10 cyber risk precautions for manufacturers
November 28, 2016
Cyber security and risk management are important to manufacturers, but challenging to address. There are no easy answers to this growing concern.
Manufacturers must take a holistic view, starting with becoming educated about the risks and possible solutions. To help companies understand what they can do about cyber risk, Deloitte and Manufacturers Alliance for Productivity and Innovation (MAPI) released the Cyber Risk in Advanced Manufacturing study.
“Given the highly connected environments manufacturers work in, and the pace of technological change they face, cyber risk is a top-of-mind industry issue. In fact, nearly half of the executives we surveyed lack confidence they are protected from external threats, and it is increasingly important for organizations to assess their organization’s risk profile and preparedness in the event of a breach or cyber attack,” the study reports.
An article by MAPI says, “Study results indicate nearly 40% of surveyed manufacturing companies were affected by cyber incidents in the past 12 months, and 38% of those impacted indicated cyber breaches resulted in damages in excess of $1 million.”
The authors of the Deloitte/MAPI study suggest that manufacturers take these 10 steps:
- Set the tone. The chief information security officer (CISO) cannot be an army of one. He or she needs to be appropriately supported by the leadership team and management to accomplish key cyber risk objectives for the company.
- Assess risk broadly. Perform a cyber risk assessment that includes the enterprise, industrial control systems (ICS), and connected products, and ensure any recent assessments were inclusive of advanced manufacturing cyber risks such as IP protection, ICS, connected products, and third-party risks related to industrial ecosystem relationships.
- Socialize the risk profile. Share the results of the enterprise cyber risk assessment and recommended strategy and roadmap with executive leadership and the board. Engage in dialogue as a team related to the business impact of key cyber risks, and prioritize resource allocation to address risks commensurate with the organization’s risk tolerance, risk posture, and capability for relevant business impact.
- Build in security. Evaluate top business investments in emerging manufacturing technologies, Internet of Things (IoT), and connected products, and confirm whether those projects are harmonized with the cyber risk program. Determine whether cyber talent is resident on those project teams to help them build in cyber risk management and fail-safe strategies on the front end.
- Remember data is an asset. It is important to change the mindset in manufacturing from a transactional one to one that recognizes that certain data alone may be an asset. This likely necessitates a tighter connection between the business value associated with data and the strategies used to protect it.
- Assess third-party risk. Inventory mission-critical industrial ecosystem relationships, and evaluate strategies to address the third-party cyber risks that may coincide with these relationships.
- Be vigilant with monitoring. Be vigilant in evaluating, developing, and implementing the company’s cyber threat monitoring capabilities to determine whether and how quickly a breach in key areas of the company would be detected.
- Always be prepared. Increase organizational resiliency by focusing on incident and breach preparedness through tabletop or war-gaming simulations. Engage IT as well as key business leaders in this exercise.
- Clarify organizational responsibilities. Be crystal clear with the executive leadership team on the organizational ownership responsibilities for key components of the cyber risk program, and make sure there is a clear leader on the team with responsibilities to bring it all together.
- Drive increased awareness. Get employees on board. Make them aware of their responsibilities to help mitigate cyber risks related to phishing or social engineering, protecting IP and sensitive data, and appropriate escalation paths to report unusual activity or other areas of concern.
Read the full study.