The manufacturing industry is undoubtedly a prime target for cyberattacks due to the complex web of supply chains that links companies and suppliers together. According to new research by cybersecurity firm Dragos, an astounding 72% of all ransomware attacks targeted manufacturing in 2022. This represented an 87% increase in overall industrial sector-targeted ransomware attacks from 2021 to 2022. With pandemic-induced supply chain disruption subsiding, the manufacturing industry has a new challenge on its hands, in the form of more frequent and pervasive cybersecurity breaches.
To mitigate these threats, the overwhelming majority of large companies conduct extensive due diligence procedures on suppliers and vendors before they are selected to provide or produce materials, components, services or software. In addition to this, almost every large company’s due diligence process contains an information technology (IT) security diligence section. This is a great start but falls short of a robust, risk-mitigating cybersecurity strategy.
Of course, a supplier’s business practices and processes will inevitably change over time. But very few companies actually make it a requirement for suppliers to periodically update IT security diligence data. As a result, process changes go unreported and unmonitored. Even when companies do collect IT due diligence data, their spreadsheets or documents are filed on a server and, after an initial review, essentially forgotten. This leaves little to no infrastructure in place for flagging potentially vulnerable suppliers. The door is left wide open for cyber criminals, allowing them to wage war on a company as well as its many suppliers.
Proactivity pays in supply chain cybersecurity risk
There are significant costs to implementing and maintaining ransomware mitigation measures, a figure that is often overlooked by businesses. But breaches themselves have been taking an unprecedented financial toll on companies. The global average cost of a single data breach in 2022 was $4.35 million, up from $4.24 million in 2021. In the U.S., it’s nearly twice as high at $9.44 million for a single breach. It is evident that simply sitting and waiting for an incident to occur is typically a more costly strategy than taking a more proactive, risk-mitigating approach.
Equally, businesses can’t assume that their suppliers will always “do the right thing,” or share the same values, policies or procedures. Instead, a company must take responsibility, ensuring it monitors its suppliers’ cybersecurity practices and processes. The zero-trust cybersecurity model has therefore gained significant traction in the past year, with the default quickly becoming to deny access to applications and data, enabling it only after verification. By identifying vulnerable suppliers, a company can take pre-emptive steps to avoid unnecessary security risks before they materialize.
Six key steps to minimize cybersecurity risk
- Mandatory cybersecurity disclosures: A company can only be as strong as its weakest link when it comes to security. A company must therefore ensure it incorporates all suppliers and vendors into its processes, irrespective of the product, software type or service they provide. Remember, the smallest links in the chain can cause the greatest collateral damage. This can be avoided through clear cybersecurity disclosures.
- Extensive analytics: Analytics should be designed to highlight which key areas are most vulnerable within suppliers’ processes. The analytics in question must not be superficial and should be detailed enough to pinpoint the deficient process areas. Though useful, it would not be sufficient to indicate a supplier’s “cybersecurity risk” through a single number. Rather, the analytics should instead identify weaknesses in a specific process that the supplier implements such as employee onboarding, destruction of sensitive material, etc.
- Implement corrective action: It is commonplace for companies to have processes in place which assist suppliers in addressing their own process issues, whether they relate to quality, delivery, service or something else. A commonly used process is a “corrective action report,” in which the company details the problems it has identified in the supplier’s processes. Also included in the report are the steps the company expects the supplier to take to address the given issues. A similar system can be implemented for cybersecurity process issues, with deadlines given for enacting measures and a statement of the actions the company may take should the supplier fail to act.
- Incentivize suppliers: While traditional incentives for suppliers around increased business work well, other incentives are worth considering. Suppliers can be given awards, preferred status and referrals that help them win additional business.
- Regular data refresh: Companies may be inadvertently leaving themselves open to cyberattacks if the information they hold on their suppliers is outdated. Though implementing extensive analytics and processes is useful, it is clear that more is needed to ensure that a company holds the most up-to-date information. A company should therefore implement a data refresh as part of its standard process, usually every six months.
- 24/7 risk monitoring: An early warning system should be a key priority for companies. Connecting information on vulnerabilities and security incidents with data collected from suppliers allows companies to create a degree of foresight to deal with emerging problems. If a supplier does suffer a security incident, or should a new vulnerability be detected in a software system that a supplier uses, the company can act instantaneously.
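One way to operationalize the data-refresh and monitoring steps above, as an added illustration that is not part of the original article: a small Python script, using constructed supplier records and a hypothetical advisory feed (product names, versions and advisory ids are invented), flags disclosures older than the six-month window and suppliers that reported software named in a new advisory.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): each supplier record holds the
# date its last cybersecurity disclosure was received and the software it reported.
SUPPLIERS = [
    {"name": "Acme Castings", "last_disclosure": date(2022, 11, 1),
     "software": {"erp-suite 5.2", "vpn-gateway 3.1"}},
    {"name": "Bolt & Nut Co", "last_disclosure": date(2023, 4, 20),
     "software": {"erp-suite 6.0", "mail-server 2.8"}},
    {"name": "Delta Plastics", "last_disclosure": date(2022, 6, 15),
     "software": {"vpn-gateway 3.1"}},
]

# Constructed advisory feed: hypothetical products, versions and ids, not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "product": "vpn-gateway", "affected": {"3.0", "3.1"}},
    {"id": "ADV-EXAMPLE-002", "product": "mail-server", "affected": {"2.7"}},
]

REFRESH_DAYS = 180  # the six-month refresh cadence recommended in the article


def stale_disclosures(suppliers, today, max_age_days=REFRESH_DAYS):
    """Return names of suppliers whose last disclosure is older than the refresh window."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(s["name"] for s in suppliers if s["last_disclosure"] < cutoff)


def match_advisories(suppliers, advisories):
    """Map each supplier to the advisory ids that name software it disclosed."""
    hits = {}
    for s in suppliers:
        for entry in s["software"]:
            product, _, version = entry.partition(" ")  # "name version" -> parts
            for adv in advisories:
                if adv["product"] == product and version in adv["affected"]:
                    hits.setdefault(s["name"], []).append(adv["id"])
    return hits


if __name__ == "__main__":
    today = date(2023, 6, 1)  # fixed "today" so the run is reproducible
    print("Stale disclosures:", stale_disclosures(SUPPLIERS, today))
    print("Advisory matches:", match_advisories(SUPPLIERS, ADVISORIES))
```

In practice the supplier register would come from the due-diligence system and the advisory feed from a vulnerability intelligence source, with both lists re-run on every feed update rather than once.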
Cyberattacks against the manufacturing industry will continue to gain pace, due in part to the rapid digitalization of the space and to an increase in hybrid and remote working. This persistent vulnerability means supply chain management professionals need to work alongside both their in-house cybersecurity team and reputable third-party companies that help survey suppliers about cybersecurity. This will ensure they can effectively assess cyber risks across the entire supply chain. With cyberattacks becoming more and more sophisticated, this is quickly becoming a necessity for business survival.