More than 80 manufacturing plants in the UK have faced cyber incidents, yet a large number of firms in the manufacturing industry lack the visibility, the required tools or the necessary manpower to carry out cyber risk assessments. With GDPR around the corner, are manufacturers fighting a losing battle against cyber crime?
The General Data Protection Regulation (GDPR) will come into force on May 25 and will empower the ICO to come down hard on organisations that fail to prevent cyber-attacks due to poor cyber-security protocols and ineffective data security practices. Considering that fines could be as high as four percent of a firm's annual turnover, the manufacturing sector could face an uphill battle ensuring compliance.
So is the manufacturing sector prepared for GDPR?
A recent survey commissioned by EEF, the manufacturers' organisation, considers whether manufacturers are aware of the real-time cyber risks they face, how prepared they are to recover from a cyber-attack, whether they are aware of the requirements of GDPR, and whether they consider cyber-security important enough to make it a boardroom topic.
According to the survey's results, 48 percent of manufacturers in the UK suffered at least one cyber-incident. Half of them prevented any business impact thanks to existing cyber-security processes, while the other half suffered financial losses due to such incidents.
Manufacturers' lack of confidence in their cyber-defence capabilities is telling. While 91 percent of manufacturing firms in the UK are now investing in digital technologies to be at the forefront of the Fourth Industrial Revolution, 35 percent are not investing fully due to cyber-security concerns. The EEF says this prevents such firms from exploiting opportunities to enhance productivity and growth, and also ensures that they lag behind in the race to digitise.
This inhibition also arises because 16 percent of manufacturers don't know much about GDPR and 29 percent of them are not reviewing their cyber-security arrangements to comply with the GDPR. At the same time, 37 percent of them are not sure if they can demonstrate their cyber-security credentials to their customers. Fewer than 60 percent of them have asked their suppliers to demonstrate cyber-security credentials, signifying that many of them are not serious enough about patching security holes in the supply chain.
As far as assessing cyber-risk is concerned, 41 percent of manufacturers said they do not have access to enough information to even assess their true cyber risk, 45 percent of them said they do not have access to the right tools for the job, and another 12 percent said they have no technical or managerial processes in place to even start assessing the real risk.
There are many other factors that inhibit the cyber preparedness of manufacturers. Cyber-security does not appear on the risk register of 34 percent of manufacturers, and while the bulk of them are struggling with the lack of available cyber-security manpower, 34 percent of them are also not educating their staff in good cyber-security practices. In 45 percent of organisations, cyber-security is not even discussed at the board level, which also contributes to the lack of preparedness for GDPR.
"More and more companies are at risk of attack and manufacturers urgently need to take steps to protect themselves against this burgeoning threat," said Stephen Phipson, chief executive of EEF.
"Failing to get this right could cost the UK economy billions of pounds, put thousands of jobs at risk and delay the supply of essential equipment to key public services and major national infrastructure projects," he added.
Commenting on EEF's findings, Sylvain Gil, VP of products at Exabeam, told SC Magazine UK that many industrial systems are now old and were designed before cyber-threats emerged, and as a result they lack the visibility and policy enforcement layers that enterprise IT networks have.
He added that there is also no practical way of upgrading such systems due to the criticality of their availability, and that they are thus highly vulnerable to cyber threats that could cause shutdown or explosion.
Tim Bandos, director of cyber-security at Digital Guardian, told SC Magazine UK that, based on the sheer amount of classified information they hold, such as trade secrets and intellectual property, manufacturing companies are one of the most popular targets for cyber-criminals.
"It's recommended that organisations take a KPI (Key Performance Indicator) perspective to cyber-security, by setting goals and metrics to improve security stature. A key benefit of this is the ability to develop a heat map of sorts, to outline where they should be focusing their efforts and/or where they should continue to invest in protecting their most sensitive assets," he said.
Yet another suggestion for manufacturers came from Rob Norris, VP head of enterprise & cyber security EMEIA at Fujitsu, who said that since many organisations struggle to put in place the right measures to safeguard employees, customers and the broader business, manufacturers should "adopt a two-pronged approach by complementing employee training and awareness with continued investment in technical and security controls. In doing so, they can be on the front foot for proactively identifying and managing threats instead of waiting for breaches to happen."
"After all, cyber-crime is not a probability, it is an inevitability and it will be the way in which manufacturers prepare for it however, that can make all the difference," he added.