Study: Manufacturers aware of cybersecurity concerns but underspending on training

January 9, 2019 – A new U.S. survey exploring cybersecurity challenges faced by the global manufacturing industry has found that manufacturers still face security concerns, that they continue to struggle with finding skilled cybersecurity staff and that they may be underspending on security training. 

ISACA, a global firm dedicated to helping enterprises and workers achieve digital transformation, and the Digital Manufacturing and Design Innovation Institute (DMDII) commissioned the survey in August 2018, which involved 167 participants from the ISACA and DMDII network. Where possible, the findings were compared against ISACA’s 2018 State of Cybersecurity and 2018 Cybersecurity Culture research findings for all industries. 

“Three-quarters of U.S. manufacturing firms have fewer than 20 employees and 98 per cent have fewer than 500. To shore up the resiliency of the U.S. supply chain, reaching small manufacturers is essential, and understanding their needs and capabilities is a crucial initial step,” says Kevin McDunn, chief product officer of DMDII. “This survey begins this important work that will lead to the type of accessible, low-cost tools and training opportunities that DMDII can develop and get into the hands of these manufacturers.”

Survey results revealed some areas of strength related to the manufacturing industry’s approach to cybersecurity when compared against all industries:

• 78 per cent of manufacturing organizations have a formal process for dealing with cybersecurity incidents, and 68 per cent have one for ransomware attacks.
• 77 per cent expressed confidence in their security team’s abilities to detect and respond to advanced persistent threats (APTs).
• 34 per cent noted they were experiencing more cybersecurity attacks today than a year ago, compared to 62 per cent across all industries from ISACA’s 2018 State of Cybersecurity survey.
• 74 per cent indicated they believed their organization’s cybersecurity training budgets would either increase or at least be maintained at current levels; only four per cent anticipated a decrease in the coming year.

Related news
EMC creates program for Canadian manufacturers to address cybersecurity
Vectra finds manufacturers have increased risk of cyber attacks over other industries
Study estimates 41% of Canadian companies had sensitive data exposed

Despite these positive data points, the survey results also revealed areas where the industry still needs to make progress:

• 75 per cent of manufacturing organizations have a program in place to promote cybersecurity awareness among their employees, but only 37 per cent believe that their programs are very to completely effective.
• 47 per cent of manufacturing organizations are spending less than US$1,000 on average each year on continuing education opportunities for their staff—versus 25 per cent in other industries—and nearly one in 10 reported that their enterprises spent nothing on average each year on these educational opportunities.
• 81 per cent of manufacturing organizations are somewhat to very concerned about the potential cybersecurity risks with personal, internet-connected devices.
• 58 per cent don’t allow those devices to connect to the corporate network and 72 pervcent don’t allow those devices to connect to the corporate network on the manufacturing floor.

Finding skilled cyber-staff remains challenging. A 1.8 million worker shortage is anticipated by 2022. Respondents indicated it takes an average of five months to fill open positions and 61 per cent of hiring managers said less than half of applicants are qualified.

“Though the manufacturing industry has made great strides in addressing security issues, this research illustrates the need for organizations to elevate cybersecurity as a priority to build the foundation of its cybersecurity culture, better secure their operations, and strengthen the global digital economic ecosystem,” says Frank Downs, director of cybersecurity practices at ISACA. “Partnerships and information sharing, like ISACA’s collaboration with DMDII on this study, are becoming increasingly key to accomplishing these goals.”

This outreach was meant to take an early pulse of manufacturing cybersecurity with a smaller sample size, with plans to expand this research with a larger-scale survey in the future.