Rebecca Shalom, Partner

For manufacturers, as with other sectors, Covid-19 has magnified the opportunities and the threats of digitisation.

Clients I speak to are leveraging digitisation to support continuous operations, with control systems and operational technology connected through IoT. But while this drives up productivity and efficiency, it also creates potential entry points that cyber criminals seek to exploit.

Ransomware jump

According to software and hardware security business Check Point, the frequency of ransomware attacks jumped by 93% in H1 2021 compared with a year previously. It’s estimated that 1 in 6,000 emails contains malware, with malicious emails up 600% due to the pandemic as cyber attackers try to open up opportunities from mass migration to more remote ways of working.

This is true for manufacturing companies too, because many administrative and support staff have been working from home. What’s more, while production machinery and systems remain on-site, they may now be monitored and maintained remotely, creating a pathway criminals can try to break into. 

Attractive targets

Manufacturers can be attractive targets to cyber criminals because with downtime costing money, the potential to extract ransom payments is high. It’s been estimated that ransomware causes downtime of 21 days on average – the sort of interruption that no manufacturer can afford.

Manufacturers are also a target for attackers because they play a key role in the supply chains of other industries, including critical sectors such as defence and infrastructure. This adds to the imperative for a manufacturer to free themselves from the ransomware and resume operations. It also means that cyber criminals may be able to gain entry to the networks of those strategic businesses using the manufacturer as the back door.

In such a climate, it is simply imperative that manufacturing businesses stay ahead of the cyber criminals. One company I spoke to recently described it as an “arms race”. He added that there’s no point in taking any attack personally – you have to appreciate that it’s probably a case of when, not if, and make sure you are as prepared and resilient as you can be.

Baseline standards across the ecosystem

Clearly the work starts by reviewing and securing your own systems first – but an absolutely key part of the puzzle is ensuring security right across your ecosystem of suppliers, contractors and partners. There’s little point in protecting the “citadel at the centre” if a hacker can get in via a supplier a few steps further down the chain.

This means having clear baseline standards that all suppliers and partners have to meet. These standards need to be regularly reviewed and updated as necessary. Leading organisations, such as those in financial services, where cyber security tends to be most advanced, are creating dashboards of critical risks and suppliers that can be reviewed in real time. Relying on annual security reviews of suppliers may no longer be sufficient.

Some clients in the sector are going beyond traditional anti-virus protection software and investing in advanced new solutions such as AI-enabled technology that can discover and block ransomware and other malicious threats. There is a cost to these solutions of course, so this may require careful budgeting and business agreement up front.

Getting behind cyber from the top

This brings us to another key point. Cyber security is not only about implementing the latest technical solutions and protections – you have to get the organisation to buy into the importance of it right from the top. This means at CEO and C-suite level. Once senior leadership is actively behind the issue, you can build a solid strategy and roadmap for what will be an ongoing and evolving journey (rather than a one-time fix or upgrade).

Core components of your approach are likely to include regular testing of your security posture and vulnerability assessments across your network. Legacy systems are likely to be a key area of focus, as these can become the weak points through which attackers get in.

Recognise that good cyber security requires investment – secure the budget you need in advance to keep on maintaining and improving your defences.

Collaborative effort

It is often beneficial to take a collaborative approach. Cyber security is a common problem for all businesses after all. So, put those competitive instincts aside in relation to this specific area and talk to your peer businesses and industry associations. The sharing of knowledge and best practice advice can make a real difference. 

Conclusion

We can expect a continued increase in cyber attacks in the manufacturing industry. So, above all – be prepared. Don’t ignore the problem or just hope it will never happen to you. But don’t try to boil the ocean – no organisation can protect itself 100% from every possible threat. Take a risk-based approach and focus on the most likely threats. Then create a relationship of trust with your suppliers, so you can keep abreast of vulnerabilities across the value chain. Without doubt, cybercrime is a scourge and a drain on all businesses’ resources – but if you get your approach right, you can mitigate key risks and introduce a valuable discipline and rigour into the business.