McCormack's plastics experience includes a total of 12 years at Dow Chemical Co. and Teknor Apex Co. before a 10-year stint at compounding leader PolyOne Corp. and its predecessor M.A. Hanna Co. Since 2006, he's led his own consulting firm, Rockwood Group Inc. of Avon Lake, Ohio.
Late last year, McCormack began working with Cleveland-based SecureState, a management consulting firm specializing in information security and risk management.
One common scam includes an email allegedly from a firm's CEO, saying that the CEO is on vacation and wants someone to handle a money transfer. Sometimes, McCormack said, the scammers luck out and contact a firm where the CEO actually is on vacation. One manufacturing firm recently lost $250,000 as a result of this ruse, he added.
In another case, malware placed on a manufacturing firm's computer network caused the website of a raw materials supplier to appear to be down when a customer tried to place an order. The malware asked the manufacturing firm's buyer to try and place the order again in 24 hours. When the buyer did so, McCormack said, scammers took the $4.8 million the buyer sent.
Late last year, Plastics News reported on a scam in which injection molder Viking Plastics of Corry, Pa., lost $10,000 when the firm's controller paid into what she thought was a new bank account for one of its suppliers.
Cyber-security also plays a role in mergers and acquisitions. In a blog post earlier this year, McCormack wrote that even with data breaches remaining a steady concern, “far too many M&A teams are ignoring information security as a key piece of data for decision making.
“How secure is the company potentially being merged with or acquired?” he asked. “What happens to the value of the target company if a breach occurs, or is discovered to have already happened? Could that company pose a security liability to whoever is merging with or acquiring it?”
McCormack — who is also a board member with PolymerOhio Inc., a plastics industry advocacy group — said that at his previous career stops, he reviewed data and performed due diligence on hundreds of companies.
“Financials were reviewed, audited, recast and recalculated in every way to determine if this was a good deal for us,” he wrote. “However, even with all of this analysis, when it came to IT, we usually only focused on what systems they were using and how hard it would be to integrate those into our company.
“To be honest, there was never much thought given to information security, or to the vulnerability of the target company to hackers or other technology risks.”
With that in mind, McCormack added that “it's clearly time that M&A teams place emphasis on determining the security posture of a target company as part of the due diligence process.
“No one wants to buy something that could lose all its value overnight,” he said.
SecureState works with client firms to review their security measures. The firm identifies a client's current state of security and then develops a strategic roadmap to get them to their “secure state.”
Doing so includes risk assessments, compliance audits, web application assessments, wireless and mobile device assessments and many other security reviews. The firm also works to develop policies and procedures, including incident response plans, which officials said “are very important in the current age of security breaches.”
SecureState's clients include large retail, healthcare, manufacturing, financial and law firms and insurance organizations. The firm also works with smaller regional companies.
“We've had cases where clients have told us if they had known about some of these cybersecurity issues before hand, they would have walked away from a deal,” McCormack said. “You don't want to buy someone who's been breached and lost profitability and customers.”