Sign Michigan Banking Job Description Template Secure

Industry sign banking michigan pdf online

I'm Justine Burdette vice president of technical services at the right place and regional director of the Michigan manufacturing Technology Center West office thank you all for joining us today with me are Brian Edwards publisher of mi vis and Ryan Bonner vice president of customer success at bright line technologies we are here today to talk about a topic that is in the news constantly these days cyber security specifically we are going to talk about the weak challenges that face manufacturers today's webinar is the type of educational program that we enjoy presenting there's a timely topic in the business world and we have tried to keep a laser focus on the manufacturing sector we want em MTC to be a trusted resource that can help West Michigan manufacturers analyze operational challenges and then we want to connect manufacturers with our network of experts who help them improve their operations so if you're a manufacturer on today's webinar I invite you to check out the MMT C West website we even learn about our area of expertise our website is MMG C West org so if you are a service provider on today's webinar I want you to contact mmt see us as well to learn how our organization serves the manufacturing community now I'm going to turn things over to Brian Edwards publisher is my bit Brian thanks good afternoon everyone it's something you know we had some delays in our original timing on this we'd like to think that hackers heard we were going to do a presentation about cyber security and they hacked in and prevented us from doing in a timely fashion but we're here now Thank You Justine and good afternoon and everyone just a quick rundown of the agenda Ryan is going to join me now we'll talk and we'll do some QA we were going to do type messages I did get some messages from some of you via email so we'll ask those questions and this is adjusting so this is a really good topic in terms of cybersecurity it's been in the news a lot they grant some more attacks last month there's been a lot over the past year or so with retail healthcare online sites Muzyka target Ashley Madison right there was customer data stolen there so the perception though is that manufacturing blow on the target list and it's actually moving up focuses Ryan will talk about a little bit so we called this a seven hundred thousand dollar manufacturing mistake there was an IBM study I think it's also quoted Comiskey labs they talked about seven hundred thousand being kind of a cost to recover from a cyber attack on a manufacturing company so happy to have you here today so to talk about all of this by way of introduction Ryan Bonner is with bright line they are partner organization with the Michigan manufacturing Technology Center they've been working with Michigan companies to help them understand cyber security but also their compliance obligations in their industry and making sure that they develop plans for achieving that compliance so Brian and his team who work with more and more manufacturers not just in DoD or defense where they're very kind of stringent but also aerospace automotive and other industries as well so you know again Ryan so the notion here is that manufacturing is kind of going up the charts it's rising in popularity with yeah so why is that what's going on there well I think there's a lot of factors driving you know in the pack hacking was really based on how quickly can I make a quick buck or things like that and as the cyber security defenses of different industries have grown and matured especially some of the more targeted industries like like we talked about like retail or health care or some of the big financial institutions they become a harder nut to crack and so hackers of course have moved on from you know industries where the cybersecurity stance is less mature and hasn't been thought through as much and there's more exposure in supply chain so I think what we're seeing a lot of now is manufacturing having not really had as much emphasis to really become better is simply the easier target for a lot of cyber criminals and it's not to say that there is aren't still a lot of dollars to be made an adventure and so I think what we're seeing is really just a lot of the secondary industries that still represent a lot of the employment base here in the States just being targeted out of opportunity more than anything awesome why don't we get to your presentation and we'll take the webcam off of us here so people can just hear your dulcet tones and also then watch your presentations so how good let's go here so that's who we are takeaway yeah so one of the things that we've been talking about with a lot of our customers is trying to determine how a cyber crime is actually going to meet them in their business and potentially create issues or interrupt business operations make them less effective or profitable damaged relationships and so for us you know we look at what are some of the top manufacturing factors or as we like to jokingly call them top menu factors excuse the pun and respond and these are some of the things that aren't really is a cyber crime concerns all these the things that drive your business and so for us you know obviously manufacturers are worried about cost effective production you know you're going to want to make sure that you can remain competitive from a cost and time schedule perspective you know timely delivery is a huge part of that if you can't deliver things for a set price at a site set time if you're not going to remain competitive in the market we all know that internal best practices are also what are going to make your organization good at what they do that's what your operational efficiencies come into effect that's where you develop internal processes or manufacturing procedures that allow you to stand out when you're working with customers and then obviously that all adds up to a solid reputation with your customer base so I when we talk about cyber crime what I really want to look at is I would cybercrime have an effect on these primary factors because at the end of the day if it's not having an effect on