IT and business leaders have rarely seen eye to eye. But rarely has this mattered more than it does today. With manufacturers investing heavily in digital systems to usher in a new era of Industry 4.0, all that good work could be undone if security is not properly designed into projects from the start. The challenge is getting the board to realise this. New global research reveals that, far too often, cybersecurity is still treated as an IT rather than a business risk.
Cyber risk. Credit: Doucefleur / Shutterstock
In short, manufacturing CISOs need to find a new way to talk about risk. And they need board members prepared to listen. Nothing less will do in a post-pandemic era of rapid digital transformation and escalating cyber risk.
The attack surface is growing
That cyber-threats are on the rise is in little doubt. One study claims manufacturers experienced a 300% year-on-year surge in threats in 2020. Threat actors see a target vulnerable on several fronts. They see complex supply chains as a potential means to infiltrate manufacturers’ networks. And they see commitments to downstream partners as leverage which may force ransom payments, in the event production lines can be disrupted.
They’re also well aware that manufacturing is undergoing a digital revolution in Europe and beyond. According to one 2021 study, 91% of manufacturers reported increased investment, while even more (95%) said digital transformation is essential to their future success. This can take many forms—from IoT systems to cloud infrastructure, applications and services. As highlighted in a 2020 Trend Micro study, it can also mean converging IT and OT systems to improve visibility, efficiency and speed on the factory floor. Unfortunately, this also increases cyber risk.
This matters, because now that there’s connectivity, remote hackers can probe for and exploit these vulnerable systems. Our research found ransomware, coin mining malware, and even legacy malware like Conficker still running in many manufacturing IT/OT environments. Coin mining is resource-intensive and could wear out equipment while running up energy costs. And ransomware has the power to lock down whole production lines. But there’s also a risk of IP theft.
The business impact of these threats should not be underestimated. The average cost of a data breach in the industrial sector last year was estimated at over $4.2 million. But some attacks can cause much greater damage. Norwegian aluminium producer Norsk Hydro projected a $75 million loss after a crippling 2019 ransomware outage.
The problem with risk
The cumulative impact of digital investment is therefore to expand the corporate cyber-attack surface. So are boards getting the message? Unfortunately not. Our poll of IT and business decision-makers in the sector finds that 88% of them believe their organisation would be willing to compromise on security in favour of other business priorities, such as speeding up digital transformation or improving business productivity.
Part of the problem is a lack of engagement and awareness among the C-suite. Less than half of respondents (49%) we spoke to think senior leaders completely understand the risks of cybersecurity. Some think it’s because security is a complex topic that is constantly changing. Others were blunter, claiming it’s because the C-suite doesn’t try hard enough to understand it, or doesn’t care.
It’s not that manufacturing boards aren’t spending on cyber at all. Around half of those we spoke to say their organisation has actually increased investment in this area in reaction to recent market events. But that’s the problem. It tends to be reactive spending, which does little to prepare the company for potential future risks. Half of respondents say their organisation’s attitude towards cyber risk is inconsistent from month to month.
A different conversation
This is the opposite of what European manufacturers need. An engaged, cyber-aware board will ask tougher questions and is more likely to release funds for proactive, strategic security projects like extended detection and response (XDR) tooling. Security strategy must be consistent and built into every business initiative because ultimately any digital investment could fail if risk is not evaluated and mitigated at the outset.
Let’s be clear here, cyber risk is business risk. And it’s the job of the CISO to ensure the message gets across. Speaking to the board in business rather than technical language will help with this. But bigger changes may be needed.
Cybersecurity must be formalised with documentation, KPIs and established metrics to help drive that business risk discussion. CISOs should report directly to the CEO to expose the latter more to security issues. Manufacturers could even consider creating a new role of Business Information Security Officers (BISOs) to embed security deeper into business processes. This isn’t just about avoiding the financial and reputational impact of a serious breach. It’s about setting the business up for long-term success. To do that, cyber must be front and centre of everything.
- The author, Bharat Mistry, is Technical Director at Trend Micro.