It’s no secret that manufacturers have been hit hard during the pandemic. As if throttled supply chains and spiralling inflation weren’t enough, there’s the mounting threat from cyber attacks to contend with.
The sector accounted for nearly a quarter (23%) of ransomware attacks in 2021, more than any other vertical. But while cyber security leaders may understand well the risks involved in expanding digital transformation projects, sometimes boardrooms are less attuned.
This must change. Only with a proactive security strategy driven by senior leadership can manufacturers hope to head off critical risk to their business, and benefit from all that digital innovation has to offer. As long as the C-suite continues to be unengaged, these transformative benefits will remain out of reach.
Digital investment means digital risk
According to IBM, manufacturing overtook financial services as the most attacked sector last year, after a long reign by the latter. Why? Because threat actors bet that the disruption caused by ransomware would have such a potentially critical impact on downstream supply chains that manufacturers would have no option but to pay large ransoms. Their logic is sound. In fact, the sector is increasingly exposed to threats like these as organisations seek to modernise their IT environments.
According to a separate study published by The Manufacturer, digital transformation is happening apace in the industry. Over two-thirds (67%) of respondents to a poll claimed that they’ve accelerated adoption of digital technologies due to the pandemic, with just 16% pausing such projects. They see technology improvements as key to unlocking operational efficiency, resilience, and productivity.
But with these initiatives comes additional risk, as the corporate cyber-attack surface grows. Part of this is down to the addition of connectivity to legacy OT equipment. Typically, such systems are both challenging to patch and have long product replacement cycles. Trend Micro research from 2019 found that as many as 69% of global manufacturers run outdated operating systems, for example. Why does this matter? Because unpatched software vulnerabilities are a key threat vector. The IBM study found that nearly half (47%) of ransomware attacks on manufacturers in 2021 were down to bugs that the targeted company had not or could not patch.
When OT systems were offline, these deficiencies were largely ignored. But thanks to internet connectivity, remote attackers are now able to probe these machines anonymously from afar. That spells heightened risk for factory owners. These machines also communicate using outdated and insecure protocols, highlighting another potential avenue for compromise.
There are many more. As manufacturers digitalise, they’re hooking more systems up to cloud infrastructure to improve process efficiencies and productivity. But these environments are often misconfigured, and may also be left unpatched. Internet of Things (IoT) devices are also increasingly popular in smart factories, but they too can introduce new avenues of attack for the same reasons. It’s a fast-growing industry where adequate cybersecurity protections are not always built into devices.
All of this could lead to crippling production outages due to ransomware compromise. But that’s not the only threat, as serious as it is. The majority of these attacks also include a data theft element today. That could spell highly sensitive schematics, production designs and other IP falling into the wrong hands. Apple supplier Quanta Computer found this out the hard way when it was hit last year with a $50m ransom demand following a serious data breach.
Do boards ‘get’ cyber risk?
There’s a contradiction at the heart of how manufacturers are responding to these threats, as revealed in a recent Trend Micro study. On the one hand, boards seem to get it. Some 93% of manufacturing respondents told us their senior leaders are concerned about ransomware, based on market events. And a third said they think cybersecurity is the biggest business risk today. What’s more, almost two-thirds (63%) claimed cyber-attacks have the highest cost impact when it comes to business risk.
Yet, on the other hand, 88% of IT and business decision makers (ITDMs/BDMs) in manufacturers said their organisation would be willing to compromise on cybersecurity in favour of other business priorities like accelerating digital transformation and business productivity. This completely misunderstands the role of security in forward-thinking organisations. It acts as an enabler for transformation, not as a block or check on it. It’s not an either/or choice. Instead, effective security is an essential prerequisite for the success of any business initiative and must be designed in from the start.
The fact that the C-suite doesn’t get this may be indicative of a deeper malaise – that leaders are paying little more than lip service to the notion of strategic cyber risk management. In fact, just half of the ITDMs/BDMs we polled said they think the C-suite completely understands cyber risk. The top reason cited was that it’s a complex and ever-changing topic—which it certainly is. But other respondents pointed to more serious problems. Over a quarter claimed the C-suite doesn’t try hard enough to understand cyber, and a similar number argued that it simply doesn’t see it as a boardroom problem.
