Cyber risk in advanced manufacturing
Getting ahead of cyber risk
Given its focus on innovation and an increasing reliance on connected products, the manufacturing industry is particularly vulnerable to cyber risks. To assess the landscape, Deloitte and MAPI conducted a cyber risk in advanced manufacturing study. Led by Deloitte’s Center for Industry Insights, the study is informed by 35 executive interviews and 225 survey responses collected in collaboration with Forbes Insights. The study examines six emerging themes and offers manufacturers insights into what they should do to be secure, vigilant, and resilient in addressing cyber risk.
Six key themes for cyber risk in advanced manufacturing
Emerging cyber risk themes
Given the highly connected environments manufacturers work in, and the pace of technological change they face, cyber risk is a top-of-mind industry issue. Nearly half of the executives we surveyed lack confidence that they are protected from external threats, so it is increasingly important for manufacturers to assess their risk profile and their preparedness for a breach or cyberattack.
Six key cyber risk themes emerged in the study as critical to manufacturers' ability to capture the value of new technology while addressing the dynamic cyber risks that come with it, so that value is protected and enhanced over the longer term.
Top 10 questions boards should be asking
- How do we demonstrate due diligence, ownership, and effective management of cyber risk? Do we maintain risk maps that show the current risk profile and identify emerging risks early enough for us to get ahead of them?
- Do we have the right leadership and organizational talent? Beyond enterprise systems, who is leading key cyber initiatives related to industrial control systems (ICS) and connected products?
- Have we established an appropriate cyber risk escalation framework that includes our risk appetite and reporting thresholds?
- Are we focused on, and investing in, the right things? And, if so, how do we evaluate and measure the results of our decisions?
- How do our cyber risk program and capabilities align to industry standards and peer organizations?
- How do our awareness programs create a cyber-focused mindset and a cyber-conscious culture organization-wide? Are awareness programs tailored to address the special considerations for high-risk employee groups handling sensitive intellectual property, ICS, or connected products?
- What have we done to protect the organization against third-party cyber risks?
- Can we rapidly contain damages and mobilize response resources when a cyber incident occurs? How is our cyber incident response plan tailored to address the unique risks in ICS and connected products?
- How do we evaluate the effectiveness of our organization’s cyber risk program?
- Are we a strong and secure link in the highly connected ecosystems in which we operate?
Be Secure.Vigilant.Resilient.™: Top 10 next steps
- Set the tone. The CISO cannot be an army of one. He or she needs to be appropriately supported by the leadership team and management to accomplish key cyber risk objectives for the company.
- Assess risk broadly. Perform a cyber risk assessment that covers the enterprise, ICS, and connected products, and confirm that any recent assessments included advanced manufacturing cyber risks such as IP protection and the third-party risks that come with industrial ecosystem relationships.
- Socialize the risk profile. Share the results of the enterprise cyber risk assessment, together with the recommended strategy and roadmap, with executive leadership and the board. Discuss as a team the business impact of the key cyber risks, and prioritize resource allocation to address those risks in line with the organization's risk tolerance, risk posture, and the business impact each risk could have.
- Build in security. Evaluate top business investments in emerging manufacturing technologies, IoT, and connected products, and confirm whether those projects are harmonized with the cyber risk program. Determine whether cyber talent is resident on those project teams to help them build in cyber risk management and fail-safe strategies on the front end.
- Remember data is an asset. Manufacturers need to move from a transactional view of data to one that recognizes that certain data is itself an asset. This likely requires a tighter connection between the business value of the data and the strategies used to protect it.
- Assess third-party risk. Inventory mission-critical industrial ecosystem relationships, and evaluate strategies to address the third-party cyber risks that come with these relationships.
- Be vigilant with monitoring. Continually evaluate, develop, and implement the company's cyber threat monitoring capabilities, and use them to determine whether, and how quickly, a breach in key areas of the company would be detected.
- Always be prepared. Increase organizational resiliency by focusing on incident and breach preparedness through table-top or wargaming simulations. Engage IT as well as key business leaders in this exercise.
- Clarify organizational responsibilities. Be crystal clear with the executive leadership team on the organizational ownership responsibilities for key components of the cyber risk program, and make sure there is a clear leader on the team with responsibilities to bring it all together.
- Drive increased awareness. Get employees on board. Make sure they understand their responsibilities for mitigating cyber risks from phishing and social engineering, for protecting IP and sensitive data, and for using the appropriate escalation paths to report unusual activity or other areas of concern.