The state of data security and compliance in the manufacturing industry
Find out the current challenges and nuances of ensuring drastically better data governance for manufacturing businesses.
The manufacturing industry has long assumed that it is not a primary target for cyberattacks, unlike the financial and healthcare sectors. The 2023 IBM Security X-Force Threat Intelligence Index shows otherwise. In 2022, manufacturing was once again the most heavily targeted industry, accounting for 24.8% of the incident response cases X-Force handled. Within the sector, backdoor deployment was the most common attack type at 28% of incidents, ahead of ransomware at 23%. A backdoor is malware that bypasses normal authentication to give an attacker remote access to a system; once deployed, it lets the operator reach internal resources such as databases and file servers, issue system commands, and update the malware from a remote location. X-Force attributes much of the increase in backdoor deployments to the Emotet malware outbreak. In North America, manufacturing was the second most attacked industry, with 14% of cases.
The rising statistics reveal that the manufacturing industry is facing a severe threat from cybercriminals, and it is more important than ever for organizations to implement robust data protection strategies to better secure their data. Companies must ensure that they have strong cybersecurity measures in place, such as multi-factor authentication, zero trust security, encryption, and regular backups. Additionally, they should conduct regular security assessments to identify vulnerabilities and mitigate risks.
As data privacy laws emerge, regulating how organizations collect, store, and share personal data with third parties, manufacturing businesses must prioritize their handling of personally identifiable information (PII).
An overview of common federal and state data privacy and protection laws
Regulatory compliance is essential for manufacturing businesses: failure to adhere to the relevant laws and security standards exposes an organization to significant administrative penalties. One illustration is the 2023 settlement in which 3D Systems Corporation agreed to pay the US Department of State $20,000,000 for violations of ITAR. The violations, which occurred between 2012 and 2018, involved unauthorized transfers of ITAR-controlled technical data to foreign-person employees in Germany, the People's Republic of China, and Taiwan, as well as failure to comply with ITAR record-keeping requirements.
Data privacy and protection requirements vary by region, but some of the most common laws and standards that US manufacturers must comply with include:
- International Traffic in Arms Regulations (ITAR): US export control rules governing defense articles, defense services, and the related technical data listed on the US Munitions List. Companies handling such data must register with the State Department's Directorate of Defense Trade Controls and obtain a license or other authorization before exporting it. Under ITAR, releasing technical data to a foreign person counts as an export, even when that person is an employee working inside the US.
- Defense Federal Acquisition Regulation Supplement (DFARS): The DoD's supplement to the Federal Acquisition Regulation, governing how the DoD and related agencies procure goods and services, including technology. Its clause 252.204-7012 requires contractors that handle controlled unclassified information to implement the NIST SP 800-171 security controls and to report cyber incidents to the DoD.
- Payment Card Industry Data Security Standard (PCI DSS): An industry security standard, not a law, that applies to any organization that stores, processes, or transmits payment card data and sets requirements for protecting cardholder data throughout its lifecycle.
- Sarbanes-Oxley Act (Pub. L. 107-204): A law requiring publicly traded companies to establish, document, and attest to internal controls over financial reporting. In practice this extends to access control, change management, and data integrity in the IT systems that produce financial data.
- Federal Trade Commission Act (15 USC § 41 et seq.): Section 5 of the Act prohibits unfair or deceptive practices, and the FTC uses it to take action against organizations whose security and privacy practices fall short of their stated commitments or of reasonable baseline safeguards.
- General Data Protection Regulation (GDPR): EU law governing the collection, use, transfer, and security of the personal data of individuals in the European Union. It also applies to companies outside the EU, including US manufacturers, when they offer goods or services to, or monitor the behavior of, people in the EU.
Compliance in business communications
The COVID-19 pandemic disrupted manufacturing organizations worldwide, just as it disrupted daily life. By April 7, 2020, almost all Americans were required to stay at home, and similar measures were taken in other countries. The sudden shift to remote work happened during a period of great economic and social upheaval, at a time when organizational coordination, decision-making, and productivity mattered more than ever. The manufacturing industry responded by adjusting its work arrangements, including an increased reliance on digital communication platforms such as Microsoft Teams and WhatsApp. However, these tools are often overlooked as a weak point that attackers can exploit to reach critical data, causing reputational and financial damage to the victim organization.
Businesses should not rely solely on third-party providers to protect them against evolving threats and compliance obligations; they need to take a proactive approach that reduces the risk of data loss and fines. Third-party providers offer valuable expertise and tools, but under the shared-responsibility model the provider secures its platform while the customer remains responsible for how its data is classified, who can access it, and how the service is configured and monitored. The company bears full responsibility for having a comprehensive security strategy in place, with proactive measures across three key domains: people, technology, and policy.
To keep up with the evolving threat landscape and data protection regulations, manufacturing organizations must maintain control over their digital assets: owning their encryption keys rather than leaving them with the platform vendor, enforcing data localization where regulation requires it, and applying zero trust access management. With threats to information security and privacy increasing and large platform vendors holding much of the leverage, businesses need to regain control of and visibility into their data.
To learn more about boosting data security and compliance in the manufacturing sector, read our new eBook.