The leaders of Canadian manufacturing companies don’t take cybersecurity seriously enough, says the head of an agency trying to encourage advanced manufacturing in this country.
The C-suite has what he called “an overall concern about cybersecurity.” But, he added, “I don’t think most companies have an overall view of the risks they could potentially face. And I don’t think most have a risk mitigation system in place – not just a plan, but the procedures, training and everything else – that can effectively assure senior management that their potential [cyber] risk is going to be adequately and appropriately taken care of.”
The interview started with Myers’ observations during the annual October Cybersecurity Awareness Month activities on why it’s important to raise awareness among manufacturers about the threat of a breach of security controls.
But it then became a calm but stinging criticism of the industry’s lack of preparation for cyber attacks.
NGen is an industry-led not-for-profit that focuses on building advanced manufacturing capabilities in Canada. It is funded largely by a $250 million supercluster grant from Ottawa; about $200 million has already been committed to 131 projects ranging from disinfecting robots for the healthcare sector to new protein manufacturing techniques.
Its goals include helping to build better links between manufacturers, technology firms, industry networks, academics, and government funding agencies. In addition, it encourages students at all levels to think of careers in advanced manufacturing.
Myers’ knowledge of the state of cybersecurity in the industry comes in part from talking to NGen’s 4,200 members, the regular cybersecurity awareness workshops it holds for firms, and a recent industry survey of 500 owners, CEOs and senior management of mainly small manufacturers.
Among the findings:
• 68 per cent said their organization had suffered a cybersecurity attack in the previous 12 months (by comparison, in the 2020 survey 45 per cent said they were hit);
• 93 per cent believed they have done enough to protect themselves against cybersecurity threats;
• 20 per cent said they were not concerned about cybersecurity;
• and only 35 per cent had an incident response plan.
It’s the results of this survey that made Myers conclude that manufacturers are complacent about cybersecurity.
In talking to members, Myers said most manufacturers are aware of vulnerabilities in what he calls “online communications” – by which he means email and text messaging – and e-commerce, but not the cyber threats to materials, products and industrial control systems.
However, he said, as manufacturing processes become more digital, “the risks will increase exponentially.”
“Companies have to become more aware of how they are using it (cybersecurity) in the future and to get more prepared around this,” he said.
A gap to be filled
“I think senior executives – CEOs we deal with, board members – are very concerned” about cybersecurity, he added. “I think even smaller companies know they have to do something about it. I think there is, though, a gap that needs to be filled between the expectations and concerns of senior leadership, on the one hand, and the actual engineering/tech/compliance departments on the other.
“Cybersecurity is an IT issue too hot to be left in the hands of the IT specialists. Even with CEO concern, I don’t think the issues around cybersecurity are taken as seriously as they should be at the senior management and board levels. And part of that is the expectation by many of the leadership is that the IT/engineering/tech departments will handle the issue. But I think this is an issue the boards and CEOs have to take seriously, because it can seriously compromise the organization.
“Unfortunately what I see happening is sometimes it takes a problem” – such as a cyberattack on the firm or its supply chain – “to raise it to a level where the senior leadership realizes how important this is.”
Asked if he believes that if Canadian companies don’t see cybersecurity as a priority it will impede their ability to be leaders in advanced manufacturing, Myers replied, “Absolutely.
“I think this is a strategic issue that every company needs to take seriously and develop the right processes, operating procedures and training to protect themselves against cybersecurity risks. I see this as a critical enabling capability for companies that are looking to develop more advanced manufacturing capacity in the future.”
NGen’s tactics to raise awareness include cybersecurity workshops and trying to create a network of cybersecurity providers who can liaise with and sell solutions to manufacturers.
But it doesn’t do something that would really raise the importance of cybersecurity to funding applicants: Make passing a cybersecurity assessment a condition of funding.
“We’re not up to that stage right now,” he said when asked why a cybersecurity assessment isn’t demanded. “That is not a requirement for funding. I think it’s a really good idea, but it’s something we need to work up to. We assess [applicants’] financial ability, but the capability to protect their data and to carry out the types of projects we’re funding is really up to the project partners.”