The impact of an unengaged board
So, what does this actually mean? Separate research reveals that when board members are engaged and educated about cyber, they ask tougher questions of their CISOs, dig deeper into issues, and join the dots more clearly between cybersecurity and business issues. Such insight is missing if the C-suite remains unengaged. We found that in half of manufacturing organisations, cyber is still treated as an IT rather than a business risk. A similar number of ITDM/BDM respondents agreed that their organisation’s attitude to cyber risk is inconsistent from month to month.
This gets to the heart of the challenge. Even an unengaged board can’t ignore a serious cyber incident. But the truth is that without awareness of the threat landscape and regular updates on risk levels, they’re not going to be thinking and planning strategies to prevent such incidents from happening. Instead, they’ll be reacting to them, in an erratic and piecemeal fashion. This does not make for effective use of corporate resources.
We found more evidence to back this theory. Nearly half (47%) of manufacturing respondents globally told us that cyber was a top area of investment in order to mitigate business risk. And a similar number said their organisation has increased this investment given recent events. But that’s the key: this is a largely reactive measure rather than the kind of strategic, proactive decision-making manufacturers need. The result is that money gets thrown at the problem, and inevitably much of that money is wasted, on duplicate technologies and hastily written plans.
What needs to happen next?
However, there are things that can be done to rectify the situation. Improved engagement and awareness must start with better communication between IT security and business leaders. Unfortunately, at present, this dialogue is neither frequent enough, nor making an impact on the C-suite.
Just 56% of manufacturing IT teams discuss cyber risks with the C-suite at least weekly, dropping to 14% who do so daily. Nearly a fifth (17%) do so quarterly or less frequently. Given the sheer rate of change in the cyber threat landscape, quarterly updates are woefully inadequate. “Little and often” should be the watchwords of IT leaders. Board members don’t want to be overwhelmed with information. But neither should they be kept in the dark if serious business risk is mounting.
Unfortunately, 77% of IT and business leaders claimed they’ve felt pressured in board meetings to downplay the severity of cyber risks. They’re effectively self-censoring for fear of sounding overly repetitive or too negative, with a quarter claiming this is a constant pressure. This will do nothing but create a vicious circle, where the C-suite remains ignorant of its true risk exposure.
The bottom line is that cybersecurity is a fast-changing industry, precisely because defenders and attackers are locked in a perpetual arms race. Corporate risk ebbs and flows with these changes, alongside a patchwork of external factors. That means boards must be updated regularly on their organisation’s risk profile. But this information must also be communicated in a language they can understand.
Manufacturers could spend all the money in the world on digital transformation, but what good is it if their flash new technology is hacked and brought to its knees months after launch? Security must be pitched in these terms—as a means to ensure any digital initiatives are built on a steady foundation. In the first instance, that should mean improving resilience through better risk-based patching and configuration management programmes, tighter access controls and other cyber-hygiene best practices. But it should also include rapid threat detection and response for when threats inevitably sneak through—to ensure threat actors are caught and sent packing before they can do any damage.
It won’t be an easy journey, but it’s an essential one for all manufacturers. It will demand CISOs find a different way to talk about risk. But first, they need a board prepared to listen.
About the author
Bharat Mistry, Technical Director at Trend Micro
Bharat is Technical Director at Trend Micro, where he manages technical and customer-supporting teams. He has 20 years of experience as an information security professional and has worked for Alcatel Lucent/Nokia, KCOM and Siemens. Before joining Trend Micro, Bharat held the position of Security Technologist in the CTO Office for HP Enterprise Security Services. Bharat provides strategic counsel to clients to drive secure transformation and help CISOs meet critical business objectives. He focuses on major global customers in the Manufacturing, Oil & Gas, Financial Services, Telecommunications and Retail markets. Bharat is also one of Trend Micro’s main media spokespeople and regularly appears at major industry events.