What is cyber resilience in manufacturing?
By Taylor Edwards
July 16, 2019 – In the age of technology, the security of data, networks, applications and devices has become a top-of-mind risk for organizations of all sizes and across all industries.
Manufacturing operations are no exception. In fact, according to the Insurance Institute of Canada, manufacturing is one of the top industries targeted by cyber criminals. With the digital transformation of the manufacturing process, it has become an industry norm for organizations to quickly adopt new, more efficient technologies into their production processes. Unfortunately, it is these technologies that are often a prime target for cyber criminals as points-of-entry to a network.
The reality is that despite the risks to network security, manufacturers are turning to automation and other new technologies for their ability to boost production efficiency and increase both workforce flexibility and product quality. As a result, cyber resilience is a concept that is rapidly gaining traction in the industry. Cyber resilience is an umbrella term encompassing information security, IT infrastructure, business processes and organizational continuity, and acts as a tool to demonstrate how well an enterprise can manage a cyberattack or data breach while continuing to operate its business effectively.
In order to reach an acceptable level of cyber resilience, companies are developing and maintaining clear and robust policies whose purpose is to address prevention, disclosure, crisis management and insurance coverage in the event of a data breach. Many companies currently have these types of policies in place; however, it is important to note that they need to be tailored to reflect the individual cyber risk profile of a company and the increasing impact of cyber risk on everyday transactions, both professional and personal.
It is equally important that these cyber security policies follow good design and governance practices: not so long that they become unusable, not so vague that they become meaningless, and regularly reviewed to ensure they stay pertinent to changing needs.
To help avoid a security breach, companies must pay careful attention to their cybersecurity as a whole. Cybersecurity is about risk management, not risk elimination. Complete prevention of attacks is impossible; what is realistic is an in-depth security approach that operates layered defenses, rapidly mitigates harm and fosters resiliency and recovery. Multiple levels of security, password management, firewalls, and device management are only a start in cyber security risk management, and the best advice is to bring in an outside expert to test your computer systems and make security recommendations.
It is important that a company be aware of its disclosure responsibilities in the event of a data breach. As of November 1, 2018, the Personal Information Protection and Electronic Documents Act (PIPEDA) requires companies, by law, to report any breaches of security to the Privacy Commissioner of Canada, to notify affected individuals about those breaches, and to keep records of all breaches. When notifying clients about the breach, it is equally important to evaluate which information and how much detail should be released.
Having an action plan in place prior to an event has been shown to dramatically reduce the cost, time to recovery and reputational damage of a breach. Developing this plan can be achieved by assembling a cross-functional working group of management, lawyers, risk managers and the IT department working to define the firm’s cyber risk profile, design potential scenarios, measure the impact and size up mitigation strategies.
A data breach can occur as the result of a number of incidents, including hacking, the loss of a laptop and unauthorized employee access. Data breaches can be incredibly costly for manufacturers, and expenses related to forensics, notification costs, public relations, crisis management, and fines and penalties can add up quickly. While it is possible to finance some of these costs internally, there are also cyber insurance packages to help mitigate the financial burden of a cyber incident.
The key to effective cyber risk management and ultimately cyber resilience is the careful planning and execution of all four of these components. The best strategies are developed with the presumption that the company is going to experience a cyber intrusion at some point.
It is not a matter of “if” but “when,” and manufacturers must focus on how to continue business operations while under attack or after a breach has occurred. Most importantly, companies should focus on getting started – a rough plan with crude measurements is perfectly fine. The journey to cyber resilience has to start with a single step.
Taylor Edwards is a risk advisor at insurance company Prolink.