Even though GDPR is a little over a month away, a report from EEF, the manufacturers' organisation, has revealed that a large number of manufacturers either do not have visibility over their cyber infrastructure to assess cyber risk or don't have tools in place to carry out cyber risk assessments.
A survey carried out by The Royal United Services Institute and incorporated in a detailed EEF report titled 'Cyber Security for Manufacturers', has revealed that not only have 48 percent of manufacturers in the UK suffered at least one cyber security incident, potential vulnerability to hackers is also holding back a large number of them from investing in digital technologies.
According to the report, a lot of steps have been taken by manufacturers of late to conform to the standards of the digital revolution and to keep pace with the rapidly changing industry. 91 percent of manufacturers surveyed are now investing in digital technologies, 51 percent of them have successfully resisted cyber attacks so far, 62 percent of them are training their staff in cyber security, and in 55% of such organisations, cyber security is now managed at the board level.
However, the adoption of digital technologies comes with its own challenges. According to the report, while 41 percent of manufacturers do not believe they have access to enough information to even assess their true cyber risk, 45 percent of them feel that they do not have access to the right tools for the job.
At the same time, 12 percent of all manufacturers have no process measures in place at all to mitigate against cyber threats. Such lack of processes could result in huge fines in the event of cyber attacks once GDPR comes into force.
"The 4th Industrial Revolution represents an unprecedented opportunity through interconnectivity. But that very openness brings with it increased risk. Cyber-vulnerability is a major barrier to business and growth; threatening loss of data, theft of capital and intellectual property, disruption to business, and impact on trading reputation.
"Manufacturers must urgently take appropriate steps to protect themselves. Our sector is already a significant target for malicious activity in cyberspace, which impacts businesses in a variety of ways. Increasing digitisation means that the challenge is likely to both broaden and deepen," said Stephen Phipson, chief executive of the EEF.
"A comprehensive approach to cyber-security is not something that manufacturers can afford to ignore – with the sector now the third most targeted for attack. Only government systems and finance are more vulnerable, yet manufacturing is amongst the least protected against cyber-crime," he added.
The report highlighted various shortcomings as far as the preparedness of manufacturers in negating the impact of cyber attacks is concerned. Even though 48 percent of them admitted that they had suffered cyber incidents, the true count could be much higher considering that a lot of cyber attacks and intrusions go undetected due to the absence of monitoring tools or mechanisms.
Even though 35 percent of manufacturers said they are fully investing in digital technologies, a equal number of them are inhibited from fully investing in such technologies due to cyber security concerns. "This suggests that opportunities to enhance productivity and growth are being missed and some businesses risk falling behind in the race to digitise," the report said.
The hesitation in adopting new digital technologies is also fueled by the fact that 37 percent of manufacturers do not feel confident enough of demonstrating their cyber security credentials to customers and clients. This is especially true for manufacturers of IoT products as such devices completely rely on internet connectivity and the use of Wi-Fi and Bluetooth for their functioning.
Lack of urgency
Another reason for such lack of confidence could be the lack of urgency demonstrated by organisations as far as strengthening their cyber security is concerned. While 15 percent of manufacturers are not aware of GDPR, another 29 percent are neither reviewing or changing their cyber security arrangements in order to comply with the upcoming legislation. As many as 34 percent of manufacturers have not included cyber security on their risk register as well.
"We are seeing an increasing state-sponsored element to the attacks between nation states, where companies infected by malware may be collateral damage rather than the direct target of an attack. However, while state-sponsored cyber crime might not always target a specific business, it is often aimed at the economic undermining of a rival.
"Thus, private sector businesses, including manufacturers, will continue to be targeted by cyber attacks (both generally and specifically) and these are likely to get more sophisticated. This requires constant vigilance and evolving defence. Certainly, as 2018 progresses, we expect to see a refinement of these modes of attack," said Romaney O’Malley, Head of Industrials Segment at AIG UK.
Commenting on the results of EEF's survey, Tim Erlin, VP at Tripwire, said: "It’s important to distinguish between cyber attacks on manufacturers and cyber attacks on industrial control systems. While they may be related, they’re not the same thing. Any organization with connected computer systems may fall victim to cyber attacks across a broad spectrum of technologies, but attacks on the systems that control a manufacturing plant floor are much more specific. Of course, manufacturing isn’t the only industry using industrial control systems.
"We have seen a rise in attacks on control systems themselves, and the impact on the business of these attacks can be very direct. At the same time, cyberattacks, in general, continue to plague organizations around the globe."