued them for 10 times the sales revenue of their last book because the author had essentially already released it to the world for free.

We don't know that AI will hurt us. And so just like we were talking about assessing risks, you're going to have to ask a lot of questions around the risks of AI. Ask your insurance company about your coverage. Ask your attorneys, IT and security teams about what it all means and where you could potentially leak information.

Securing Your Company’s Future With Aptean

Clearly, cybersecurity in the manufacturing industry is an increasingly important matter given the proliferation of attacks and the damage that they can do to businesses like yours. If you enjoyed this discussion and Ryerse’s insights, be sure to sign up for the upcoming virtual event.

Virtual events like this one are just one of the ways that Aptean strives to support businesses in our target markets. We’re proud to spread awareness of critical technology issues, help companies safeguard their operations and empower our customers to scale their organizations stably and securely.

Our flexible cloud deployments—available for most solutions, including our vertically focused enterprise resource planning (ERP), enterprise asset management (EAM) and product lifecycle management (PLM) systems and more—offer best-in-class cybersecurity, as well as broader accessibility, improved continuity and automatic updates. What's more, we perform regular monitoring and penetration testing to identify vulnerabilities, so you can rest assured your data is safe.

If you want to learn more about Aptean, our products or our approach to cybersecurity, contact us today. You can also check out our cloud migration cybersecurity checklist for more on this topic.