Cyber-threats are a given today across geographical boundaries, industries and for organisations of all sizes. But one sector perhaps more exposed than most is manufacturing. The latest research from industry body EEF this week revealed that a quarter of firms have suffered losses stemming from online attacks. In many ways, the problems highlighted by the study extend beyond the sector and across Europe. The truth is that cyber-risk, especially linked to the supply chain, is holding back digital transformation for countless organisations.
With many European and global organisations preparing for a new regulatory landscape, they must improve their vetting of partners and suppliers, ensuring baseline cloud and email security standards pass the new guidelines.
Visibility and control
The EEF figures are particularly concerning for UK manufacturing, which is said to represent 10% of the country’s output, 70% of its R&D and employs 2.6m people. Over a third of respondents claimed cyber threats were holding back digital transformation, but the figure could be even higher in more technologically advanced industries. There are lessons here that IT security managers across Europe could learn from.
Visibility was a major issue for manufacturers, with 41% claiming they don’t have access to enough information to assess their risk exposure, while 12% said they don’t have the technical or managerial processes in place to assess risk.
Part of the challenge here must come down to the extended and complex supply chains modern organisations run today — not just in manufacturing but across all sectors. These supply chains can be large, complex webs of interdependencies through which are exchanged products and services; increasingly digital ones too. But it can get difficult for IT managers to keep track of where their dependencies lie. This is a problem when it comes to cybersecurity.
Supply chain under attack
The National Cyber Security Centre (NCSC) highlighted the supply chain as a major cause of risk. Its recently released annual report had the following:
“It is clear that even if an organization has excellent cybersecurity, there can be no guarantee that the same standards are applied by contractors and third-party suppliers in the supply chain. Attackers will target the most vulnerable part of a supply chain to reach their intended victim.”
We’ve seen first-hand with the NotPetya ransomware exactly the damage supply chain attacks can inflict. In the first instance the ransomware was seeded via popular Ukrainian accounting software — high up in the digital supply chain. Once it spread beyond the intended targets it infected companies including global shipper Maersk and logistics giant FedEx, impacting countless other supply chains in the process.' It just takes one phishing email to a contractor and the keys to your AWS data stores or network access could be in the hands of the black hats.' ~@philmuncaster Click To Tweet
The bottom line is that suppliers and partners expose your organisation to huge extra risk. It just takes one phishing email to a contractor and the keys to your AWS data stores or network access could be in the hands of the black hats. They could also provide a channel for ransomware, email fraud and other types of malware.
However, irrespective of who is doing the attacking, it’s vital to start mitigating supply chain risk effectively. In fact, over half (59%) of respondents to the EEF study said they’ve been asked by a customer to demonstrate or guarantee the robustness of their cyber-security processes, and 58% have asked the same of a business within their supply chain. Unfortunately, just 37% of manufacturers said they could not do this if asked today.
The compliance burden
Aside from the financial and reputational repercussions of a major supply chain breach or related malware infection, organisations must also think about the impact of new laws. Regulators are increasingly keen to enforce greater levels of accountability and transparency in how consumers’ personal data is used and protected by organisations. That means you will have to audit all your suppliers and partners for compliance with the regulation and write this into new contracts with them.
As part of these new contracts, also consider:
- Mandating suppliers to put in place best practice security controls to bring them into line with your organisation. Consider email and web gateways, next-gen firewalls, backup tools, web application firewalls and more…
- Training supply chain staff with anti-phishing awareness programmes, or ensuring that your partner organisations do
- Conducting background security checks on third-party employees
Organisations which get a handle on supply chain risk and lock down threats via cloud and email channels will ultimately be in the driving seat. They’ll stand a great chance of escaping punitive fines and other financial and reputational liabilities stemming from breaches, but they’ll also be able to protect cloud-driven digital investments to accelerate differentiation and growth.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.