Board directors continue to up their investment in cybersecurity. Seventy-three percent now say their organization requires that third-party vendors meet certain cyber risk requirements—up 30 percentage points from 2016, according to the 2018 BDO Cyber Governance Survey of 145 co-directors at public companies.
This increase in requirements and investment is warranted as manufacturing companies adopt and integrate more advanced technologies into their operations. During 2018, we have seen a 350% increase in ransomware attacks, a 250% increase in spoofing or business email compromise (BEC) attacks and a 70% increase in spear-phishing attacks in companies overall. Further, the average cost of a cyber-data breach has risen from $4.9 million in 2017 to $7.5 million in 2018, according to the U.S. Securities and Exchange Commission.
Risks have grown significantly around cyberattacks, information breaches from third-party vendors and information theft (i.e., personal identifiable information, intellectual property and trade secrets).
To further complicate the cyberthreat landscape, the threat actors are increasingly integrating their efforts between nation-state cyberattack groups, criminal cyberattack groups and hacktivists, resulting in more sophisticated cyberattacks on manufacturers—especially companies tied to critical infrastructure industries.
Manufacturers must focus on three key aspects of cybersecurity:
1. Protecting their business information systems, including email.
2. Guarding their manufacturing information systems , including computer-aided-design and computer-aided-manufacturing (CAD/CAM) systems, as well as securing production machinery.
3. Securing their products that include software and/or internet-connected devices.
Threat-based cybersecurity should be the North Star for manufacturers. Instead of focusing solely on protecting critical data assets or following the basic script of a cyber program such as ISO 27001 Information Security, this predictive approach concentrates investments in the most likely risk-and-attack vectors based on each manufacturing company’s unique threat profile.
To develop and maintain a comprehensive cyber threat profile, you first need to assess and take ownership of your organizational DNA: the data assets and other intellectual property that make your company unique—or a potential target. This involves identifying, managing, accurately categorizing, protecting and optimizing organizational data from inception to final disposition.
As you go through this process, it is important to realize that the data assets you value the most may not be the prime target for a would-be hacker. Your data on performance outcomes, for example, is far harder to monetize on the dark web than product designs, client account information or supplier information.
The next step is to factor in the threat environment to understand current exploits and the most targeted vulnerabilities. The most targeted cyber-attack vectors include email system attacks focused on gaining system access and/or re-routing payments, supply chain attacks and insider-threat attacks.
What does this tell us? To effectively detect and respond to cyber and data privacy risks, manufacturing organizations need to:
Conduct advanced email and network attack detection assessments. This will help you diagnose the real state of your cyber defense to advanced persistent threats on your email system and information/data network
Bolster access controls. Evaluate technical policies, plans, and procedures to protect vital information assets, including implementation of data encryption, multi-factor authentication (MFA), and developing a layered–cyber defense system
Make top-down personnel cybersecurity education and training a priority. This helps ensure all individuals from the Board of Directors and C-Suite are better informed about the nature of cyber-attacks and the appropriate actions needed to create a virtual human firewall.
Create an incident response plan. Include the participation of organization leadership and key personnel from all areas of manufacturing, information technology, business administration and engineering operations
Create an internal and external crisis communications plan. This should align with existing enterprise risk management frameworks
Strengthen monitoring, detection and response services. The goal is to quickly detect cyber intrusions and data breaches, rapidly respond to cyber-attacks and effectively eradicate malicious software.
Evaluate cyber insurance liability coverage to be sure it’s adequate to cover a significant cyber data breach.
Threat-based cybersecurity is a journey spanning the entire corporate lifecycle and requiring an ongoing commitment to cyber defense. Given the growing risk of cyber and data privacy attacks, it is vital to begin developing an approach.
Gregory A. Garrett is head of U.S. and International Cybersecurity for BDO audit, tax and advisory firm.