Cyber Security and the UK manufacturing industry
What does the research tell us?
Recent studies into the manufacturing industry, like those carried out by the Engineering Employers Federation (EEF) and RUI, have provided us with useful statistics and figures about how it has fared over the past year in addition to projections for the years ahead.
Although much of the content is dominated by domestic politics and Brexit, cyber security has been listed as one of top 5 threats facing the industry, which isn’t something that bodes particularly well, especially for an industry where 60% of businesses surveyed do not see security as a priority, yet almost 50% have fallen victim to attack.
The reality is that manufacturing is the 3rd most attacked sector, behind government and finance. Not only has the industry been affected by large scale attacks which have dominated the headlines in recent years, such as the Wanna Cry attack of 2017 that cost upwards of $8 Billion worldwide, but the reputational damage inflicted can often be as severe as the financial loss. Over 90% of small businesses across all sectors who suffered an attack reported that it caused damage to their brand, stopped them winning business, even lost them clients.
Investment in Cyber Security in the UK
In response to the increasing number of attacks in recent years, the UK Government has made significant investments into cyber security. This has seen the creation of the National Cyber Security Centre (NCSC), which is now at the forefront of the fight against the cybercrime. This initiative has helped raise the profile of cyber security and has played a fundamental role in the promotion of security frameworks and guidelines.
In addition to the investments made by the UK government, the Scottish Government has invested an additional £500,000 to help reduce the financial burden on small to medium sized companies who wish to improve their cyber maturity. Through the creation of the Cyber Essentials Voucher Scheme, Scottish companies who employ less than 250 members of staff can now claim up to £1000 to help with their Cyber Essentials Plus certification.
Public sector frameworks and requirements
With the recent investments made by the Scottish and UK governments, it's no surprise that for businesses who work closely with the public sector it’s now mandatory for certain cyber security requirements to be met. We have a quick guide to ISO27001 and NIS Directive, however two worth noting particularly in the manufacturing sector are the DCPP and Cyber Essentials.
DCPP
The Defence Cyber Protection Partnership (DCPP) is a joint UK Ministry of Defence (MOD) and industry initiative put in place to improve the protection of the defence supply chain. Developed by using key controls from ISO27001 and Cyber Essentials, its aim is to mitigate against the risk cyber threats present to the MOD.
Cyber Essentials
Since 2014, certification to Cyber Essentials has often been a mandatory requirement for businesses to work with the UK Government.
You have options
Certification to such frameworks may not be a mandatory requirement for companies which aren’t providing critical services to the UK government or Defence, however these frameworks do provide an excellent starting point for any organisation that wants to improve cyber security, as most of these can be achieved in just a few weeks.
These frameworks no longer come with a hefty price tag or the rigidity and inflexibility that can negatively impact businesses, but can instead be used to provide a competitive edge, offering lower insurance premiums and enabling businesses to embrace new and exciting technologies.
Finally, we have 3 top tips to get you started
Do the Basics
It’s important to get the basics done before looking too far afield. The Cyber Essentials or Cyber Essentials Plus framework can be a great way to reduce the risk to your business and to demonstrate to your customers or competitors that your organisation takes security seriously.
Start at the Top
It is important that the board are engaged and supportive of a security programme as this helps to ensure that security becomes a top down approach. The board will be able to provide guidance on what the business objectives are and what’s most important. Once you understand what the key objectives are, kick off with a gap analysis looking at business processes, common practice and/or a technical vulnerability scan which will enable you to identify any potential weaknesses or vulnerabilities that could manifest themselves as a risk. By using this method, any risks identified can be measured against one another to see which risk presents the greatest threat, allowing you to focus on the biggest risks first.
Equip your Staff
Never forget the importance of ensuring that your staff are able and willing to embark on this journey. Often overlooked, employees can be an organisation's biggest asset or weakest link. It is vital that they are made aware of their collective and individual responsibilities. Staff training is critical to ensuring the success of a security programme. Workshops, training, guest speakers, scenarios and videos are all great ways to get them engaged. Helping them understand the risks and how to avoid them can serve them well both at work or even when at home with their families.