Mobile apps and devices have become prominent ways to access information across many industries. Manufacturing is no exception. Ashish Thapar explains that while digital transformation has helped manufacturers streamline production, monitor equipment and improve safety, it has also left their information assets more vulnerable to cyber threats.

Despite widespread awareness, the manufacturing industry is failing to fully address and manage mobile security risks, leading to a spike in reported breaches. In fact, according to Verizon’s data-driven Mobile Security Index 2020, 41% of manufacturers admitted to mobile-device-related breaches in the past year, almost double the 21% reporting these breaches in 2019. A large majority of these breaches are serious, with more than two-thirds (67%) reporting a major mobile security compromise.

The IP paradox

One of the biggest concerns raised in the report is competitors stealing intellectual property (IP), cited by 87% of manufacturers. Yet half of all manufacturers admit to sacrificing mobile security to get the job done.

This creates a paradox for IP: manufacturers hold very real fears around IP theft while simultaneously disregarding those threats. Clearly, manufacturers are displaying a disconnect between challenges and solutions.

Mobile isn’t going anywhere. It has rapidly become an intrinsic part of manufacturing operations, so much greater emphasis needs to be placed on tightening mobile security, because a breach can have serious long-term consequences.

Know your IT infrastructure to control it

One of the key issues highlighted in the report is the chronic lack of awareness among most manufacturers of how many mobile apps are being used within their organisation. Most organisations are seriously underestimating the number being used, with 38% of those estimating that under 100 are in use, when the true average is around the 1,300 mark. This speaks to the wider problem of a lack of control over what is flowing through their IT infrastructure.

Well-known problems like malware and ransomware remain major threats, but emerging ones like cryptojacking can also put your organisation at risk. Even apps downloaded from official stores can be compromised. One of the most effective ways to trick users into installing malware is to disguise it as a useful or entertaining app. In our report, of the organisations that were compromised, 21% said that a rogue or unapproved application had contributed to the incident. Of course, sideloading apps from non-official stores or third-party websites increases the risk. This is a distinct security blind spot for any organisation, but it can be fixed by implementing a few sensible controls over mobile device app usage.

Firstly, establish a formal Acceptable Use Policy. This should clearly set out what apps are permissible for Bring Your Own Device users to use on the company network. Using a Mobile Device Management solution also helps to simplify security patch updates to devices accessing the network.

Furthermore, manufacturers should ensure employees are educated in the basics of information security, such as the risks of accessing public Wi-Fi, and should have a policy in place to lock down and isolate lost, stolen, or infected devices in order to contain the damage.

Password policies are also needed to stipulate regular password changes, outlaw the reuse of passwords, mandate the use of sufficiently strong options so that they won’t be guessed, and require IT administrators to change default and vendor-supplied passwords. Use two-factor authentication, with special emphasis on any external-facing interfaces and high-risk environments, for example remote access, privileged access, and access to sensitive data.

Cyber resiliency demands that organisations have a proven response plan for a wide array of incidents that can disrupt operations and imperil sensitive data. And the best response plans are powered by threat intelligence tailored to an organisation’s specific risk profile. Verizon’s Advanced Security Operations Centre in Canberra was established to help its customers stay one step ahead of their adversaries by providing real-time threat reporting and analysis, but enterprises also need to reduce their vulnerability to attack and, critically, put an end to the practice of sacrificing security for convenience. The statistics don’t lie: manufacturers that admitted to sacrificing mobile security were almost twice (1.9 times) as likely to have suffered a breach.

A new perspective

Security has been viewed in the past as a barrier to change, but it should now be the primary focus for any organisation, as without it, manufacturers are exposing their entire operations and IP to theft or destruction.

Industries such as manufacturing and construction also carry the additional risk of a mobile security breach potentially putting the safety of workers in jeopardy. Consequently, those organisations need to take mobile security even more seriously.

Mobile applications are enabling manufacturers to innovate in ways that previously would’ve seemed unimaginable, so we absolutely must encourage the use of those applications that bring great benefit to workflows and processes and deliver better client outcomes, whilst preventing network access to those apps that offer none of those things.

Lack of user awareness is one thing, but manufacturers can and should impose rules around the use of apps, devices, networks and cloud services that give employees much less leeway to cause a problem for the business through their actions, whether intended or otherwise.

It may seem rather punitive, but if restricting the use of a few apps on the corporate network saves the business from potential multi-million-dollar losses from a breach, surely it’s a small price to pay.

Ashish Thapar is the Managing Principal for Asia Pacific at Verizon’s Threat Research Advisory Centre (VTRAC).