'Cyber Risk Is an Organizational Risk, Not Just an IT Problem'

Why manufacturing continues to struggle with cybersecurity, despite the perceptions of industry leaders.

General Cyberattack

The Travelers Companies, a leading provider of property casualty insurance, recently updated their 2023 Travelers Risk Index, and the findings help demonstrate some of the ongoing cybersecurity challenges facing the manufacturing sector. The index found that 25 percent of manufacturing companies admitted to having been the victim of a data breach or cyber event. However, despite the ongoing risk, cyber threats did not rank as a top five concern, with only 56 percent of respondents reporting that they worry a great deal, or some, about these risks.

Additionally, 65 percent of manufacturing business owners reported being extremely or very confident that they would know what actions to take in case of a cyber event. In continuing with conflicting dynamics of the sector, only 57 percent reported to have a cybersecurity incident response plan in place.

To get a better feel for this data and what it means for the ongoing cybersecurity efforts of the industrial sector, I recently sat down with Kirstin Simonson, Cyber Lead, Technology & Life Sciences at Travelers.

Jeff Reinke, editorial director, Manufacturing Business Technology: While other concerns cited by manufacturers are certainly valid, why do you think cybersecurity remains a lesser priority in this sector?

Kirstin Simonson, Cyber Lead, Technology & Life Sciences at Travelers: We surveyed business decision-makers from a variety of industries about their top business concerns. Manufacturers reported broad economic uncertainty (68%) and supply chain risks (68%) as their leading worries, followed by medical cost inflation (59%); the impact of the global economy on their business (59%); the ability to attract and retain skilled staff (57%); and cyber, computer, technology or cloud risks (56%).

There are many reasons why some manufacturers may be less concerned about cyber risk than others. Size may play a role, as smaller organizations may think they donโ€™t have anything valuable enough to attract cybercriminals, and therefore wonโ€™t be a target. Another reason could be that many manufacturers may have a false sense of security because they have already taken some steps to help mitigate cyber risks. 

Though cyber risks were lower on the business risk list for manufacturers, the 2023 Travelers Risk Index found that 87 percent of respondents believe having the proper cybersecurity controls in place is critical to the well-being of their company. This is up six percentage points from 2022, indicating that the industry continues to understand this is a vital business consideration. 

JR: Have you seen any specific vulnerabilities that hackers are taking advantage of that might be especially prevalent in manufacturing enterprises?

KS: Cybercriminals will attack known vulnerabilities and also look for other areas they can compromise. As manufacturers increasingly adopt connected devices, automated machines, AI and robotics, the number of access points also increases, creating more opportunity for bad actors. Many manufacturers have systems that need to run 24/7; so this could make those companies more attractive for cybercriminals to target because thereโ€™s significant incentive for them to avoid or minimize any downtime. 

Published reports indicate that the manufacturing segment continues to experience a significant number of cyberattacks. For instance, according to the IBM Security X-Forceยฎ Threat Intelligence Index 2023, 30 percent of all extortion attempts, such as ransomware, business email compromise or distributed denial of service, focused on manufacturing โ€“ the highest for any industry. 

Similarly, the Microsoft Digital Defense Report 2022 reported that manufacturing had the highest percentage of ransomware incidents (28%) of any industry. Microsoft also found that manufacturers continued to struggle with maintenance and patching of legacy operational technology systems. 

JR: What recommendations would you make in helping manufacturers take the first steps in developing a cyber defense plan? 

KS: A good place to start is making sure proper procedures and protocols are in place, including pulling together a holistic team to lead and manage cyber threats. Create an asset inventory to identify critical points in the network that may be vulnerable. Ensure that the right people have easy access, and that those who shouldnโ€™t have access donโ€™t. 

Invest in tools such as multifactor authentication, which goes a step beyond the typical username and password to positively identify the user, and endpoint detection and response solutions that find, track and potentially stop an infiltration. 

Keep systems up to date. An unpatched vulnerability is one of the easiest and most common methods used to compromise a computer system or network. Enable automatic updates where possible, replace unsupported systems, and test and deploy available patches quickly. 

Training builds employee awareness of any threats and may help expose different ways a business can be targeted. Think beyond your organization and ensure that business partners and vendors also have good cyber policies and procedures in place. This stipulation can be built in as a security requirement during the request-for-proposal process. 

Lastly, have protocols in place in the event of a cybersecurity incident. A solid incident response plan can help an organizationโ€™s operations remain as close to normal as possible after a catastrophic event. The incident response plan may include sections on managing insurance policies and handling internal and external crisis communications, as well as implementing protocols for testing the overall plan regularly.

 Itโ€™s worth noting that, according to the 2023 Travelers Risk Index, only 57 percent of manufacturing businesses have a cybersecurity incident response plan. 

JR: Many manufacturers are using their insurance policies as a sort of cyber defense crutch โ€“ theyโ€™re not worried about losses from attacks because they have insurance. What is your response to that? 

KS: Having a cyber insurance policy in place is certainly an important component of a businessโ€™s cyber defense plan, but not every cost associated with a breach event may be covered by the policy. The limits a manufacturer has purchased may be inadequate, or there may be additional factors that need to be considered.

For instance, while a single breach can result in significant costs that may indeed be covered by a cyber insurance policy, the damage may eventually prove to be much more expansive in the long run. Because availability is such a necessity in the manufacturing industry, any downtime after a breach could lead to missed deadlines, a loss in business and customer confidence, financial and reputational harm, legal challenges, business interruption and potential regulatory impacts.  

JR: Have you seen any best practices in helping stakeholders get more dollars for investing in cyber defense?

KS: Itโ€™s important for the leadership of every manufacturing company to understand that cyber risk is an organizational risk and not just an IT problem. As they routinely evaluate their successes, business goals, operations and risks, protection against cyber issues needs to undeniably be part of the discussion. Cyber criminals continue to adapt, becoming smarter and more creative with their tactics, and just one attack can cause significant damage. 

Iโ€™d recommend that manufacturers consider the bigger picture and conduct a true cost-benefit analysis when considering whether and how much to invest in solutions that can help reduce their cyber risks. Discuss the potential ripple effects that can be felt for months or even years after a cyber event, such as reputational damage, which alone could be devastating to any company.

Business leaders need to consider the cost of not taking action to help avoid these incidents, just as much as they need to evaluate any potential investment in solutions that can assist with cyber defense.

JR: Any closing thoughts?

KS: Cybercriminals need only one opportunity to get around your defenses and cause tremendous harm to your organization. Just because a cyberattack hasnโ€™t happened yet doesnโ€™t mean youโ€™re in the clear. Be sure youโ€™re adequately prepared to defend your technology systems and minimize any impairment if and when your organization becomes a cyber target. 

More in Cybersecurity