these we might just be spinning our wheels getting excited about the idea of cybercrime we can see how cyber attacks cyber incidents a lot of the hacking that's going on today in the manufacturing space is affecting these factors I think it all hits home for all of us so let's think into that first factor we've got this concept of cost effective production so that's obviously going to be an attack that's going to come after access to your financial instruments you know if if you're going to try and be you know the organization that has money in the bank and the ability to practice things like lean production or just-in-time having cash flow on hand is a huge part of that so I actors are a lot more often in the manufacturing space is coming after aspects of your financial transactions that aren't really protected the way they should be so with an ACH transaction what's going to happen is a hacker is going to try and sit on your network and exploit your ACH transactions either in the form of a scam or in a more elaborate hack I mean can I ask about that because you know obviously somebody to the automotive OMS pay they're you know two to two or three to one suppliers electronically how at risk are they so the most common cyber attack that we'll see here is action it feels more of like a scam than an outright hack so what will happen is an attacker is going to get onto your network and they're going to exist as what's called a persistent threat they're babysitting your network watching your emails in and out and waiting for the right opportunity and what they'll do is they will spoof an email address and pretend to be you or or using pepra might account actually just send a legitimate email telling some supplier or upstream customer who's about to issue a payment towards you hate for Friday's payment sent it to this account with this routing permission set thanks thanks for that out of the day and then delete that email you never know that it well now the you know transaction is made the funds are sent and they go to the hacker instead of to the intended recipient your business it can happen in Reverse as well going money that now you have to pay twice you used to see this a lot more in other industries especially in the home mortgage industry you have a title insurance companies about to close on home purchase and someone intercepts that transaction encourages them to make the payment a day early than was originally planned and now you've got half a million dollars for a home purchase just gone and they're crafty I mean we've seen at least one example of somebody sending out you know a w-9 form you know a letter saying we need your new w9 yours you know we need your new bank routing information so it seems all very innocent enough and the trans community mail and I think you called it so it's the more and more we try to get payment electronically and moving money electronic would be more at risk there absolutely absolutely so good inside best practices can help with that but it helps to understand the mechanisms of it may happen payroll it can be just as much at risk you we've seen manufacturers who you know we're doing payroll internally and a hacker gained access to the system and the make more payroll went out changes all of the direct deposit recipient accounts for all of the employees and you've got you know in some cases six digit payroll disbursements that all disappear and go to you know those phony accounts and recovering that can be next to impossible so bank accounts are also a risk just as far as gaining access to credentials and things like that locking companies out of their own accounts and so you know you'll see a lot of situations where an executive will have to be specifically targeted because executives tend to have access to the primary bank accounts for an organization so if they've got your login credentials and they can intercept even two-factor authentication or something like that then they could potentially into a bank account and can create an issue there so that's that's maybe a little more abstract now than ACH transactions for payments but you know those are some of the things that we're seeing how so if you're an executive you should never let anybody know your first pet's name or mother's maiden name or you know the streak of your oh absolutely absolutely so the only thing manufacturing factor we talk about it is timely delivery you know as a manufacturer I can deliver my produced goods out to my customer you know as part of an SLA or on a normal agreed-upon timeline then I'm going to have a better reputation with that customer and I'm going to be more likely recipient future contract awards so this is one of the biggest ways that cyber criminals are creating a negative effect for manufacturers because there's a lot of ways in our age of increased dependence on technology in the manufacturing space that simply interrupting technology is going to interrupt delivery so a big way that that's going to happen is in the form of denial of service attacks and so denial of service attacks are really pretty straightforward any any way that I can interrupt your IT systems from functioning as advertised I I can potentially put you in a bad position and then demand that you need to pay for those attacks to stop or use that as a jumping off point to maybe launch a different type of attack or simply hold downstream suppliers from an upstream you know manufacturer hostage and get a payment out of that larger entity so sometimes you can be targeted not because of any particular value that you the manufacturer hold but the value that you hold to upstream customer reviewers and again so this is this is we're all trying to communicate more and more electronically with our customers there's ERP systems and order systems and other stuff and so this is just basically interrupting their ability to yeah and the way that I do that is I just throw a bunch of bad traffic at your network and then eventually that will just bring everything down and so it used to be that you had to have a lot of resources available launched a bunch of that traffic enough to complete the overall system but in today's day and age where you've got you