There have been hundreds of cyberattacks against manufacturing companies in recent years, including high-profile breaches at JBS Foods and Colonial Pipeline. With these in mind, let’s examine what makes attacks on manufacturing companies particularly unique.
In most industries, a cyberattack results in financial damages and back-end closures in certain functional areas (e.g., finance, accounting, e-mail). Those are concerns for manufacturers, as well.
However, there is an extra layer of complication for manufacturing organizations, as they often cannot keep operations going following a cyberattack. When a manufacturer is breached, it typically takes down the entire organization – the production line, the facilities, the distribution, everything. So, in many ways, a cyberattack is a “perfect storm,” often more devastating to a manufacturing organization than it is to companies in other industries.
As a result, cybersecurity needs to be an extremely high priority for manufacturing organizations. If for no other reason than because hackers know manufacturers have a lot to lose in a cyberattack, making them more willing (in many cases) to pay hefty ransoms.
Another important element to this discussion is the older technology that manufacturers tend to have. Sometimes older technology is less susceptible to cyberattacks because it’s not as automated or digital. On the other hand, older technology typically has fewer security protections, which can open a manufacturer to outside attacks. The vendor that created the technology may no longer exist, or may not put out updates on that technology, leaving manufacturers with an archaic system to defend against sophisticated, modern-day cyberattacks.
Consider also that manufacturing employees are focused and measured on efficiency and productivity. As a result, management often wants to avoid implementing complicated security controls and other technological roadblocks because those can potentially frustrate employees or slow down production.
All of these factors, among others, have contributed to a drastic shift in the cyber insurance market for manufacturing companies. Not only has it become much more expensive to purchase cyber insurance in recent years, but those pricy insurance premiums now offer organizations significantly less coverage than before. The end result, as noted above, is basically a perfect storm.
How to Weather the Storm
My colleague, Mike Cullen, recently authored a comprehensive article in which he outlined several leading practices that organizations can implement to combat the recent increase in cyberattacks and the rising costs of cyber insurance. Below are a few key points that are particularly applicable to manufacturing organizations:
- Engage leadership and the board to support new investments through frequent reports on the cybersecurity program – It’s vital to educate leaders about why cybersecurity is a critical risk for manufacturers.
- Train your people to be aware of cyber threats and how to protect themselves and the organization – Or better yet, put in controls that stop malicious threats from reaching your employees in the first place.
- Develop and test a robust incident response plan to deal with the most likely cyber incidents (e.g., ransomware, account compromise via phishing) – Because manufacturers are such an attractive target with so much on the line, they must have a documented incident response plan that allows the organization to restore its systems quickly.
With any manufacturing company, it is not simply about implementing leading practices. It’s about having a strategic understanding of the level of risk the organization is facing and the level of risk the organization can handle. And it’s about deciding which advanced controls to implement, even if they are at the expense of employee satisfaction or production speed.
In short, leading practices always look great on paper. But the manufacturers that thrive from a cyber standpoint are the ones who apply that knowledge to their facilities, systems, employees and overall organization in a way that proves to be effective, efficient and minimally invasive.
Looking to the Future
Manufacturing’s old-school mindset – “If it ain’t broke, don’t fix it” – is finally beginning to change. Manufacturing organizations are beginning to acknowledge the risk in using older technology and are placing a greater importance on cybersecurity.
In many cases, manufacturers are relying on vendors to implement and maintain modern technology with sophisticated cybersecurity controls. Of course, that still comes with risk. Except in these instances, the bulk of the risk merely transfers from organizational risk management to third-party risk management.
At the end of the day, even if a manufacturing organization passes the bulk of its risk to an insurance provider or to a third-party vendor, the manufacturer ultimately is responsible for the business, the operations and the repercussions of a cyberattack.
The days of manufacturers focusing 100 percent on production are long gone. The risk of a cyberattack is always on the horizon. Manufacturing leaders need to be smart and strategic with each key decision, because everyone has the potential to get soaked during a “perfect storm.”
Brian Nichols is a principal in Baker Tilly’s risk advisory practice .