Executives at Canadian manufacturing companies are not taking cybersecurity seriously enough, says the head of an agency trying to encourage advanced manufacturing in that country.
“There is a high degree of complacency,” Jayson Myers, CEO of Next Generation Manufacturing Canada (NGen), a nonprofit leading an advanced manufacturing supercluster, said in an interview.
The C-suite has what he called “a global cybersecurity concern.” But, he added, “I don’t think most companies have the full picture of the risks they might face. And I don’t think most of them have a risk mitigation system – not just a plan, but the procedures, training, and all the rest – that can effectively assure senior management that their potential [cyber] the risk will be taken care of in an adequate and appropriate manner.
The interview began with Myers’ observations at the annual October Cyber Security Awareness Month activities on why it’s important to educate manufacturers about the threat of a breach of security controls.
But it then became a calm but scathing critique of the industry’s lack of preparedness for cyberattacks.
NGen is an industry-led not-for-profit organization focused on building advanced manufacturing capacity in Canada. Funded largely by a $ 250 million grant from the Ottawa Supercluster, around $ 200 million has already been committed to 131 projects ranging from sanitizing robots for the healthcare sector to new techniques for making protein.
Its goals include helping build better links between manufacturers, technology companies, academics in industry networks, and government funding agencies. Additionally, it encourages students of all skill levels to consider careers in advanced manufacturing.
Myers’ knowledge of the state of cybersecurity in the industry comes in part from discussions with NGen’s 4,200 members, the regular cybersecurity awareness workshops it runs for businesses, and a recent survey of NGen. industry with 500 owners, CEOs and senior executives from mostly small manufacturers.
Among the discoveries
• 68% said their organization had experienced a cybersecurity attack in the past 12 months (by comparison, in the 2020 survey, 45% said they had been affected);
• 93% believe they have done enough to protect themselves against cybersecurity threats;
• 20 percent said they were not concerned about cybersecurity;
• and only 35 percent had an incident response plan.
It was the results of this investigation that led Myers to conclude that manufacturers are complacent when it comes to cybersecurity.
Speaking with members, Myers said most manufacturers are aware of the vulnerabilities in what he calls “online communications,” – by which he means email and text – and e-commerce, but not cyber threats to materials, products and industrial control systems. .
However, he said, as manufacturing processes become more digital, “the risks will increase exponentially.”
“Businesses need to become more aware of how they use it (cybersecurity) in the future and be more prepared for it,” he said.
A gap to be filled
“I think the top executives – the CEOs we deal with, the board members – are very concerned” about cybersecurity, he added. “I think even small businesses know they need to do something. I think there is, however, a gap that needs to be bridged between the expectations and concerns of senior management on the one hand, and the actual engineering / tech / compliance departments on the other.
“Cyber security is too hot an IT problem to be left in the hands of IT people. Even with CEO concerns, I don’t think cybersecurity issues are taken as seriously as they should be at the senior management and board level. And part of that is the expectation of most executives is that IT / Engineering / Tech departments will take care of the problem. But I think it’s an issue that boards and CEOs need to take seriously because it can seriously compromise the organization. “Unfortunately, what I see happening is that sometimes it takes a problem” – like a cyberattack on the company or its supply chain – to raise it to a level where top management realizes how point it is important. “
When asked if he believed that if Canadian companies did not see cybersecurity as a priority, it would hamper their ability to be leaders in advanced manufacturing, Myers replied, “Absolutely.
“I think this is a strategic issue that every company must take seriously and develop the right processes, operating procedures and training to protect against cybersecurity risks. I see this as a critical enabling capability for companies looking to develop more advanced manufacturing capabilities in the future. “
NGen’s tactics for raising awareness include workshops on cybersecurity and attempting to create a network of cybersecurity vendors who can liaise with manufacturers and sell them solutions.
But that doesn’t do something that would really increase the importance of cybersecurity to funding applicants: making a successful cybersecurity assessment a condition for funding.
“We’re not at that point yet,” he said when asked why a cybersecurity assessment was not required. “It’s not a funding requirement. I think it’s a great idea, but it’s something we need to work on. We evaluate [applicants’] financial capacity, but the ability to protect their data and complete the types of projects we fund really depends on the project partners.