know camera systems and traffic stoplights with computers on them someone can hack an entire city in Ohio and use the entire city's resources to launch a network attack against you there's a lot more resources available for that and so did e OS attacks were about a year ago there was no it was kind of in the news in the media and the business news because people are using toasters and stuff but now this next one ransomware this is kind of the topics du jour in terms of media mainstream media's coverage of hacking that's a little bit about ransomware specifically with manufacturing so if I'm if I'm a hacker and I want to come after your business and I want to have the best possible chance of getting money out of out of the attack ransomware is it so ransomware is devious and simple in its nature when ransomware finds its way onto your network it simply begins to encrypt data and once data is encrypted then once you know the key to decrypt it it's useless to you so all of your production data everything that your systems are built on are now useless to the organization and unless you pay the ransom hence the name ransomware you can't get that data back so what we're finding is that a KERS we used to build Trojan horse malware or a lot of other types of viruses have all almost wholesale moved over to ransomware because it's so effective at getting money out of users and with the advent of these new crypto currencies like Bitcoin I don't have to find a way to get paid in u.s. dollars you know there's a completely digital way to get much out of the users so do you even see some of the more advanced cyber criminal organizations unwanted under customer number you can call and they will walk you through how they've got a depth up to provide them with this coin to pay your ransom so it's pretty it's pretty amazing what we're seeing out there and so this is just a quick rundown of how the DDoS attacks so work you've got generic you know normal traffic that normally you'd expect to see and also you have malicious traffic being from and then just overload system so on this one though the rest of a different went uncontaminated of traffic that your site said put it yeah so our other big manufacturing factor our manufacture is internal best practices I say that this is probably the least valued area when it comes to business is being able to understand this in terms of hacking or cyber security threats what do you mainly value well I think a lot of organizations can draw a line and can say someone's trying to steal or someone's trying to interrupt my business but how about a cyber criminal is trying to put you out of business five years from now scare when your IP exactly exactly and so internal best practices are really what gives you competitive advantage in the marketplace you know we here in Michigan we have a lot of investments made into new manufacturing best practices lean manufacturing having good quality systems in place and so those are things that don't exist everywhere globally not even just looking outside at Michigan but around the world there's a lot of organizations or nation-states or foreign manufacturers who don't have decades of built up experience and how to effectively produce high-quality parts using good best practices so just as valuable as the actual technical data the plans were the things like that that someone could take from you they really are also just as interested in the manufacturing processes you use to develop or produce those those plans and that data in a high quality fashion with a low failure rate and so a lot of organizations are really putting this on their radar so you know production methods are going to be a big part of that and that's that's ultimately going to lead to to overseas reproduction so you know that's how you see a situation where you know you've got an f-150 being made here domestically and if we go overseas we have something that looks a whole hec of a lot like oh well and that's because you know overseas reproduction aims to take the original production files that were used to produce that whether it seems the Machine data or the original plan specs and drawings and and sort of piece that together now you can't always do that without knowing the production methods because sometimes just plans on not sure but you add all those together and you get really close to a completely manufacture so yeah so again it's not just designer parts it's all the IP related to any product that you're making whether it's a car or an airplane part or whatever it's the pricing it's the Billa material it's the production methods the drawing and the supply chain information absolutely the best way that I think that organizations can confirm this is anything you wouldn't want your competitor down the street knowing you can assume that that's going to be a target for cycle assessment so the last factor is really sort of the culmination of all the other previous factors and that's our reputation with with customers so you know if you're having issues with with quality or having issues uptime because you're having business interruptions or you're having issues with cash flow or finances because of a financial act that's all going to put you on shaky ground with your upstream customers are you are you you know financially stable you know those are things that organizations you know are mindful of why did you have that interruption will it happen again you know normally you would meet your timelines now you're not is something changing you know if you know organizations don't always focus on the years of excellent delivery and timelines of quality produce sometimes they tend to focus on the instances where that doesn't happen and if hackers are able to contribute to that happening then they're putting you on less than ideal terms with with your customers I know even and we'll talk about this alone QA because we've got some questions from folks as well as some other questions from our team even some of the the risk management policies have you know if you're hacked it'll cover the IT and the restoring and the all the kind of legal and other issues but even some of those policies pay for like public relations health