Cybersecurity challenges are becoming more prevalent and complex for manufacturers as consumers embrace and demand advanced technologies. The costs associated with data breaches are also rising, with an average cost increase of more than 23 percent since 2013, according to the latest research by Ponemon Institute.
Furthermore, external breaches from hackers are only part of the concern. The latest annual Internet Trends report from analyst Mary Meeker highlights that 20 percent of breaches are attributed to insiders with malicious intent. Her report also suggests that many breaches go undetected, with 70 percent flagged to companies by outsiders. And manufacturing executives are taking note of these threats. The latest BDO Manufacturing RiskFactor Report found that 86 percent of public manufacturing companies cited concerns about network and data security in their 10-K filings, up from 78 percent in 2014.
To mitigate exceedingly costly cybersecurity risks, manufacturing companies must examine their technology infrastructure holistically and methodically, considering the various scenarios that could lead to data vulnerabilities and cyberattacks. Manufacturers should review both internal and external risks, and include measures that better protect their not only own data, but also the end users’ data that could be transmitted via their products. Once a preventative plan is in place, a thorough action plan is equally important should a data breach occur. With so many variables at play, covering all the bases is critical to maintaining secure IT infrastructure.
Looking Under the Hood
A thorough evaluation of data vulnerabilities starts with taking a risk-based approach and assessment associated with the applications and infrastructure components of the organization, and identifying the organization’s most valuable and vulnerable assets. For manufacturers, intellectual property and patents are often the most sensitive information. A good evaluation process must take into consideration every employee who has access to data from creation to disposal, and implement the proper controls, layers and value chains in order to ensure maximum protection.
As data assets are identified and classified, companies should consider:
- Whether the data is at rest or in motion;
- Where and how the information is stored and who can access it;
- Potential threats that could expose the data to vulnerabilities; and
- Ramifications to the company if the information is hacked or stolen.
Once this assessment is completed, data must be classified, with each data asset assigned a low-, medium- or high-risk rating so that the proper degree of control can be applied to the data. For example, very sensitive data may be protected with multi-factor authentication using biometrics, such as a fingerprint scanner. Once the protection has been established, threat modeling techniques can then help identify gaps in the data’s life cycle that could expose it to security threats.
Employee education and training are critical to maintaining a secure IT infrastructure, to ensure not only that the staff upholds best practices to keep information secure, but also understands the consequences of lax behavior since internal attacks can and do occur, whether intentional or unintentional. Third-party vendors should also be required to adhere to strict data standards.
Pumping the Breaks Before Racing Ahead
Manufacturers must also assess the ever-growing and evolving data risks that lie within products themselves. Technological innovations like 3D printing and in-vehicle Wi-Fi are breaking new ground in manufacturing and opening doors for producers and consumers alike. However, innovative methods and products also raise questions, and companies must marry their investments in innovation with due diligence to implement proper internal controls and security precautions.
For instance, auto manufacturers have found themselves entering uncharted territory as wireless Internet and other software capabilities are becoming commonplace in cars. Already new litigation is in progress to regulate manufacturers’ activities around the security of user data transmitted via their products. Manufacturers must ask themselves: What kind of equipment malfunction could hackers create if they were to gain access to these systems? How much, and what types of customer data could they pass along to others? What cybersecurity responsibility falls on manufacturers?
Creating user-friendly products that are also embedded with proper controls and security measures may take longer to get to market, but doing so gives the product a long-term competitive advantage. Manufacturers would be wise to make data regulation as integral to the manufacturing design process as the functionality of the products.
Calling the Body Shop
No one is immune from data breaches in today’s complex cyber landscape, but manufacturers are particularly prone to threats. Manufacturing ranks as the third most commonly breached industry, according to the Verizon 2015 Data Breach Investigations Report.
Should a data breach occur, having an incident response plan in place can help ease the pressure in the heat of the moment. Affected systems should immediately be closed off from the remainder of the company’s infrastructure in order to pinpoint the root cause. When a data breach does occur, use it as a learning experience, extracting as much information as possible about how and why the incident occurred. That information can then be used to strengthen IT infrastructure by plugging holes and establishing improved monitoring programs to detect threats. Reaction plans should be tested and updated regularly to ensure any future threat responses are as effective and efficient as possible.
Above all, reporting incidents promptly and properly is essential. Data security incidents can be highly visible and heavily scrutinized, putting the company’s reputation at stake. A proper plan should detail the step-by-step process of reporting the incident and relevant details to all appropriate parties following a data breach. This could include self-reporting information to regulators, or simply letting customers know that their data has been compromised and sharing the measures the company is taking to rectify the situation.
Preventing Accidents
Advanced preparation can make a world of difference when a data breach occurs. Exhaustive and detailed plans can minimize reaction times and keep issues from escalating into a situation that could be potentially damaging to a company’s reputation and competitive edge. Setting regular, comprehensive tune-ups to examine potential problem areas and regularly assessing the impact of future innovations can prevent expensive losses and future damage.
Rick Schreiber is the national leader of BDO’s Manufacturing & Distribution Practice. Shahryar Shaghaghi is a managing director at BDO Consulting and the Technology Advisory practice lead.
