Superfast IT Blog | IT Support & Cyber Security

Interview with CYBER EXPERT James Cash: Manufacturing & cybersecurity

Written by Katherine Garratt | 10-Sep-2021 15:46:21

Superfast IT Founder and Managing Director, James Cash, was recently interviewed by Matt Bradfor-Auger from Finally as part of the 'Engine Room' manufacturing and engineering company spotlight. James talks about the evolution of IT in manufacturing, highlighting how cybersecurity is a game-changer in technology today. During the interview, James also gives his 3 quick wins for manufacturers to get ahead with cybersecurity:

Welcome to the engine room
30-Second elevator pitch
What is your favorite quote that you like to live by?
What is your view on the future of UK manufacturing?
What is the biggest lesson you've learned during your time in the manufacturing industry?
Top 3 quick wins for manufacturers' cybersecurity




Welcome to the Engine Room


Matt: Hello and welcome to the engine room. I'm here with James Cash, the owner of Superfast IT. James, how are you doing today?

James: I'm good. Thank you Matt. Thanks for having me.

Matt: You're very welcome. James you might recognise from doing an industry insights article for The Engine Room, I think it was either last week or the week before now. James, I have to say in the article, one of the things that probably jumped out at me the most and was probably the most terrifying point was that 47% of manufacturing businesses were hit by a cyberattack over the past 12 months.

James: Yes, they can range from compromised passwords and email mailboxes right through to production being stopped due to ransomware attacks. But yes, there's a whole range of attacks, very prevalent in today's times, unfortunately.

Matt: Especially with everything moving online. Production isn't happening necessarily from home, but with more office staff probably working from home more frequently, I'm sure some companies will be having a more flexible approach. Cybersecurity is something that is going to, or should be at least, quite high on their priority list, right?

James: Yes, definitely, especially now. I think at the start of lockdown people were panicking to get people up and working from home. Cybersecurity took a back seat for a lot of businesses at that time. People working off their kids' laptops and iPads, working on their home networks, and companies scrambling just to get people working. But now, that's got to change. We need to circle back and look at the security side of things and make sure they're protected. We're seeing attacks all over the place now and read about them in the news. It's pretty commonplace.

Matt: And it's a compliance thing, right? There's that whole thing with, from [my perspective] a marketing perspective, GDPR too. Any sort of data breach is going to have massive repercussions for any company, right?

James: Yeah, obviously there's the compliance in terms of data protection and risk of fines if you don't have appropriate cybersecurity controls in place, but also from your customer's perspective. A lot of manufacturers work in supply chains for bigger companies and those companies will naturally enforce cybersecurity controls down through their supply chains to make sure that they're protected themselves and not exposed to a supply chain attack.

 

30-second elevator pitch

Matt: Absolutely. So obviously you've seen some of these company spotlights before. So in the first part, we're going to jump into your 30-second elevator pitch. Are you prepared?

James: Yes! I am going to keep it short because I don't think anyone has ever listened to an elevator pitch for more than 10 seconds. I'm going to try and go for a record time.

Matt: OK alright, I think the record, if I remember rightly, is around about 15 seconds. So your 30-second elevator pitch, whenever you're ready...

James: Many small manufacturers don't have the time or the expertise to make the most of the technology that's available to them. Superfast IT provides you with a complete team of specialists so you can harness the full power of IT and make it a competitive advantage. We're the IT support company that helps you win at business.

Matt: That was close. That was 17 seconds - it was good! I can't be completely sure that 15 seconds is the record, but that's got to be close.

James: I'm sure I could hone it...

Matt: Well, we'll bring you back for a second one, just to see if you can do better! I've gotta be honest with you, the number of people that get under 30 seconds - I could probably count on one hand!

What is your favorite quote that you like to live by?


Matt: So next section; the first question of 'The Big Three' questions - what is your favorite quote that you like to live by?

James: OK, so my favorite quote is one by Winston Churchill: "If you're going through hell, keep going". I think it's relevant to the pandemic and encapsulates the British Bulldog tenacity. I share it with my team a lot and I use it myself as well.

Matt: That's it, that is a really good one. It has to be said, there's something to be said for just staying the course and keeping going. Sometimes it can be difficult as you know to see the light at the end of the tunnel, but you have just got to keep going, right?

James: Yes, definitely.

What is your view on the future of UK manufacturing?

Matt: So question two. This is probably quite related to your favorite quote, to be honest. But what is your view on the future of UK manufacturing?