because it's if you could hack it's largely about how you respond to it and so that really gets right to the reputation piece right and I literally absolutely it it's going to it's going to happen to lots of companies so it's it's really like so many things in life and businesses how you respond to the bad thing happening and they're willing to include some PR services absolutely so that if an insurance company has identified that PR services are needed to recover it you better believe they've got some some data to back that up so fail delivery timelines we talked about another thing that we haven't talked about is if someone steals your IP and starts producing your parts overseas and then we can mosey into the supply chain for your upstream customer I those counterfeit products are most likely going to be associated with your company's quality and so those are those are areas where you have to be able to protect against that now we've seen a lot of strides made and a lot of industrial sectors for unique traceability of parts and products as they're produced so that's good but depending on where you're using system that supply chain you may not have a lot of credibility to be able to show that that was the case so those are things that we always encourage organizations to be mindful of and then the other thing is this more often than not the part that you're going to produce for an upstream customer is going to require some context you're going to need to know about the assembly that goes into or the overall system is a part of and as a result of that your customers oftentimes going to share more information with you that is required just for the produced part but that will contribute to your overall quality and so when you have an aggregated amount of really important IP and information that belongs to your customer on your networks and then your network is somehow compromised and that information is taken that's going to more often than not create ill will with with an upstream customers it's found that you're the source of that act so and then the result that we're seeing in a lot of spaces in manufacturing right now is that customers tend to react and blame the supply chain and with some of the reason in a lot of cases what sometimes unfairly you know if it varies and so what you're going to see is whether or not there's existing regulations in place you may see those regulations begin to tighten in your industry you may see individual customers or industry groups or advocacy groups start to co-author new cybersecurity standards they want to see lived out in their supply chain and so in those types of situations you no longer get to pick how or when or through what means you secure your networks provide better security now you've got a dance to someone else's drum as it works and do things the way that they would like to see things done and a lot of times what we'll see is that the the more broadly written cybersecurity standards that they may ask you to adhere to in order to be part of their supply chain is not always going to be custom tailored just for the type of manufacturer you are so sometimes you end up having implement standards that are a bit heavy-handed let's just it that way so that's that's not in the long run in the long term those standards can be a good thing because a rising tide raises all ships but it's always better if you can do that on your own terms and have been dialogue with your customers in the possible again and I think you'll talk about this a couple slides here but so certainly if you're a supplier to the Department of Defense that's been changing in terms of the requirements of regulation the contractual part of it but in industries like automotive medical device office furniture and I know we have many attendees from those industries that have registered for this it's very fluid right now in terms of what the regulations are going to be and what the quality or the expectations are going to be from the automotive and other OEMs correct absolutely and what you'll see is you know a lot of these industry sectors have done a good job of latching on to appropriate quality standards and compliance and regulatory standards for a lot of other areas what we're starting to see is that now individual areas like automotive or aerospace or medical devices they are all jumping onboard with cybersecurity standards now and we don't know exactly what all of those are going to look like yet but but I want your best guess I thought I made a good one again as you know we've got we work mostly with automotive customers how much of this stuff Navin applies to me so so patently we're seeing a lot of cross talk from the aiag and the automotive manufacturers to the effect that automotive the big six let's call that are really looking heavily at sort of falling into lockstep with a lot of the upcoming government regulations that are already being imposed at a federal level for some of the other types of manufacturing that's being done for GSA Schedule contracts or for defense contracts and so whereas it may not end up being called the exact same thing we're starting to see the automotive the big automotive automakers really saying we really need to have security in our supply chain we like what we see on the government side let's sort of synthesize that into what we do here in automotive and take some of those best ideas out of that so if you want to see where that's going you need only read about what's happening in aerospace or that's and and just sort of mentally map that and your best guess is or industries like automotive or medical device that these things come online they will be contractual then will be regulatory it will be contractual between the OEM and the supplier correct correct so you know the government can always do things in the form of administrative law the law we all abide by and private sector is our customers contractual obligations so let's go through maybe a good example of how this all might play out using what one example that we do have which is DoD measures so we talked about in general terms leading up for this what are some of the ways that hackers might contact you looking specifically at defense