A small packaging company serving automotive, appliance, furniture and medical industries faced ransomware events, costing both business disruption and customer goodwill, twice in the last year. The leadership became convinced of the need to institutionalize a robust cybersecurity program.

​

The company engaged ResiliAnt to develop their cybersecurity risk management program in compliance with the NIST framework.

Key observations

First, the company used a flat network architecture. It meant that all devices were connected to a single segment irrespective of their functional criticality to the organization. The company was also exposed to many human-centric risks, making it more susceptible to cyber-attacks. For example, the organization had weak password management practices and the employees weren’t adequately trained on cybersecurity awareness.

Second, about 65% of all connected assets were found to be vulnerable with each having about 450 vulnerabilities. While OT devices accounted for only 15% of all connected assets, they were the most vulnerable. Many of the OT devices were vulnerable to scanning; in other words, they would either reboot or shut-down if network scanning were performed.

​

Third, while none of the Bring-Your-Own-Devices (BYOD) were found to be vulnerable, they were connected to the same network as other business critical applications. The BYOD devices are often exposed to the external environment when connected outside of the enterprise network. Hence, they bring an elevated level of risk to the organization.