James: Well, I think it's positive, and technology is going to bring about a lot of change. I used to work at Rover 25 years ago when I first got started in IT. I worked in the purchasing department within a small IT team. There were 350 staff in a huge open-plan office and they only had ten computers, all in a bank in the centre of the office.

If they wanted to send an email or raise a purchase order, they would have to go and sit at one of these computers. Obviously, things have come a long way since then. I was involved in putting a PC on every desk [at Rover]. Today, there's a lot of new technology; artificial intelligence and the Internet of Things (IoT), for example, but I think what manufacturers need to focus on, from a technology point of view, is cyber security.

We see a lot of stories in the news with manufacturing companies and gas pipelines being shut down. A lot of businesses and manufacturers think that they're too small to be targeted and that it won't happen to them. It's the big companies that hit the news, but criminals attack indiscriminately.

They're trying doors and windows [into your business] looking for weaknesses, and when they find one they will exploit it. National state countries will also target smaller businesses because they present an easy route into larger companies. Smaller companies can be used in supply chain attacks, such as with prominent tier one defense contractors. We've seen stories in the news of blueprints for Apache helicopters being stolen.

Matt: Wow! Is that something you see a lot? It'll be very easy, and I suppose it's probably a common misconception for smaller companies, to think who's going to attack us? Because we're a two person, five person, 10 person team - no one is going to care about us. But I suppose that's the easiest access point, isn't it?

James: Yes, smaller businesses will have weaker security than a company that's got 10,000 people and multiple sites and an IT team. They probably have more rigorous controls in place than a lot of smaller organisations. That's what we're trying to do: bring our clients' security up to the same level of security as a larger company.

Matt: Smaller companies need to start thinking like bigger companies in terms of how they secure their data, especially if they are part of, as you say, part of a wider supply chain.

James: These days every company is a technology company and every company depends on technology to run. If you haven't got that reliable, secure infrastructure in place, then you're going to run into problems.

 

What is the biggest lesson you've learned during your time in the manufacturing industry?

Matt: OK, so last question of 'The Big Three' is what is your biggest lesson that you've learned during your time around the manufacturing industry?

James: I would say probably the biggest lesson for me was seeing how a small manufacturer was brought to its knees through a ransomware attack. The IT company that they were using hadn't got sufficient controls in place. They were down for a couple of weeks. They lost a lot of data because their back-ups had been compromised and it had a huge negative effect on their business.

That brought it home to me that it's not just something that's in the news anymore. This is happening to businesses a few miles away from us. Every company needs to sit up and take notice. Back then, five years ago, when we came across that company, I was thinking, well we've never had a client hacked - it is something that you see on the news or in the movies, but this is happening on our doorstep now.

Since then it's escalated massively and there are more stories in the news and, you know, more companies being hit.

Matt: Sure, and I suppose when it is those smaller companies you know it's almost as if the smaller companies need to be more aware of cybersecurity because if they get hit, they don't have the back-up that bigger companies might have. It could wipe them out if they had a breach - it could kind of destroy the company, whereas a larger company might have loads of cash and revenue that they can go 'OK, we'll take the hit and it's absolutely fine'.

James: Exactly. I was speaking to a company that had been hit by a cyberattack. They were a solicitors firm with 50 staff. They were wiped out for days because they had got two IT staff to get around 50 machines and a bunch of servers to carry out the recovery - it's no mean feat.

Matt: Yes, I can imagine.

Top 3 quick wins for manufacturers' cybersecurity

Matt: OK, so next section is our question of the week and this week our question is what are the top three quick wins for manufacturers when it comes to cybersecurity?

James:

  1. Carry out a security audit and risk assessment

    My first tip is to get a competent authority to carry out a security audit and risk assessment. The first step in securing an organisation is to understand what you need to protect and where you might be vulnerable.

    So don't just assume that because your IT company is doing some stuff or you've got an internal IT person, that your business is protected. When we do these types of security audits we come across lots of companies that have insecure, outdated and vulnerable IT systems.

  2. Get Cyber Essentials

    My second tip is that if you've got blue-chip customers, you can expect to have security standards enforced on you through your supply chain. One of the starting points for them is often Cyber Essentials. So if you don't have the Cyber Essentials accreditation in place already, that's something that you should really look at.

    If you, for example, work with a prime, OEM or large Tier One supplier, such as BAE Systems, or work on a government contract, a lot of those companies are stipulating that, as a basic level of compliance, you need to have the Cyber Essentials framework in place.

  3. Segregate machinery computers from the main IT infrastructure

    My third tip: Manufacturers, don't have machinery with computers connected to your main IT. So a lot of machinery these days has a computer that's involved in the control of the machinery. That piece of equipment might be expected to last for maybe 20 years, but the computer software is never updated.