manufacturers we know what that is and the target is the sort of proprietary information so research and development information but or major products go into production is always a great target for for hackers especially from other nation states also any plans drawing specs and details you might receive in the course of being asked to quote a particular contract or receiving the contract there's a lot of great technical data that can be mined there and repurpose production processes the Sol's might relate to like nil specs that are attached to a specific manufactured part or you some of your internal production run sheets or things that you know helping your team produce effectively and then of course you know the machining of production data if you're translating a 2d drawing into a complete 3d you know CAD file or cam file or CNC machining or things like that that is the finished product you merely need to plug that into you know a CNC router or how to make a piece of melon or yet you've got the part so alluring some of the quality control and testing procedures on the back end you've got the real gem there and so having the preliminary pieces like the drawing suspects to know what that machine piece goes into or what specifications is designed around can also be really valuable sort of reverse-engineer all of these items so the result of this is that you've got in the defense industry duplicated military designs where other nation states have completely exfiltrated all of that data out of subcontractor and private sector manufacturers systems and are now using that to produce these these systems themselves so a good example of that as you know you can look at these two planes from a lot of different angles and I think you might struggle to know which one if it weren't for the flag next to it belongs to the United States and which one belongs to China there are Russian hackers that's what you're saying Russian Chinese you name it and so in this case China has completely exfiltrated and stolen all of the plans for the f-35 Joint Strike Fighter and cannot reproduce that plane without having put any of the money into developing so the other is our current reaper drum which is the most commonly used you AE by the US military the Chinese have not only stolen that particular design they've because of the fact that they didn't have to produce it themselves created five new versions of it designed with all sorts of different capabilities with better armaments than the US version with better flight range with better top speed all these other things that you know are put up a security disadvantage and that's because they didn't have to put the time into designing I mean this you talk about eye items and topics that are hot in the media this will be a hot topic presumably with a president Trump signing in order to pursue how the Chinese are stealing our IP basically absolutely this is this is right at the crux of that I don't even need to show you this - it's for you to know that the Chinese have taken the design for the jambe and put it to their own use so these are some of the examples that you're seeing so when we look at that we've got the ability for let's call this global competitors - you know national security having the ability to rapidly develop countermeasures against us systems or improve upon them and you're also going to see for us as manufacturers increased regulation and security enforcement from the government in an attempt to stop this from happening so that's taken the form of in the defense base new contract clauses that are in 100 percent of all new contracts for community contractors I want to see far as these farlands the defense in Federal Acquisition regulatory supplement it's a set of clauses you'll find in every contract there used to be just about really banal boring things like the format of your Ledger's for accounting purposes or you know how you report at certain distribution statements when you gave your final result back to the government now we're starting to see Colossus baked in that have to do with your ability to report tax to the DoD within 72 hours or large cyber security standards for how you secure systems that you own or cloud systems that you operate out of and how you hand classified data versus unclassified data so there's a lot of things there on dersu mandated security standards built into a lot of these contracts now in particular we're seeing a lot of mandates as a result of the D fire standard for every defense manufactured by the end of this year to have an implemented plan to meet this new mist standard called 800 171 it's a hundred and ten line item security standards and a lot to say about how you secure your systems so really you know we talked about potentially heavy-handed measures before we're starting to see a lot of that and then we're seeing better mechanisms now for the DoD to revoke liability protections given to you as a defense contractor the old way I used to work is that if you're a critical contractor because you take on that risk you get special liability protections no one can sue you without really well-documented you know proof that you were you're being all seasoned well now we've got these standards in these clauses that make it really easy to prove when you're not playing ball which can lead to a loss of liability protections so we're getting exposed backside sort of to our business at this point and then of course this can lead to loss the business from steam upstream prime contractors the debate customers that get debate government contracts and then ask different manufacturers to make this small piece or perform that process this isn't always their idea what we're seeing now is that there's contract clauses that you know potentially all of the supply chain for a new contract needs to adhere to a certain security standard and so when we see that that's not always up to the prime contractor themselves so looking at how we try and get our head around this and fix this I think there are some things that we can do from you know a defensive perspective and on offense to use this as a jumping off point to grow our business and succeed so on offense I think that's