EEF in partnership with AIG. AIG Viewpoint by Romaney O’Malley
Manufacturing is a significant target for cyber-criminals. This can result in the theft of sensitive data, the disruption of access to systems or operational technology, or industrial espionage for competitive advantage. In our survey of manufacturers, 48% said that they have at some time been subject to a cyber-security incident, half of whom suffered some financial loss or disruption to business as a result. There seems little doubt that many more attacks will have gone undetected.
Moreover, cyber-related risks for manufacturers are only likely to deepen and broaden with increasing digitisation. While 91% of businesses surveyed say they are investing in digital technologies in readiness for the 4th Industrial Revolution, 35% consider that cyber-vulnerability is inhibiting them from doing so fully. This suggests that opportunities are being missed and some businesses risk falling behind in the race to digitise. The result must not be that the UK falls away from the vanguard of manufacturing excellence.
Across our sector, maturity levels are highly varied, both in terms of awareness of the cyber-security challenge and the implementation of appropriate risk mitigation measures. 41% of manufacturers don't believe they have access to sufficient information to confidently assess their specific risk, and 45% are not confident they are prepared with the right tools for the job. A worryingly large 12% of manufacturers surveyed have no process measures in place at all to mitigate the threat.
EEF welcomes the steps the government is taking to improve national cyber-security resilience. But, to date, no priority has been given to the specific needs of manufacturing. This must change. There needs to be a particular focus on the requirements of our sector, recognising that a one-size-fits-all approach for business is insufficient and, equally as importantly, comprehensive security cannot be the exclusive domain of large businesses who can afford bespoke end-to-end protection.
The impetus for change is coming from manufacturers themselves. The need to have demonstrable cyber-security safeguards in place is becoming ever more necessary to operate in the business environment. 59% of manufacturers report that they have already been asked by a customer to demonstrate or guarantee the robustness of their cyber-security processes, and 58% have asked the same of a business within their supply chain. For the 37% of manufacturers who report that they could not do this if asked to today, business will become increasingly challenging.
However, while some manufacturers are only at the beginning of their cyber-security journey, as this report shows, sensible precautions and a proper cyber-security business plan are in reach of all. These measures will provide the confidence businesses need to invest in digitisation, and the credibility to operate in the sector as a trusted supplier.
At the beginning of 2017, AIG cyber experts predicted it would be a year of business interruption and extortion through cyber crime, a prediction that proved correct. This year we expect that theme to continue, albeit in a more targeted way. So what does this mean for manufacturing firms, asks AIG’s Head of Industrials Segment, Romaney O’Malley?
Over the past 12 months it has become clear the cyber threat landscape has evolved, with attacks becoming more sophisticated and more broadly disruptive. Our cyber claims statistics back this up, with encryption ransomware extortion and other extortions leading the way.
Widespread ransomware outbreaks were followed by the first of the much expected worm versions of ransomware in May; the high profile WannaCry and NotPetya ransomware incidents impacted businesses around the world, including a number in the manufacturing sector. Manufacturers in the automotive, oil and gas, farming and food industries were among those whose production was brought to a halt while companies worked around the clock to restore and recreate data that had been encrypted by the malware.
The attacks themselves were not necessarily motivated by financial gain, but by a desire to inflict damage and commotion. And it was this disruption that was responsible for the bulk of the cyber business interruption losses, with the cost of WannaCry estimated at $8 billion, according to cyber security firm Cyence. It was also a busy year for cloud services being hacked and data being held to ransom, or the company owning the data being extorted.
We are seeing an increasing state-sponsored element to the attacks between nation states, where companies infected by malware may be collateral damage rather than the direct target of an attack. However, while state-sponsored cyber crime might not always target a specific business, it is often aimed at the economic undermining of a rival.
Thus, private sector businesses, including manufacturers, will continue to be targeted by cyber attacks (both generally and specifically), and these are likely to get more sophisticated. This requires constant vigilance and evolving defence. Certainly, as 2018 progresses, we expect to see a refinement of these modes of attack.
As companies set their cyber security strategy, it is important to understand the changing threat environment and be clear which risks pose the biggest danger to your organisation. A quick glance at AIG's cyber claims for 2017 shows the prevalence of ransomware, data breaches due to hackers, security failures due to unauthorised access, impersonation fraud and finally data breaches due to employee negligence.
Many of these cyber risks have a human element and it is important to make sure staff are trained to identify security risks, such as phishing scams and signs of fraud. Statistics suggest that in excess of 80% of all cyber losses have a human element, whether malicious or erroneous, such as clicking on a link or losing a laptop.
In AIG's experience, manufacturers' vulnerabilities can be linked to the age of their equipment and the networked nature of production facilities. Just as sprinklers and fire doors are installed to prevent the spread of fire through your property, so too should strong security measures be taken to ensure a networked building cannot be hacked and exploited. A compromised thermostat could easily spoil food or pharmaceutical products if turned up by just a few degrees.
As discussed in this report, physical damage resulting from a cyber intrusion is an exposure for manufacturers. We know there are botnets out there scouring cyberspace for insecure devices, as demonstrated by the Dyn DDoS attack of 2016. We also know that many of the networked devices, collectively referred to as the Internet of Things (IoT), were not always designed with security in mind.
These vulnerabilities are further magnified by the average age of production equipment within many facilities. Industrial equipment that is ten years old - or older - was never designed to be part of a networked environment. These legacy components can exacerbate the threat as the production environment becomes ever more connected.
Cyber insurance is more than just an exercise in transferring risk to the insurer. Most cyber insurers offer a comprehensive package of pre-loss services to help you to carry out a cyber health check. These are important as they can assist in highlighting gaps in your cyber risk management and help identify which security measures should be prioritised, be they technical, process-related or people-related (or a mixture). These also provide a measurable benchmark, which can be used as evidence of your cyber credentials and cyber risk maturity.
It is important to stress test your insurance policies in this way to see how they would respond to a cyber incident. It is possible, with support, to work through various cyber scenarios to determine where such gaps exist and whether a standalone cyber policy is needed.
It is worth going through the exercise, even if ultimately the decision is to take the risk on your balance sheet. Companies will be better placed to determine what cyber security best practice looks like for their organisation, bearing in mind that even with the right technology and employee practices cyber breaches will still occur; it is a case of when, not if.