Today, in partnership with AIG, we published our report, Cyber Security for Manufacturing. While this issue is new territory for EEF, it is one of increasing importance to businesses operating throughout our sector. The report has been co-authored with the Royal United Services Institute (RUSI), whose expertise in the field of cyber-security research is well established. For this report we have brought together our expertise to examine the evolving threat that modern manufacturing businesses face.
So what have we have found out?
Manufacturing is a prime target for cyber-crime
According to our survey, 48% of manufacturers have been subject to cyber-attack, and half of these businesses suffered either financial loss or disruption to business as a result; that’s a large number and supports wider analysis that shows the sector is both targeted and vulnerable; by some measures the third most targeted sector after finance and government. The reasons are apparent; UK manufacturing succeeds on the back of innovation and cutting edge technology, delivering products to market that are world leading in their field. Cyber-crime that targets the theft of intellectual property and general disruption to business are the underhand methods that some competitors will look to exploit.
Manufacturers are investing in digital technology – but cyber-security is knocking confidence in it
While 91% of manufacturers told us that they are investing, or intend to invest in digitisation, 35% said that their perception of vulnerability to cyber-threats is inhibiting then from doing so fully. This suggests that opportunities are being missed and some businesses risk falling behind in the race to digitise. The UK manufacturing cannot risk being left behind by the 4th Industrial Revolution, which is bad news for businesses individually and for the economy more generally. Yet this is largely based on misapprehension. Sensible precautions and a proper cyber-security business plan will mitigate against the majority of the threat and should not be a barrier to the adoption of new technology that supports productivity and growth.
Cyber-security means more than just securing your emails
Although 75% of manufacturers tell us that they monitor and protect their systems and software from cyber-attack, significantly fewer have a comprehensive business strategy in place, including risk registers and staff training. It is critical that businesses do not see this as just a technology problem, but one that is more fundamental to business operations. Most cyber-attacks that succeed ultimately do so due to human error – mitigation and risk management are therefore fundamental to proper security. Moreover, the volume of attacks means that no level of cyber-security can be guaranteed to be 100% secure, 100% of the time; having a plan for recovery in place in the event of a breach sits at the heart of good business strategy.
The cyber-security environment is a confusing one for business...
Almost half (41%) of manufacturers don’t believe they have access to sufficient information and advice to confidently assess their specific cyber security risk, and an even greater number (45%) are not confident they are prepared with the right tools, processes and technologies to deal with it. The problem therefore is not that the tools do not exist to do this, but that manufacturers often struggle to access and assess the advice and guidance required to confidently and appropriately apply it to their business.
…and some manufacturers are choosing to ignore it completely…
A worryingly large 12% of manufacturers told us that they have no technical or managerial measures in place at all to either assess or mitigate against the threat from cyber-attack. Given that almost all the businesses reporting this are SMEs, there needs to be a particular focus on their requirements – one size does not fit all and comprehensive security cannot be the exclusive domain of big business. Affordable and trusted solutions need to be identified that work for the vast majority of UK businesses.
…but solutions are out there that all can access
Schemes such as the government-backed ‘Cyber Essentials’ might not be specific to manufacturers, but they help businesses regardless of the sector in which they operate to guard against the most common cyber threats – and demonstrate through certification that they are doing so. These relatively simple steps will protect from over 80% of the threats that exist, and ensure that a business does not fall victim to the most common attacks that are not targeted, but instead aim to pick of those who are not protected in anyway.
Change will be driven by business need – soon, if you’re not secure, you won’t be selling
The need to have demonstrable cyber safeguards in place is going to become ever more necessary merely to operate in the sector. 59% of manufacturers reported to us that they have already been asked by a customer to demonstrate or guarantee the robustness of their cyber security processes, and 58% have asked the same of a business within their supply chain. It is therefore increasingly unsustainable for the 37% of manufacturers who report that they could not, as of today, demonstrate or guarantee the robustness of their processes to continue in this regard. Ultimately, this is what will drive attitudes towards change.