going to come together you know a couple of different ways we've got to discover what security practices our customers upstream from us really value and you know how do we how do we align ourselves with that and so what you'll find is that almost every major industry has at least hinted towards some security practices they'd like to see in place or a particular cybersecurity framework or things like that so I would I would take those security practices that that are upstream customers are valuing things like encrypting data or things like having multi-factor authentication when we block in our systems or certain technologies that they really stand buying because they found that historico those prevent security leaks and then try and parse those practices into some sort of framework there's a lot of frameworks out there that you can select but and they're going to take a lot of different formats but for the most part they're they're going to be things like the idle framework or COBIT or my personal favorite the NIST cybersecurity framework which is really flexible and approachable and for the most part helps make sense of a lot it's crazy I know a lot of our readers are really big fans of the NIST protocols here but I mean there's a lot of jargon there so what you know these are you're talking about protocols that are out there and exists and you don't have to write them or invent them who scratch mm-hmm you probably can already find good case studies of how they are implemented especially in manufacturing there's there's a lot of attention paid to that so anufacturing and industrial control systems and medical devices all have good white papers written not only by government agencies of a third party to effective success putting those in place and those can be a good starting point where you get to borrow you know someone else's hundreds of hours of research and use that as you're talking and this like a quality standard would be kind of more of an overarching conceptual kind of approach to things because you know if these are protocols and frameworks that work for you know multi-billion dollar companies how do we bring it down to the kind of smaller and middle market you know kind of manufacturers yeah yeah I think that there's there's no magic bullet that's going to make this approachable for some of the smaller manufacturers but we do have good success stories of where that's happened working with even really really small organizations all the way up through several hundred employees or several thousand plays I think what it comes down to is understanding where sensitive data lives in your organization and on which systems that lives and really paying the most attention to those don't get that don't waste your time looking at things where there isn't sensitive data in goal and then really really understand the business practices that that you have business processes workflows everything from email communications to steps taken by your engineering team how data moves through you're brought to your production teams and things like that if you can get a handle on those you'll figure out really quickly where the biggest risks are for data to potentially be leaked out of the organization or compromised you can really focus those attentions there so for small organizations you should have a much shorter list of things that need to be looked at or secured and things like that so scoping rosy max right so you know we we had done a research poll and it's certainly not scientific we got about a hundred respondents but in a relative to manufacturers who took this poll thirty nine percent said they had been hacked in the last two years another 11 percent said they didn't know if they've been hacked and really when we asked more specifically about what do you what are you most fearful of seventy five percent ransomware and absolutely it is that is that because it's in the media is that like a realistic legitimate fear for you know a manufacturer you know two third phase customer data exposure again how likely is that in the manufacturing sector versus something like retail or health care mmm ACH fraud 16 purse or 59% we're all afraid of losing our money and about half 47% fear I keep that I mean does a you know is that a fairly good snapshot of what people should really be worried about i I think that it's probably pretty accurate um you know when we look at where the the biggest sources of potential problems could come from the the biggest threat is always going to be an insider threat and that's where somebody either maliciously or just accidentally sends the wrong information to the wrong party and when that happens we felt a lot of cleanup to do and and that's usually when the largest amount of overall data accidentally leads the organization more maliciously is exfiltrated on the organization so I think that customer data exposure is a big concern ransomware is is particularly troublesome for a lot of organizations because of the fact that it only needs to happen once one person in the organization on one asset needs to make a mistake once click on the wrong link in able the wrong macro on an Excel spreadsheet and ransomware will find its way into everything else in the system not on the network so I think that's particularly scary for a lot of organizations because we all know that person in the company that might do time and person in our company to be honest with your eye and I grab a finger the keyboard miss send the occasionally no literature and so good awareness and training community pardon actress it certainly is a concern for a lot of organizations so I think that a lot of those concerns are well so that's kind of the presentation part in terms of your slideshow but let's um let's talk a little bit about some of the questions that we got some people have emailed us some questions so let's talk about the cost piece right because certainly this adds a cost to the operation and will throw us back on here so we could do a poor conversational yeah what kind of cost for a you know our companies having to invest in just making sure that they're at a basic level but then even beyond that it's realistic yeah I think that when you're looking