A defence against cyber threats: Six steps to minimise risk in manufacturing
Author : Bindiya Vakil, CEO & Co-Founder of Resilinc
20 January 2023
Bindiya Vakil, CEO & Co-Founder of Resilinc
The manufacturing industry is undoubtedly a prime target for cyber attacks, due to the complex web of supply chains that links companies and suppliers together.
According to new research by Make UK and BlackBerry, more than two in five (42 percent) UK manufacturers have been a victim of cybercrimes in the past 12 months.
Additionally, of those organisations that did suffer an attack, over a quarter (26 percent) incurred substantial financial losses, from £50,000 to £250,000.
With pandemic-induced supply chain distribution subsiding, the manufacturing industry has a new challenge on its hands, in the form of more frequent and pervasive cybersecurity breaches.
To mitigate these threats, the overwhelming majority of large companies conduct extensive due diligence procedures on suppliers and vendors before they are selected to provide or produce materials, components, services, or software.
In addition to this, almost every large company’s due diligence process contains an IT security diligence section. This is a great start, but falls short of a robust, risk-mitigating cybersecurity strategy.
Of course, there is always going to be an element of inevitability in business practices and processes of a supplier changing. But very few companies actually make it a requirement for suppliers periodically to update IT security diligence data. As a result, process changes go unreported and un-monitored.
Even when companies do collect IT due diligence data, their spreadsheets or documents are filed on a server and, after an initial review, essentially forgotten. This leaves little to no infrastructure in place when it comes to flagging potentially vulnerable suppliers. This means the door is left wide open for cyber criminals, allowing them to wage war on a company as well as its many suppliers.
Proactivity pays when approaching cybersecurity risk in supply chains
There are significant costs to implementing and maintaining ransomware mitigation measures, a figure which is often overlooked by businesses. But these measures have been taking an unprecedented financial toll on companies, with this year’s cost expected to reach $20 billion globally.
It is evident that simply sitting and waiting for an incident to occur is typically a more costly strategy than taking a more proactive, risk-mitigating approach.
Equally, businesses can’t assume that their suppliers will always “do the right thing”, or share the same values, policies or procedures. Instead, a company must take responsibility, ensuring it monitors its suppliers’ cybersecurity practices and processes.
The ‘zero trust’ cyber security model has therefore gained significant traction in the past year, with the default quickly becoming to deny applications and data, only enabling access after verification. By identifying vulnerable suppliers, a company can take pre-emptive steps to avoid unnecessary security risks before they happen.
Six key steps businesses should take to minimise cybersecurity risk:
1. Mandatory cybersecurity disclosures
A company can only be as strong as its weakest link, when it comes to security. A company must therefore ensure it incorporates all suppliers and vendors into its processes, irrespective of the product, software type or service they provide. Remember, the smallest links in the chain can cause the greatest collateral damage. This can be avoided through clear cybersecurity disclosures.
2. Extensive analytics
Analytics should be designed to highlight which key areas are most vulnerable within suppliers’ processes. The analytics in question must not be superficial and should be detailed enough to pinpoint the deficient process areas.
Though useful, it would not be sufficient to indicate a supplier’s ‘cyber security risk’ through a single number. Rather, the analytics should instead identify weaknesses in a specific process that the supplier implements such as employee onboarding, destruction of sensitive material, etc.
3. Implement corrective action
It is commonplace for companies to have processes in place which assist suppliers in addressing their own process issues – whether they relate to quality, delivery, service, or something else.
A commonly used process is a ‘Corrective Action Report’, in which the company details problems it has identified in its processes. Also included in the report are the steps that the company expects a supplier to take to address the given issues.
A similar process can be implemented for cybersecurity process issues in which deadlines are given for enacting measures and actions the company may take, should the supplier not proceed with the appropriate actions also being specified.
4. Incentivise suppliers
While traditional incentives for suppliers around increased business work well, other incentives are worth considering. Suppliers can be given awards, preferred status, and referrals that help them win additional business.
5. Regular data refresh
Companies may be inadvertently leaving themselves open to cyber attacks if the latest information from their suppliers. Though implementing extensive analytics and processes is useful, it is clear that more is needed to ensure that the most up-to-date information is held by a company. A company should therefore implement data refresh as a part of its standard process, usually every six months.
6. 24/7 risk monitoring
An early warning system should be a key priority for companies. Connecting information on vulnerabilities and security incidents with data collected from suppliers allows companies to create a degree of foresight to deal with emerging problems.
If a supplier does suffer a security incident, or should a new vulnerability be detected in a software system that a supplier uses, the company can act instantaneously.
Cyber attacks against the manufacturing industry will continue to gain pace, due in part to the rapid digitalisation of the space and through an increase in hybrid and remote working.
This persistent vulnerability means supply chain management professionals need to work alongside both their in-house cybersecurity team and reputable third-party companies, to help survey suppliers about cybersecurity. This will ensure they can effectively assess cyber risks across the entire supply chain. With cyber attacks becoming more and more sophisticated, this is quickly becoming a necessity for business survival.
More information...