Cybersecurity is a complex topic no matter what industry vertical it is applied to. In order to reduce that complexity, it helps to frame cybersecurity in the context of the business. For manufacturers, there is a familiar concept that can be used: begin with the end in mind.
So, what does the end look like in terms of cybersecurity? Incident response. The dizzying landscape of cybersecurity solutions, vendors, and managed services typically revolves around the prevention of a cybersecurity incident. While an ounce of prevention is worth a pound of cure, cybersecurity is fundamentally a risk management process, and a quick scan of recent headlines will show that absolute prevention is an impossible task. In fact, some of the largest companies in the world with elite cybersecurity operations begin with the assumption that, despite their formidable talents and budgets, their defenses have already been breached.
That may be a reasonable assumption for international conglomerates, but is it reasonable for small manufacturers? Absolutely. The 13th annual Verizon Data Breach Investigations Report (one of the most highly respected and eagerly anticipated reports every year) breaks down over 150,000 cyber incidents collected from more than 80 research contributors across 16 industry verticals, including manufacturing. According to the report, manufacturers are unique in that they are consistently targeted by both organized cybercriminals and nation-state actors, rather than one or the other. Overall, even the very fastest incident detection and response times are measured in days. Twenty-five percent of the breaches included in the 2020 report took months or more to detect.
Cybersecurity incidents are inevitable, but their impacts can be greatly mitigated with proper response planning. Ransomware can be either an existential threat to the company or an annoyance resulting in unexpected downtime, depending entirely on how well a company plans with the end in mind. Managed service providers may be able to detect an incident, but they are rarely able to respond to it. Companies often find themselves in legal trouble not for experiencing an incident, but for a lack of reasonable steps in planning for and executing incident response. Soon, DoD suppliers will find themselves unable to bid on new contracts without integrating robust incident response requirements into their overall security programs. It is telling that of the 12 paragraphs in the primary DoD acquisition regulation for cybersecurity, only one is dedicated to “adequate security” while five are dedicated to incident response and reporting.
Failing to keep the end in mind while managing cyber risk can easily lead to the end of an organization. CMTC has tremendous experience helping manufacturers reinvent cybersecurity programs large and small. Don’t hesitate to reach out for more information on the topics discussed here, on the 2020 Verizon DBIR, or simply for help demystifying and understanding the complex world of cybersecurity.