Three quarters of manufacturing companies claim they are aware of cyber risks and can deal with most of them — but, in reality, many still lack the skills and security practices to do so, new research has found.
In a survey of 350 industrial groups across Europe and the US, conducted by the Financial Times’ Longitude research and consulting business, 75 per cent reported that they either knew of a cyber attack being mounted against their operations (40 per cent) or had knowingly avoided an attack (35 per cent).
Among those that did suffer a cyber attack or data breach, nearly half said it dented their profits, while four in ten acknowledged there had been reputational damage as a result, and a reduction in sales.
Medium-sized companies, with a valuation between $500mn and $1bn, emerged as the most likely to be successfully targeted by hackers or cyber criminals, with 49 per cent admitting they had “knowingly suffered a cyber attack”. In comparison, only 41 per cent of $1bn-plus groups and 36 per cent of smaller, sub-$500mn businesses knew of attacks. Large companies were the most likely to have knowingly avoided an attack: 44 per cent said they had managed to do so, against only 29 per cent of medium-sized businesses.
But, despite their greater vulnerability, the ‘squeezed middle’ of the manufacturing industry appears to be less well prepared for various cyber attacks than larger or smaller groups. Of the five common types of attack, medium-sized companies had the lowest level of preparedness for four of them: scamming; phishing (where fraudsters trick businesses into disclosing payment information); ‘man-in-the-middle’ attacks (where criminals intercept and change secure messages between parties); ransomware (where data is ‘locked’ with encryption and only released for a ransom); and SQL injection (where malicious code is used to access databases).
And ‘cyber hygiene’ — the carrying out of appropriate security practices — was found to be poor across companies of all sizes. Only a quarter made connecting via virtual private networks mandatory; only a third prompted staff to change passwords and demanded mandatory software updates; fewer than half backed up data regularly or arranged industry-specific cyber training.
Senior management often failed to ensure sound systems of cyber governance were in place. Only 36 per cent of manufacturing groups gave a board member direct responsibility for cyber security, or reported on it every year. Fewer than half operated a company-wide security policy or made staff throughout their businesses accountable for cyber safety.
Longitude’s survey did find that a small number of manufacturers were taking effective steps to protect their operations — by investing in technology, insurance and specialist advice. More than half are now investing more in cloud computing security measures, safeguarding their computer networks, and preventing attacks via interconnected devices (the ‘internet of things’).
However, the disparity between most companies’ stated confidence and their limited skillsets and preparations led the researchers to question their ‘false sense of security’.