Getting ahead of cyber risk

Given its focus on innovation and an increasing reliance on connected products, the manufacturing industry is particularly vulnerable to cyber risks. To assess the landscape, Deloitte and MAPI conducted a cyber risk in advanced manufacturing study. Led by Deloitte’s Center for Industry Insights, the study is informed by 35 executive interviews and 225 survey responses collected in collaboration with Forbes Insights. The study examines six emerging themes and offers manufacturers insights into what they should do to be secure, vigilant, and resilient in addressing cyber risk.

Six key themes for cyber risk in advanced manufacturing

Executive and board engagement

While senior management is committed to improving the company’s cyber risk profile, 42 percent of cyber risk executives indicate obtaining funding to support key cyber initiatives remains a challenge. Due to the growing severity and sophistication of cyber-attacks, nearly half of executives lack confidence their organization’s assets are protected from external threats.

What manufacturers should do

Establish a senior management-level committee with board member representation dedicated to the issue of cyber risk.
Review cyber breach incident management framework and establish escalation criteria to include board members.

Talent and human capital

Manufacturing executives indicate that four of the top 10 cyber threats their organizations face are directly attributable to internal employees. The lack of skilled talent in the cybersecurity function represents a significant challenge for manufacturers.

What manufacturers should do

• Establish a cross-functional team of key stakeholders in the cyber program, including IT, OT, R&D, Finance, and Risk.
• Perform regular internal phishing tests as an assessment and awareness tool to help employees better identify these attacks when they occur.
• Implement threat, behavior and audience-based, concise learning programs with active user engagement to maximize attention and retention.

Intellectual property

35 percent of executives believe IP theft was the primary motive for the cyber-attacks experienced by their company in the past 12 months—second only to financial theft (45 percent of survey respondents). Theft of intellectual property ranks as the second most important future cyber threat facing manufacturers. IP theft also ranks closely with consumer data as the top sensitive data concern for manufacturing companies.

What manufacturers should do

• Protecting sensitive data requires a comprehensive data protection strategy, executive support, and investment of time, talent, and funding.
• Organizations may also need to make some strategic business decisions based on the risk tolerance.

Industrial control systems

Almost one-third of manufacturers have not performed any cyber risk assessments specifically focused on the ICS operating on their shop floors. This could pose a significant risk to their operations. Nearly two-thirds of companies that have performed an ICS cyber risk assessment used internal resources, potentially introducing organizational bias into the assessment process.

What manufacturers should do

• Create an overall inventory of all connected devices including ICS that are attached to those network segments.
• Arrange a cross-functional security team that includes representatives from global information security, engineering, and operations.

Connected products

Close to 50 percent of manufacturers have mobile apps in their connected product ecosystem, and 76 percent of companies choose WiFi to enable data flows between their connected products. Over half of manufacturing executives said the connected products their companies produce are able to store and/or transmit confidential data including social security and banking information.

What manufacturers should do

• Prior to release, be sure to assess the value add for new connected product functionality.
• Maintain an open line of communication with legal.
• Determine whether cyber threat monitoring and wargaming simulations/resiliency exercises are comprehensive enough to cover top cyber risks.

Industrial ecosystem

Today’s evolving business environment is subject to increasing digital expectations from clients and customers, and new cybersecurity requirements being put on suppliers. Many manufacturers are just beginning to assess cyber risks related to key third parties in their innovation network, subcontractors, supply chain, and other critical business partners.

What manufacturers should do

• Define requirements for third-party cyber risk management up front in key contracts.
• Increasing monitoring and assurance activity over third parties could significantly reduce overall cyber risk.
• The drivers for third-party engagement are increasingly shifting from a focus on cost to a focus on value.

Emerging cyber risk themes

Given the highly connected environments manufacturers work in, and the pace of technological change they face, cyber risk is a top-of-mind industry issue. In fact, nearly half of the executives we surveyed lack confidence they are protected from external threats, and it is increasingly important for organizations to assess their organization’s risk profile and preparedness in the event of a breach or cyberattack.