at most manufacturers the costs are going to come in a few different forms you know you're going to have the monetary costs that we're all mindful of you know if we've got to invest in a couple of new securities since or a specialized piece of software or maybe we've never encrypted our data before we'd like to start doing that those all come with a price tag not only in labor and hardware software but there's there's an organizational technical debt that we take on and so I think that the biggest costs if we're going to look at it from that perspective they come from the organizational costs I'm tasking individuals in the organization to undergo new awareness and training having our operations team have a better handle on their responsibilities really understanding some of the big risks that exists out there and having somebody at an executive level own those risks those all take time and they occupy that space and so I think that those are going to be where some of the biggest costs come from for a lot of organizations certainly there's an investment I mean I think you know and those are the soft cost the hidden cost but but in terms of what what should a company be investing in a small manufacturer mid-sized manufacturer at a basic level and then you know beyond that you know relative to software you know intrusion alert software or you know other mechanisms that are going to help them prevent and if something happens that we're absolutely so the the current consensus in United States commerce is that on average and American business spends three to five percent of revenues on technology and that's not just cybersecurity I mean that's the internet cost that's that could be mobile phones that could be software computers printers all that farm stuff it could be manufacturing equipment technology some of the some of the IT systems that help back that up that can be your ERP um I definitely think that making a decision to invest in cyber security for the first time could certainly take a three percent IRR company to a five percent threshold you know adding you know if the two percent of revenues needed to be spent towards that the goal is always to back that off to shrink that down through more judicious application that we certainly see that happen so if that was to be a good litmus test or how much was the extent I think it is negative plausible that an organization could be spending up to 2% of revenues on on cybersecurity and all of the technologies that go with that the whole being that it could be less I mean that says that's a big number for something that's you know not going to give you any cost savings or cost reduction yeah it's insurance it's definitely a long term play through very few situations where you can say that my cybersecurity practice was a source of revenue well you're consulting yeah yeah but I think that on some level of here with the long-term ability to keep relationships or prevent loss of contracts when I'm talking with government contractors you know multi-year ban on government contracting while still a black's one of them and it's still a huge thing to be worried about and so if I show Mel season some cybersecurity side because I've got these contractual clauses I mean that's a huge loss to to mitigate and prevent against that's a risk I want to do let's talk about risk management you know certainly the insurance companies the risk anagen terms have been talking about cybersecurity you know pretty actively over the past two three years I've talked a little bit about how kind of their approach to ensuring companies against this has evolved and changed over the past two three years sure well I think if you looked at the cyber breach security offerings that were in the market five years ago you'd see insurance carriers who were just asking you questions like how much do you want as measured in hundreds of thousands of dollars and that that that funding would just sort of generally be used for things like paying for customers identity theft protection several years after their their personal information was breached or doing some of things we talked about like you know PR recovery or data recovery later on other get legal costs all of those things I think now what you see is that and from a risk management perspective insurance offerings that mature to the point where they now understand that if they're going to offer you coverage you also need to agree to do certain things and as part of that underwriting process they're going to be asking what are you doing - let's say Creek your data or do business over a VPN connection or how robust are your data backups because the insurance companies realize you can have a great policy but when the statistics are that you know your average small business that has to close as the result of some sort of interruption business I owe more than a week doesn't reopen yeah I mean that's that's something that you can't really insure against easily and so they want to make sure that your business continuity and your disaster recovery is just as integrated into your risk management mindset as cybersecurity faceted data so another question we got and goes to the cost aspect again but are there any sources of funding to help with cybersecurity well I think that on some level there are sources of funding that can help with that I would come at that two different ways from a funding perspective you know I would honestly say that that organizations like the Michigan factoring Technology Center are always out there looking for potential funding sources whether it's an SBIR contract from the government to develop a new and effective way to protect your data or whether it is just some sort of general grant that's available sometimes upstream contractors or customers of yours will sometimes have some sort of fund or way to defray the costs of compliance if you fall into certain categories like maybe you're a critical supplier for a specific part you might have a little more leverage to get some funding for that I would also say that this is probably one of the situations where I can I can categorically say that the government has actually done a lot here need to provide a lot of free