There’s no question that cyberattacks continue to escalate in frequency and scope. And manufacturing companies are at greater risk than ever as they share more and more processes and information with a widening constellation of supply chain partners. Risk is further compounded by insufficient assessments of the cybersecurity practices of supply chain partners, and other fundamental shortcomings in processes and personnel safeguards.
Taken together, these factors are contributing to a continuing increase in cybersecurity incidents among manufacturing companies. In The Global State of Information Security Survey, PricewaterhouseCoopers (PwC) found that industrial products manufacturers reported a 17 percent jump in the average number of detected security incidents in 2014, compared with the year before. This rise in security incidents comes at great cost: The study of 557 manufacturing executives determined that total financial losses attributed to security compromises jumped 38 percent over the year before.
Given the recent barrage of high-profile—and highly destructive—breaches, it should come as no surprise that incidents attributed to ultra-sophisticated threat actors like foreign nation-states, activists and hacktivists, and organized criminals also increased. Nation-states, in particular, are keenly interested in manufacturing processes, and often attempt to steal intellectual property and trade secrets to advance their own political and economic advantage.
These threat actors were particularly active in 2014. The PwC survey results show that compromises by foreign nation-states and foreign organizations soared 65 percent over 2013. Not coincidentally, the study also found a significant upsurge in theft of intellectual property and trade secrets.
It’s likely that nation-state attacks caught a number of manufacturing companies by surprise. That’s because many did not identify the information assets that are key to their profit and success, such as trade secrets, manufacturing processes and product designs. In fact, PwC found that 39 percent of respondents lack a program to identify sensitive assets like trade secrets and the same number do not have procedures to protect intellectual property.
Theft of digital intellectual property will become a greater concern as more manufacturing companies adopt 3D printing. The reason? 3D printers employ files that provide explicit instructions on how to design a product or part, including what materials to use, and when and how to use them. These digital files are essentially a concentrated trove of trade secrets that, like any other digital document, can be hacked. That’s worrisome because, according to a PwC survey of U.S. manufacturers, two of three companies are already adopting 3D printing in some way, yet most did not consider how to protect their trade secrets.
Employee threat awareness is another concern. The majority of targeted attacks by sophisticated threat actors like nation-states start with a phishing campaign. Many of the most prominent hacks of the past year, in fact, took off when an employee clicked a malicious link or document in an email. That’s why it is absolutely essential that businesses train their employees to detect and avoid phishing attempts. Many do not, however: PwC found that 40 percent of manufacturing companies do not have an employee security awareness program in place.
Another form of knowledge-sharing that is getting a lot of attention is collaboration on security threats and responses. Sharing this type of information can help businesses more quickly detect and respond to threats and incidents; it is also a relatively inexpensive way to gain a fuller picture of threats that result from a far-flung, yet interconnected, supply chain. According to the PwC survey, 55 percent of manufacturing companies said that they collaborated with others to improve security and threat awareness in 2014. That’s progress over the year before, but universal collaboration, including among smaller supply chain partners, will be critical to effective cybersecurity.
A Lack of Visibility into Supply Chain Security
Another overarching cybersecurity liability is a lack of insight into the security practices of supply chain partners. As recent breaches demonstrate, the risks of compromise via third-party vectors warrant a firm commitment to due diligence of supply chain partners.
The security survey indicates that manufacturers are starting to pay more attention to the cybersecurity capabilities of third-party and supply chain partners—but much remains to be done. Consider, for instance, that more than a third (36 percent) of survey respondents did not implement basic security standards for external partners, suppliers and vendors. And just 42 percent perform risk assessments on third-party partners.
PwC also found that many organizations do not conduct compliance audits of third parties that handle personal data of customers and employees to ensure they have the capacity to protect such information. What’s more, a sizable number of manufacturers do not have an accurate inventory of third parties that handle this type of sensitive data.
Clearly, businesses need to step up their assessments of third parties and supply chain partners. It is also essential that they stipulate the right to assess a supply chain partner’s security capabilities in contracts. Experience shows that organizations that do not legally plan for due diligence when executing contracts may not be allowed to perform adequate assessments when necessary. Also consider that as much as 20 percent of security spending is estimated to occur outside of the information technology (IT) function on services like cloud computing. Contracts executed outside of IT may not allow for due diligence and, in fact, they may require important information security and privacy safeguards.
Not all compromises can be prevented, of course, so a rapid and effective response to security incidents should be a key component of every security strategy. In particular, businesses should implement and regularly test a response plan for third-party breaches. Yet PwC survey results show that more than a third (36 percent) of organizations do not have an incident response process to report and handle breaches to third parties that handle data. In the wake of notable recent breaches that demonstrated how a cyber-attack can have a pervasive impact on a business, many organizations are now looking at building crisis management programs to coordinate an organization-wide response to a cyber-attack.
Getting the Board on Board
If there’s an upside to the recent rash of cyberattacks, it may be that boards of directors are now taking an active interest in cybersecurity. They want to know about current and evolving risks, as well as the organization’s security preparedness and response plans.
Supply chain threats often do not rise to the board level—but they should. Businesses should ensure that supply chain risks are on the agenda, and that the board is updated on current cybersecurity threats and capabilities. Yet despite frequent media reports of high-profile breaches, many manufacturers have not yet elevated security to a board-level discussion. Consider, for instance, that 53 percent of respondents say that their board of directors participates in the overall security strategy, and that only 33 percent of manufacturers say that their board is involved in reviews of current security and privacy risks—a crucial component of any effective security program.
As manufacturing companies work with more supply chain partners, ensuring that the board understands and is involved in all layers of threats will be critical to enterprise-wide risk oversight.
Quentin Orr is a partner at PwC. For more information, please visit www.pwc.com/US. This content is for general information purposes only and should not be used as a substitute for consultation with professional advisors.