West Michigan manufacturers face widespread phishing, cybersecurity threats

“Please see attached.”

That’s the email employees at Grand Rapids-based Kindel Furniture Co. Inc. received from a company vice president in late April. Within a few minutes, two people had tried to open the included attachment and replied to the apparent sender that they were having trouble.

“It didn’t take long to put it together that she had been hacked,” Dennis Patterson, vice president of finance and administration at Kindel Furniture, told MiBiz. “Something had happened.” 

This cyber attack was the beginning of a monthslong process to protect the company’s data. Luckily, the compromised computers did not contain customer or financial information, Patterson said, but they could have. 

Phishing emails, a type of cyber scam where attackers send an email that appears to be from a legitimate source, are one of the most common breaches of cybersecurity, according to Scott Taber, cybersecurity awareness program specialist at the Michigan Small Business Development Center.

“We get tons and tons of emails every day,” he said. “That’s one of the easiest ways and quickest ways that small businesses are falling victim to cybersecurity attacks.” 

Half of U.S. companies have suffered at least one data breach during the past 12 months, according to a recent report from professional services firm Sikich LLP. Of the 50 percent of respondents who said their companies experienced data breaches, 11 percent said they had experienced “major” breaches.

Still, executives believe their companies can thwart attacks, according to the report. A majority said they are “extremely” or “very” confident in the ability of their companies to prevent or minimize the effects of data breaches.

The report found that many manufacturers — especially those with less than $500 million in revenues — neglect key cybersecurity preparedness efforts. Overall, fewer than 40 percent of companies of this size perform cyber audits, testing, security assessments or phishing exercises on employees.

Phishing email attacks can start to take effect within minutes of an individual opening an email or file. That means prevention is key, according to Taber. The Michigan SBDC offers in-person and online courses for businesses and individuals looking to improve their approaches to cybersecurity.

“Employee training is one of the most important things,” he said. “You can minimize the chances of suffering from a data breach or a cyber incident because your employees are aware that it can happen, they’re aware of what phishing emails look like, and they’re aware of prevention methods.”

After the phishing email attack at Kindel Furniture, the company put its employees through cybersecurity prevention instruction.

“The number one thing is to be aware of every email and get in the habit of almost inspecting it as far as the time it came, who it’s from, the email address,” Patterson said. “If there’s a link, hover over it before you actually click on it.”

Coincidentally, Kindel added cybersecurity insurance just two weeks before the attack, according to Patterson, which resulted in the outside I.T. work, training and new computer costs being covered in full. 

“That insurance is not very expensive,” he said. “It’s necessary for this day and age because this hacking business is getting more and more prevalent and they’re getting smarter and smarter.” 

Companies also can prevent cyber attacks or data breaches by ensuring their devices are updated fully. 

“Whether it’s computers or our smartphones, both those types of devices are susceptible to hacking,” Taber said. 

In May, hackers digitally seized about 10,000 Baltimore government computers that were susceptible to attack because of their outdated operating systems. It was Baltimore’s second ransomware attack in about 15 months. 

Even though the city refused to pay the hackers, the so-called “ransomware” attack — when hackers block access to a computer system or documents until the owner pays a ransom — has already cost the city millions of dollars in data recovery and related costs, according to reports. 

“It’s important to make sure your software is up to date and to restrict access to your employees of what data they actually need to be able to do their jobs, as opposed to granting full access to all the data that the business has,” Taber said. “Only grant access to the data that they need to do their daily job.”

Business and government contractors can access cyber threat assessments through the Michigan SBDC, a process that can pinpoint vulnerabilities, according to Taber. 

“It’s only a matter of time until a vulnerability is found in the firewall that allows someone to get it through,” said David Burrell, I.T./O.T. (operational technology) networking consultant at automation technology firm Siemens Industries Inc. 

Speaking to an audience of manufacturers at a cybersecurity training seminar organized by The Right Place Inc., Burrell said Industry 4.0 has made manufacturers more exposed than ever. 

“There are more devices that are being connected and we’re trying to pull data from every one of them,” he said. “We need to make sure that we have systems that are more reliable, more safe, more secure and safe for the people on the plant floor.” 

A lot of the devices that are being produced as part of the “Internet of Things” are not created with security in mind, according to Taber. 

“There’s a lot of vulnerability for those devices that a hacker could potentially exploit,” he said. “Make sure they’re not on the network that has access to your most critical data. Put them on a separate network to run so that way, if a hacker does try to take over one of those to gain access to your network, it can’t get to the crown jewels of your business.” 

As of last week at Kindel Furniture, every employee had passed the first surprise phishing email test that Patterson set up to evaluate their new cybersecurity knowledge. Still, he isn’t satisfied with the result.

“I’m a little disappointed because the test was asking employees to click on an Excel spreadsheet to provide updated banking information for payroll,” he said. “It was too obvious a phishing email, in my opinion.”

Next time, he said, the test will be trickier.