resources you know that's not always something you can say about every branch of the government but in this case the Department of security and Miss with the National Institute for Standards and Technology even the govt has been working really hard to create a lot of available resources and tools that whether is training for your employees through the Department of Homeland Security stopping connect program to deal every year for their cyber awareness week or just some of the NIST white papers that have been written on how to develop and build a secure system that you can just grab and read today I mean those are some of the ways that you know you can really cut down on the costs of learning and acquisition of new technology or even maybe not even having to come to a an organization like ours as your first set and having a much more informed conversation in the community what's the one thing that you know that surprises you that people don't do community r1 kind of like this is so simple every company should do it but a lot of companies don't well I think that this is a little bit of an abstract but I think that the biggest thing that constantly astounds me is that that manufacturers aren't willing to put value on their own information of data um they they just don't feel that that what they have is really worth protecting and I think that that's due to the fact that a lot of manufacturers who especially those who have been around for a while it's kind of like a frog oil in your water you don't notice the change but over the decades your organization has has really developed a lot of unique business practices and effective procedures that make you competitive in the market and wanting to protect those when I go from one organization to another and I see a new and unique thing that they do and I'm just amazed to think that they haven't realized what they have inside their organization and that it needs to be protected again it's not just the IP of the product or its design it's the idea of all their processes absolutely represent the real various barriers yeah and there's a reason that not just anyone can just start a business tomorrow and compete right there's got to be a reason for that whether it's the relationships that technologies the procedures whatever those may be on a technical side I think some of the things that I would really wish more organizations would do would definitely be some of the homework aspects of cybersecurity so like finding a way to encrypt your data and your data backups is huge a loft laptop can compromise million dollars in business so not having those encrypted same thing with mobile phones to huge threat uh you know things like a multi-factor authentication which if you're not familiar is you know you put in your username password and then a secondary system will confirm the logging on whether that's a push notification on your phone or a little keychain you've got or a USB key inaudible O'Donnell that dongle will it will save your bacon I mean it really cuts down I don't want to say your zero but it completely eliminates it from a lot of actors the ability for somebody use a stolen password to compromised your systems so those are huge so the last question that we always ask people is what keeps you up at night I'm not even sure I want to know what keeps you up at night you're dealing with some pretty heavy stuff here to be completely honest what really keeps me up at night are the friends family members community members people I've known for a lot of years who work in manufacturing and I'm just concerned that they aren't going to have jobs because the economy changed because of you know shifting markets but because of the shift of intellectual property outside of the normal senses where those are cat you know whether it's to another competitive group or to another nation state or to a different global presence or you know increasing regulations making it untenable for their employer to continue to function as a manufacturer in the regulated space or industry and that's really what keeps me up I mean here in Michigan we do a lot of work in regulated spaces and increasingly more so there's a lot of influx of aerospace manufacturing coming here there's a lot of more military contracts coming here but you know we're not doing missile defense here we're not doing suffer here we're not doing some of the really highly secure but high-dollar industries we tend to do a much smaller dollar amount defense contracting here in Michigan with a lot more people involved and it's those people that I really want to make sure to have jobs going forward so my thing that keeps me up at night is signing away for specifically Michigan manufacturers to be more competitive than manufacturers in other states and other nation states awesome Thank You Ryan this is really good stuff I could talk for quite a while longer but we wanted to try and wrap up in 50 55 minutes so just a couple of housekeeping items we are recording this webinar and we'll be sending it out the length also the right place has a four-step cybersecurity plan a PDF that will send a link to deals with NIFT issues I guess and any feedback at the watch this is welcome will it to do more webinars on manufacturing related topics and perhaps a cybersecurity and other aspects of it as well so thank you for taking the time to watch this thank you to the Michigan manufacturin technology center amenity C West for partnering with us on this webinar they're really kind of a hidden gem in the region for small and middle-market manufacturing companies they provide great technical support to manufacturers the kind of help some small middle market companies help them develop their business leaders effectiveness to drive product innovation to promote operational excellence and to help secure themselves and improve their profitability cash flow so the thing with the MMT C West is that every project starts with the build cost assessment and once they figure out what a company needs they come up with experts like your firm so I would encourage you to check out their website which is WWMT C West org that concludes today's webinar thanks for taking the time to watch I certainly