Over the past several months, we have seen a string of corporate data breaches. The diverse set of enterprise targets make it clear that no company is safe from cyberattacks and while attacks occur in every industry, the manufacturing industry is in a unique position. Global competition and threat actors looking for a competitive advantage make manufacturer trade secrets a prime target for cyberattacks.
Beyond the value of this proprietary information, the growing prevalence of connected technologies, which increase production and efficiency, unfortunately also create additional avenues for attack. The manufacturing industry as a whole needs to take cybersecurity threats more seriously and increase defenses as these attacks result in financial loss, production downtime and damaged reputations and relationships.
Cyber-espionage: Targeting a Manufacturer’s Trade Secrets
Verizon’s 2018 Data Breach Investigations Report found that across all industries, most attacks are opportunistic, while 86 percent of attacks impacting manufacturers are targeted acts of cyber-espionage. That is because cybercriminals targeting manufacturers are most often trying to obtain the planning, research and development of a manufacturer’s products. Why put in the effort when you can just steal someone else’s ideas? Almost half (47 percent) of manufacturing breaches covered in the 2018 report involved the theft of intellectual property to gain competitive advantage. To put that number into perspective, only 13 percent of breaches across all industries analyzed in the report were motivated by espionage. Manufacturers work hard to remain competitive on a global scale and as competition increases, so does the demand for stolen intellectual property.
Manufacturers have also adopted new innovations such as Internet of Things (IoT) devices and machine learning on a large scale to keep pace with an evolving industry. These technologies increase productivity but they also increase the risk of cyberattack. According to Deloitte’s 2016 Global Manufacturing Competitiveness Index, CEOs say advanced manufacturing technologies like IoT, predictive analytics and smart products and factories, are essential to remaining competitive. In fact, Verizon’s State of the Market: Internet of Things 2017 found an 84 percent increase in IoT network connections in the manufacturing industry between 2016 and 2017. Adopting these technologies is essential for success but this creates a challenge in how to balance the increased efficiency while reducing the security risk associated with connected devices.
So who is carrying out cyberattacks on manufacturers? Verizon’s report found that manufacturing was one of the only industries in which state-affiliated actors were a main threat actor. However, external actors are not the only concern when it comes to cybersecurity in the manufacturing industry. Most external espionage cases begin with some type of phishing attack—cybercriminals send out phishing emails with the hopes that an unsuspecting employee will take the bait. On average, four percent of the targets in any given phishing campaign will click it. Employees can be an organization’s greatest asset but when it comes to a phishing cyberattack, they can also be a significant liability, which is why cybersecurity education is important for employees at any level.
Moreover, employees are not always the victims in cyberattacks—they may also be the perpetrators. Like external threat actors, employees may intentionally steal intellectual property to gain a competitive advantage.
Best Cybersecurity Practices for Manufacturers
There is no doubt that manufacturers are a prime target for cybercrime and they will likely continue to be bombarded with phishing attempts and cyberespionage attacks. Luckily, there are several tactics manufacturers can adopt to stay a step ahead of cybercriminals.
- Data Storage and Access: Keep highly sensitive and secret data separated from the rest of your network. Restrict access to data to only those individuals who absolutely require it to do their jobs. It is also important to monitor that access routinely to ensure the data is not being copied, moved or accessed in a suspicious manner.
- Data Loss Prevention: Implement data loss prevention (DLP) controls to identify and block transfers of data by employees. It is not only state-affiliated actors who can pose a threat—employees may also be motivated to steal secrets, especially those who are terminated or resigning.
- Employee Security Education: Most external espionage cases begin with some type of phishing attack. You should conduct routine security training for employees to lessen the effectiveness of phishing attempts. Also, provide employees with a quick and easy way to report these kinds of attacks and encourage them to do so.
- Security for Connected Devices: Adopt security measures designed specifically for IoT systems, such as a security credentialing service designed to help reduce many of the security threats linked with today’s IoT deployments. Just as user names and passwords allow employees to access various networks and devices, security credentials issued to connected devices enable only trusted devices to communicate with the enterprise infrastructure.
- Multi-Factor Authentication: Thirty-four percent of security incidents in the manufacturing industry in 2017 involved malware. Once a hacker steals an employee’s login credentials, they can spread a virus throughout a manufacturer’s systems. To prevent the spread of viruses to other parts of a network, manufacturers should implement multi-factor authentication (MFA) to access systems, adding an additional layer of security.
Manufacturers face threats from both external and internal actors. Trade secrets are too valuable not to protect and manufacturers cannot afford to get lax in their cybersecurity practices. Armed with the knowledge of where they are must vulnerable, manufacturers will be better positioned to protect their intellectual property and prevent attacks motivated by cyberespionage.
Michael Kotelec Global Practice Leader with Verizon Enterprise Solutions.