POSTSCRIPT: Cybersecurity is a real but manageable risk: treat it that way

Cybersecurity elicits a wide variety of responses from manufacturers across Canada, ranging from complacency to dread. It shouldn’t. Cyber threats are real. But they are manageable. Manufacturers can take steps to protect themselves. Like any process, they need to be continually improved and upgraded. And they shouldn’t cost an arm and a leg, unless, of course, it’s too late and companies are having to recover from a successful cyber-attack.

According to PLANT’s Advanced Manufacturing Outlook Report for 2022, 83 per cent of manufacturers surveyed across Canada know they have experienced some sort of cyber-breach or attack, up significantly from 68 per cent reported last year. That doesn’t count some that may not be aware they’ve been breached in the first place. While 55 per cent of those attacks were phishing expeditions, 28 per cent were targeted external attacks and 19 per cent were breaches caused by a third-party supplier.

Clearly, the threat is real and it is growing. I was surprised when we conducted an audit of cyber-attacks at NGen. Over the period of one month during the summer, we received more than 16,000 emails. Almost 500 of them contained links that could have opened us up to a cyberbreach or worse. Our IT systems prevented most from getting through, but still close to 20 per cent did – and were caught by our staff before they did damage. I can tell you from first-hand experience the threat is bigger than you think.

Yet, the response from many manufacturers seems to be closer to a yawn than real concern. The outlook found that in spite of the incidents that were reported, 20 per cent of companies say they are not concerned about cyber-attacks. Even more surprising is that 93 per cent think they have done enough to guard themselves against attack, although only half have conducted a cyber-security review of their existing systems. Those companies that think they have done enough are being highly optimistic, if not frankly a little naïve. Because if an attack occurs, only one-third of manufacturers have a cyber-breach response plan in place.

Manufacturers are focusing mainly on the security of their internet communications and e-commerce systems. These are certainly important areas of concern and have been front and centre over the past 18 months of the pandemic. But, manufacturing is a complex business and the risks go way beyond phishing attacks and the internet. Any digitally enabled product or process is vulnerable to hijacking. Remember the hackers that took over control of the Jeep a few years ago? The smarter the products are, the more vulnerable they will be. Automation processes are at risk. So too is equipment on the shop floor or that you have sold to your customers. Autonomy will elevate the risks even further.

According to PLANT’s Advanced Manufacturing Outlook Report for 2022, 83 per cent of manufacturers surveyed across Canada know they have experienced some sort of cyber-breach or attack, up significantly from 68 per cent reported last year.

Then there’s the knock-on impact of cyber-problems somewhere in the supply chain. Pipelines or utilities can be shut down – as recent history has shown. Cyber-attacks can shut down production on the part of critical suppliers (not that we need any further supply chain disruptions to deal with). Public sector, financial, and supplier or customer databases can also be exposed, putting your data and IP at risk.

Cybersecurity is not just a technology problem. It is a health and safety issue. It is a legal and liability issue for companies that should have done more to protect themselves, their customers, and suppliers. And it is a business issue if production systems are forced to close, and orders or contracts are lost as a result.

Unfortunately, most organizations don’t take the problem seriously until they are attacked and face the financial consequences. Manufacturers need to get out ahead of the issue. Technology is evolving quickly and so too are the capabilities of hackers. Manufacturers can’t be complacent. No one can stand still.

The key is to be able to manage cybersecurity risks well. What can manufacturers do? Here are some pointers:
Treat cybersecurity as a critical business issue. It’s not just a problem for technicians and the IT team. It demands the attention of senior management and safeguards need to be in place throughout the organization.

Be aware of your internal and external vulnerabilities. Get assistance to conduct a cybersecurity audit of your processes. It doesn’t cost much, and it can provide valuable insights that can help you build more robust and efficient processes, in addition to identifying areas of potential exposure.

Prepare a plan to avoid attacks and to recover in the event of one. Your business may depend on it.

Make cybersecurity a part of your technology deployment and business plan. Don’t avoid adopting technologies that can help your business improve productivity and grow. That would be like deciding not to invest in a piece of equipment because, potentially, it might harm people who are operating it. You know that protections can be put in place to protect the health and safety of employees. The same is true in the case of cybersecurity.

Focus on employee training. Don’t count on security software downloaded from the internet to fully protect you. Technology fixes won’t do the trick by themselves. Hackers are too smart for that. In any event, 95 per cent of all successful cyber-attacks are the result not of technology but of human error. They are errors that can be avoided if your teams know where to look and what to do.

Demand to know the data protection and cybersecurity protocols that your suppliers and business partners have in place.

Treat cybersecurity protection as a process that needs to be continually upgraded and improved.

And finally, connect with resources that can help you understand the risks and deal with them effectively. Sharing concerns and experiences with colleagues is a good place to start. Check out the Canadian Centre for Cybersecurity. That might be a good place to go before considering a consultant.

Manufacturers need to manage cybersecurity risks as part of their standard operating procedures, subject to all the continuous improvement practices they would employ with respect to any other critical process in their business. Cyber-readiness will become even more important as manufacturing goes digital. Proactive planning needs to begin today.
__________________
Jayson Myers, the CEO of Next Generation Manufacturing Canada, is an award-winning business economist and advisor to private and public sector leaders. E-mail jayson.myers@ngen.ca.  Visit www.ngen.ca