In 2024, a mid-size metals distributor in the Midwest was hit with ransomware. Their systems were locked for 11 days. They could not access inventory records, customer orders, or financial data. They shipped from memory and paper for a week and a half, losing an estimated $800,000 in revenue and spending $120,000 on incident response and recovery.
This is not rare. Manufacturing and distribution companies are the second-most-targeted sector for ransomware attacks, behind healthcare. Steel service centers are high-value targets because they process financial transactions daily, hold customer data, and often run on older systems with known vulnerabilities.
The Vulnerabilities
Legacy systems without security updates. A Windows Server 2012 running a 15-year-old ERP has known vulnerabilities that are trivially exploitable. If the system is connected to the internet (even indirectly, through the same network as email and web browsing), it is exposed.
Weak access controls. At many service centers, multiple employees share the same login credentials. The accounting manager's password is on a sticky note under the keyboard. The admin password has not been changed since the system was installed. These are not hypothetical scenarios. They are common findings in security assessments of small and mid-size businesses.
Email phishing. The most common attack vector is a phishing email that tricks an employee into clicking a link or opening an attachment. The email might look like a purchase order from a supplier, an invoice from a carrier, or a notification from a bank. One click installs malware that spreads through the network.
No backup or recovery plan. Many service centers back up data inconsistently or not at all. When ransomware encrypts their files, they have no clean backup to restore from. The choice becomes: pay the ransom (typically $50,000 to $500,000, with no guarantee of data recovery) or rebuild from scratch (which can take weeks).
Basic Protections
Multi-factor authentication (MFA) on all accounts. MFA prevents stolen passwords from being used to access systems. It is the single highest-impact security measure and costs nothing for most cloud platforms.
Regular, tested backups. Back up all critical data daily. Store backups offline or in a separate cloud environment that is not accessible from your primary network. Test the restore process quarterly. A backup that has never been tested is a backup that might not work.
Employee training. Annual cybersecurity awareness training for all employees. Focus on email phishing recognition, password hygiene, and reporting suspicious activity. The training does not need to be technical. It needs to be practical: "If an email asks you to click a link to verify your bank account, do not click it. Forward it to the IT contact."
Software updates. Keep all systems updated with the latest security patches. If your legacy system no longer receives security updates from the vendor, it is a liability. This is another argument for migrating to modern, actively maintained software.
Network segmentation. Separate your operational technology (warehouse systems, processing equipment controls) from your information technology (email, web browsing, ERP). If an employee clicks a phishing link on their office computer, network segmentation prevents the malware from reaching the inventory system or the processing controls.
The Cloud Security Advantage
Cloud-native platforms have a structural security advantage over on-premise systems. Cloud providers (AWS, Google Cloud, Azure) invest billions annually in security infrastructure, monitoring, and incident response. Their security teams are larger and more specialized than anything a service center could build internally.
A modern cloud platform also handles updates automatically. There is no patch to install, no server to maintain, and no version to upgrade. The security improvements happen in the background, continuously, without requiring action from the service center.
This does not mean cloud systems are invulnerable. But the security posture of a well-designed cloud platform is dramatically better than a 15-year-old server in a warehouse office closet. For service centers evaluating technology decisions, security should be a factor, not an afterthought.