    You wouldn't normally keep the computer that long, so we have to take extra steps to protect these things by isolating them on the network. We would recommend that manufacturers have segregation on the network, such as using something like VLANs or firewalls to protect that equipment from the main computer network and make sure that either those machines couldn't be damaged in an attack, or if they were compromised, the machinery's computer couldn't be used to access data on the main corporate network.

James: So they are my three quick wins: getting a security audit from a competent authority, getting the Cyber Essentials accreditation and segregating your network for your industrial equipment.

Matt: Excellent! Well they are brilliant tips, really actionable and I have to say that last one, about updating the software, is something that you don't really think about, right? If you've got a computer attached to a machine, it's probably something that a lot of people wouldn't think about. Well, that's going to be attached to my network so it's an access point.

If it's not being used for surfing the Internet, for example, I suppose there is the misconception, I'm not using it for that, so it can't be accessed right?

James: They might think that, but it could be that another machine on your network is compromised and that allows access to your machinery. We have clients with machinery that is a big oven, heating metal, and that's controlled by computer equipment. Some of these are very old and you wouldn't want that oven going into overdrive overnight because someone decided to mess with the settings. Or for that machine to be compromised because it's running Windows XP, for example (an operating system that is no longer supported by Microsoft and not getting security updates).

Matt: So I think one of the things that is probably going to come up, not an objection, but, 'this will never happen to me' or 'why would someone do that?' Why would someone want to, as you say, turn up an oven or access a small company's network to change settings on something? What's the purpose?

James: You have really got to look at who the threat actors are now. The biggest issue at the moment is cybercriminals. And this is serious, organised crime. It's not a kid in the bedroom, as you might think of as a computer hacker. They're looking to impact your business either through financial fraud, by compromising an email system or an accounting system; changing bank details, extracting money from your account, or that of your customers or suppliers. Or they might be looking to encrypt your data to prevent you from having access to it so that they can extract a ransom from you.

There are also nation-state actors, which might be just looking to compromise your system to then gain access to one of your customers. Or they might be looking to cause economic disruption to a supply chain. North Korean hackers or Chinese nation-state-sponsored attackers could be looking to infiltrate companies in the UK so that they could potentially use and steal intellectual property (IP) or just disrupt those businesses to disrupt our economy. It gives them a political advantage.

Matt: Yeah, that's going to be quite a huge concern. And although it's maybe not something people think about, it is something that goes on.

James: There's also still going to be traditional bedroom hackers, but there's going to be organisations involving themselves in something called 'hacktivism', targeting companies based on some kind of politics or ideology, like animal rights. If a company was involved in animal testing, then they might be targeted. We've had a client targeted because they're involved in dairy and one of the farms in their supply chain had something to do with badger culling. They got caught up with hacktivists who were targeting all those in that supply chain.

There are various different things that motivate different people that can all lead to businesses suffering from cyberattacks.

Matt: I mean, it's worrying. It's not all doom and gloom as such, but when you stop and think about how vulnerable everyone is to a cyberattack it does make you stop and think. We all think that we're safe because we're just one person or we're just a small company. But when you are part of, as you say, a bigger supply chain, then you're connected to the other businesses.

And if you are vulnerable, then it's something that you need to be thinking about.

James: I think you can take some comfort from the fact that the majority of cyber-attacks are mitigated by following good cyber hygiene. If you keep your systems updated, have a password policy, configure things in a secure way and use anti-malware software, don't let people have administrator rights - all the stuff that's included in Cyber Essentials, you can prevent around 80% of cyber-attacks. Then you know you need to look at things like data back-up and application whitelisting.

You can make your business pretty hard to attack and that's what you want to do. You can use the analogy of home security. If you've got an alarm, a German shepherd, a high fence, CCTV system, and locks on your doors, attackers are probably going to move along to the next house. You're going to make your business a tough nut to crack. You might still get attacked, but you're reducing the likelihood and also you're reducing the impact of that attack, should you get one.

Matt: Well, this has been really eye-opening, really interesting chatting with you, James. James Cash, owner of Superfast IT, thank you so much for joining me in the engine room today. Have a good one.

James: Thank you, Matt.

 

How can Superfast IT help?

Here at Superfast IT, we offer two cybersecurity packages and Cyber Essentials for manufacturing and engineering businesses.

Take the next step by scheduling a meeting with one of our experts to discuss your cyber security, and we can provide you with a hassle-free, great value business solution.