Six key cyber risk themes above emerged in the study as critical to manufacturers’ abilities to capture the value associated with the new frontier of technology, while appropriately addressing the dynamic cyber risks, in order to protect and enhance value over the longer term.

Top 10 questions boards should be asking

1. How do we demonstrate due diligence, ownership, and effective management of cyber risk? Are risk maps developed to show the current risk profile, as well as timely identifying emerging risks we should get ahead of?
2. Do we have the right leadership and organizational talent? Beyond enterprise systems, who is leading key cyber initiatives related to ICS and connected products?
3. Have we established an appropriate cyber risk escalation framework that includes our risk appetite and reporting thresholds?
4. Are we focused on, and investing in, the right things? And, if so, how do we evaluate and measure the results of our decisions?
5. How do our cyber risk program and capabilities align to industry standards and peer organizations?
6. How do our awareness programs create cyber-focused mindset and cyber-conscious culture organization wide? Are awareness programs tailored to address special considerations for high-risk employee groups handling sensitive intellectual property, ICS, or connected products?
7. What have we done to protect the organization against third-party cyber risks?
8. Can we rapidly contain damages and mobilize response resources when a cyber incident occurs? How is our cyber incident response plan tailored to address the unique risks in ICS and connected products?
9. How do we evaluate the effectiveness of our organization’s cyber risk program?
10. Are we a strong and secure link in the highly connected ecosystems in which we operate?

Board reporting infographic

Please click on the infographic to enlarge.

Please click here to download the infographic.

Be Secure.Vigilant.Resilient.™: Top 10 next steps

1. Set the tone. The CISO cannot be an army of one. He or she needs to be appropriately supported by the leadership team and management to accomplish key cyber risk objectives for the company.
2. Assess risk broadly. Perform a cyber risk assessment that includes the enterprise, ICS, and connected product, and ensure any recent assessments were inclusive of advanced manufacturing cyber risks such as IP protection, ICS, connected products, and third-party risks related to industrial ecosystem relationships.
3. Socialize the risk profile. Share the results of the enterprise cyber risk assessment, and recommended strategy and roadmap with executive leadership and the board. Engage in dialogue as a team related to the business impact of key cyber risks, and prioritize resource allocation to address risks commensurate with the organization’s risk tolerance, risk posture, and capability for relevant business impact.
4. Build in security. Evaluate top business investments in emerging manufacturing technologies, IoT, and connected products, and confirm whether those projects are harmonized with the cyber risk program. Determine whether cyber talent is resident on those project teams to help them build in cyber risk management and fail-safe strategies on the front end.
5. Remember data is an asset. It is important to change the mindset in manufacturing from a transactional mindset to the fact certain data alone may be an asset. This likely necessitates a tighter connection between business value associated with data and the strategies used to protect it.
6. Assess third-party risk. Inventory mission-critical industrial ecosystem relationships, and evaluate strategies to address the third-party cyber risks that may coincide with these relationships.
7. Be vigilant with monitoring. Be vigilant in evaluating, developing, and implementing the company’s cyber threat monitoring capabilities to determine whether and how quickly a breach in key areas of the company would be detected.
8. Always be prepared. Increase organizational resiliency by focusing on incident and breach preparedness through table-top or wargaming simulations. Engage IT as well as key business leaders in this exercise.
9. Clarify organizational responsibilities. Be crystal clear with the executive leadership team on the organizational ownership responsibilities for key components of the cyber risk program, and make sure there is a clear leader on the team with responsibilities to bring it all together.
10. Drive increased awareness. Get employees on board. Make sure they are appropriately aware of their responsibilities to help mitigate cyber risks related to phishing or social engineering, protecting IP, and sensitive data, and appropriate escalation paths to report unusual activity or other areas of concern.

Please click here for the full report.