PROFILE
Company: Stein Seal Co.
Business activities: Provider of custom seals and precision components for aerospace, marine, and industrial applications.
Employees: More than 200
Founded: 1955
Headquarters: Kulpsville, PA
Cybercriminals are computer geniuses, so the biggest threats must involve complex hacks that bore through a company's defenses, right?
No, says Steve Cobb, who heads up cybersecurity for Stein Seal Co., a Rolls-Royce supplier.
“The biggest threat continues to be social engineering,” which is a non-accusatory way of saying that employees who let their guard down and fall for a scam are the main vulnerability. “The bad guys are using technology to take advantage of the biggest weakness we have, which is our users.”
Q: You said phishing attacks are getting more sophisticated. How?
S.C.: The bad guys are getting better and better. One of the red flags you used to be able to look for was bad grammar, bad spelling. The bad guys have caught on to that. They use very legitimate-looking emails. They’ll grab logos off other people’s websites and put them in their emails. That’s a big part of our training, in recognizing emails. I say to my users, unfortunately, you have to be paranoid.
Q: Stein Seal is a small organization, but you focus full-time on this responsibility?
S.C.: Yes, 95% of my job is cybersecurity. The majority of companies our size have one person doing network administration and management, and then cybersecurity as a secondary responsibility or afterthought. There’s a big swing now in light of what’s happening, the amount of money companies are losing, and the disruptions cybercrimes cause. I think Stein was ahead of the curve.
Q: What about training?
S.C.: Training is critical, but the trick is you don’t want to have productivity be sacrificed. We do annual cybersecurity training in October, which is cybersecurity month. We do it in small groups but pull people off the shop floors, have them sit down and we get in their face with it. Monthly, we do phish testing, where we’ll send out fake phish emails and see how folks do. Sometimes I’ll do little contests. Part of teaching and learning is keeping it interesting.
Q: Have you suffered an attack?
S.C.: We’ve had some small ones. We had one recently that resulted in a monetary loss. It wasn’t huge. It was social engineering through an email. We weren’t compromised but we were a victim. I don’t want to go into specifics, but it made it very real for us. Someone in our organization was duped by a bad guy posing as one of our suppliers. Their email system was compromised. The bad guy was posing as that business. We thought we were dealing with that company when in fact we were not.
Q: How do you stop a scam?
S.C.: By putting something in place that says, ‘If you get something like this, it has to go through a chain of approvals.’ For changing payment information, for example. So if you get an email that says, ‘We no longer accept checks, we will accept wire transfers and this is the bank information,’ that now has to be approved by two people.
Q: Sum up the best defense strategy.
S.C.: It comes down to money. This is something that’s going to have to be a budgeted line item, and it hasn’t necessarily been in the past. This is going to have to be an expenditure on an annual basis. More and more companies are getting hit, and not only one time. That tells you this is a serious thing. This is happening.