Anticipating the attack
Will cybersecurity be your biggest risk this year?
Apr. 14, 2015 – Several months ago, Borden Ladner Gervais LLP released its annual Top Ten Business Risks round-up with cyber risks topping the list for 2015. The Toronto, Ont.-based law firm noted that “even as organizations invest millions to protect their data, the question is unfortunately when and not if it will happen” — but why is that exactly? How can BLG be so sure all organizations are at risk? Manufacturing AUTOMATION chatted with Ira Nishisato, partner, Commercial Litigation Group, to find out why cybersecurity must be seen as a problem for the entire organization, not just the IT department.
MA: Why did BLG choose cyber risks as the leading business risk of 2015?
Ira Nishisato: It topped our list this year because cyber risk affects all businesses, small to large, irrespective of the industry they’re in. Today, about 98 per cent of all information that is produced is stored electronically and as a result, all businesses have concerns with potential data breaches and security lapses in their IT infrastructure. This isn’t a new [concern]. We’ve seen a tremendous growth in the volume of data that is now stored electronically, so businesses need to be increasingly aware of what they can do to secure information — a critical asset.
MA: What kinds of cyber risks and attacks are unique to a manufacturer?
Ira Nishisato: Manufacturers have always had in their possession confidential and proprietary information, as well as intellectual property. This can be information that belongs to the manufacturer itself or its customers. Some may be [more] secure than others but I don’t think anyone would suggest that their business is immune to cyber attacks. As a result, we advise clients that they should not put their head in the sand and just hope this will not happen to them. We’ve seen [attacks] happen to all levels of organizations: small and large businesses, government agencies, charities and even huge corporations. It’s not a question of if it will happen, but when.
MA: How can a successful cyber attack affect a manufacturer?
Ira Nishisato: [A breach] can turn into a nightmare because so much of a company’s reputation these days relates to its competitive advantage, and the confidential information we’re discussing is really key to the entire value of the [operation]. There are many businesses for which a single product or line of products makes the brand. If information like confidential designs, pricing, customer and supplier information, and contracts is leaked, it can be absolutely devastating to the business. Today, information is overwhelmingly stored electronically and manufacturers need to be particularly concerned that they have appropriate safeguards in place to protect that information.
MA: Speaking of which, what are some cybersecurity best practices a manufacturer can adopt?
Ira Nishisato: In terms of data security, it’s essential that businesses be aware of how and where their data is stored. They need to be proactive in providing security plans and if necessary, seeking expert advice on how that data is best secured. For example, in some smaller, mid-sized businesses, it’s not unusual for there to be a single server where all documents are stored, and virtually anyone can access that information. Some [data breaches] are caused by hackers, but a great deal of them actually involve internal attacks where you may have a disgruntled employee or industrial espionage. There have been cases where an employee leaves a business to join a competitor — which of course [they] are entitled to do — but some actually remove confidential information in the process. In the olden days, you’d have to smuggle out boxes of documents. Today, you can have a single USB key that contains really sensitive information that gets to the core of a business.
MA: How can an employer help reduce the risk of an internal attack?
Ira Nishisato: You need very clear and strict security protocols, so that even before an employee leaves, the business is clear as to who has access to what. Security measures should also be in place to carefully monitor that the appropriate access restrictions are in place. In cases of employee terminations, the business has to shut down internal and external access immediately. There have been [instances] where a business may terminate an employee and shut down their internal email access but neglect to shut down external access and, of course, that can lead to a problem. So much of this comes down to anticipating these risks. In terms of the security of the network, there’s a great deal businesses can do. They can retain experts to come in and study their infrastructure, identify weaknesses in the system, and recommend measures to correct all of that. I think the difficulty is that some businesses can be reluctant to spend money until they have to, but when [you] look at the scale of these risks and just how much damage can be done, taking [these] preventative measures is definitely warranted.
MA: How do you think the face of cybersecurity will evolve? After all, more and more information will continue to be stored online.
Ira Nishisato: Technology evolves in unpredictable ways. Cybersecurity is a bit of a cat-and-mouse game. Greater awareness of cybersecurity risks can result in improved security measures but hackers are innovative and seem able to find weaknesses in any system. We should expect cyber attacks from outside organizations (i.e. hackers) to become more creative and sophisticated, and cyber attacks from inside organizations (i.e. rogue employees) to remain a problem in the future.
The case of Anton Piller K.G. vs. Manufacturing Processes Ltd.
It’s interesting to note that the 1975 manufacturing court case, Anton Piller K.G. vs. Manufacturing Processes Ltd., opened the door to civil search and seizure orders — court orders that grant the right to search premises and seize confidential documents, servers and other evidence without warning. Known as the Anton Piller Order, this type of order has become common in the digital age, said Nishisato, where electronic data stolen in a cyber breach can be readily deleted and removed from a computer or server.
The plaintiff, Anton Piller, was a German manufacturer of motors and electric generators used in the computing industry, which worked with Manufacturing Processes, an English agent that sold Piller machines to customers in England. The plaintiff said it supplied the agent with confidential information about the machines, including “a manual showing how they work, and drawings which are the subject of copyright,” as quoted from a transcript of the case’s shorthand notes.
According to Piller, it found out Manufacturing Processes was in secret communication with rival companies about supplying those drawings and other confidential information, so that competitors could manufacture similar power units. Piller was afraid that if given warning of an impending lawsuit, Manufacturing Processes would destroy all incriminating documents and no supporting evidence would be available at the time of the search. In this case, the order allowed the authorities to enter the business premises of Manufacturing Processes in order to inspect, remove and make copies of documents.
To learn more, visit bailii.org/ew/cases/EWCA/Civ/1975/12.html.
This article originally appeared in the March/April 2015 issue of Manufacturing AUTOMATION.