Manufacturing a Defense Against Phishing


Cybersecurity has recently become a top priority for the manufacturing industry, with ransomware and phishing attacks continuing to cause disruption, production issues and financial loss.

At one stage, manufacturing was named the second most attacked industry, according to IBM, with ransomware attacks against the sector increasing from 211 in 2021 to 437 in 2022. Due to the convergence of IoT/OT and the rise of digital transformation, the attack surface for organizations within this sector has expanded, presenting more potential entry points to hackers.

Of the top causes of successful ransomware attacks, social engineering is the leading instigator, with phishing being the most common technique for attackers. By spamming personnel within an organization with malicious messages, attachments or websites via email (phishing), voice (vishing) or SMS (smishing), criminals hope that at least one person will take the bait, handing over credentials that give them access to the organization. Last year, 82% of data breaches were attributed to human error or mistake, highlighting the importance of the human element in manufacturers’ cybersecurity efforts.

Manufacturers are a natural target for cyber-criminals; they collect and produce valuable quantities of intellectual data which, if stolen, could be sold to competitors or nation-states. They also have a low tolerance for downtime, as any disruptions to manufacturing will result in unwanted costs.

To reduce the likelihood of a phishing attack, manufacturers must first avoid this simple mistake: investing large sums in the latest technology on the market.

Technology is a crucial element within an organization’s defenses, but with social engineering the preferred attack route, the core problem that needs to be addressed is the psychological behaviors of the workforce. Changing these behaviors will have a more positive effect on the security culture: educating the wider workforce about cyber risks, how to stay safe online and how to spot red flags will only lead to improved security habits.

Benchmark to See Areas to Strengthen

Delving further into the threat posed by phishing, research revealed that among the top industries, manufacturers, particularly those with under 250 employees, are highly likely to be duped by phishing threats. Measured by Phish-prone™ Percentage (PPP), which calculates an organization’s employee susceptibility to simulated phishing attacks over three stages, small manufacturers had a PPP score of 29.5%, higher than the average of 28.8% for all small organizations. This shows that manufacturing workers are lagging behind workers in other industries when it comes to identifying cyber-criminals’ phishing and social engineering tactics.

It’s never nice to single out an industry, business or individual, but by benchmarking and identifying the issue, we can clearly see the areas that need strengthening to make the necessary changes to improve overall security awareness and habits.

Furthermore, those responsible for security and risk management within manufacturers should look to obtain the full support of executives while clearly communicating and aligning the current security policies. Investment should begin with security awareness and training programs to prepare staff for such threats.

Leading by Example

Having role models within the company is another important security element to factor in. Regardless of the size of the organization, C-level and senior management should be active participants when it comes to promoting and participating in security awareness. This creates a ‘norm’ of security best practices within the workplace that others naturally observe and follow. Along the way, ‘security champions’ will become apparent and these individuals can be the torchbearers to help shape the company’s overall security culture.

Moreover, engaging security awareness content is vital to the success of any security awareness training program because it creates a positive learning experience for participants. If participants have a positive experience, there is a higher chance of secure behavioral change. There are security awareness providers that can supply training in a variety of flavors, mediums and languages to fit the audience and the learning style of the workforce.

Mundane, boring material or repetitive learning will only limit the experience and reduce the retention of the audience. Furthermore, don’t get trapped into a one-size-fits-all approach that treats every user the same. Different departments, employee groups and executives will all have unique risk factors, and therefore their training should reflect these. By making sure all groups are catered for and by not focusing too narrowly, efforts to change and improve the organization’s security-related habits will be set up to succeed from the outset.

Manufacturers need to build a strong foundation and an environment where security culture can begin to flourish as the workforce gains a clearer understanding of their roles and responsibilities within the overall defense of the company.

For the best outcome, use phishing simulations and interactive training material to give staff the best opportunities to make smarter and safer decisions. There are even tests available to measure the strengths and weaknesses of the workforce’s phishing proneness. Regarding security, building the workforce as an effective last line of defense should be a priority for all manufacturers.
