How cybersecurity helps you become a trusted supplier
Michael Barker, principal project manager - cybersecurity, GaMEP | February 22, 2025
As the widely accepted proverb goes, trust is hard to earn, easy to lose, and even harder to earn back. A cybersecurity breach for a manufacturer can be a devastating event that can severely erode customer trust. It can compromise sensitive information, damage the company's reputation, and lead to significant financial losses.
Cybersecurity risks are almost unavoidable in today’s manufacturing environment, where data is frequently shared. You may not realize how much potentially sensitive data you include every day in invoices, emails, websites, and in the cloud. Data sharing is becoming increasingly common as large companies want more visibility into their supply chains and may even ask suppliers to use specific enterprise resource planning (ERP) software to track key metrics to minimize risks. The trends in data sharing underscore the growing importance of building trust with your customers and suppliers.
In today's digital age, cybersecurity offers benefits beyond compliance and risk mitigation; it's a strategic opportunity. By investing in appropriate security measures, small and medium-sized manufacturers (SMMs) can gain a competitive edge and attract more discerning customers.
SMMs can build on the processes and protocols already in place for existing strategic, operational foundations to build up their cyber hygiene. These foundations may include:
- NIST Cybersecurity Framework: The framework provides guidance to industry, government agencies, and other organizations in managing cybersecurity risks. It is built on five primary functions: Identify, Protect, Detect, Respond, and Recover.
- ISO 9001: While ISO 9001 primarily focuses on quality management, it indirectly contributes to cybersecurity compliance by establishing a framework for consistent processes and risk management that can be applied to information security practices. For comprehensive cybersecurity compliance, organizations typically implement a dedicated standard like ISO 27001 alongside ISO 9001.
- ISO 27001/27002/27701: These international standards provide a framework for implementing and managing access control, encryption policies, and privacy management systems. As a result, organizations following them may place a higher level of focus on applicable laws and regulations.
In this article, we’ll look at cyber risks, how you benefit from good cyber hygiene, and the impacts of the Department of Defense’s (DOD’s) latest Cybersecurity Maturity Model Certification (CMMC) framework.
Current state of cyberattacks in manufacturing and the supply chain
In 2023, manufacturing saw the highest share of cyberattacks among the leading industries worldwide at 25.7 percent (followed by finance and insurance at 18.2 percent; and professional, business, and consumer services at 15.4 percent). Attacks against the manufacturing sector increased by 53 percent from the second half of 2022 to the first half of 2023, primarily due to increased ransomware activity. (More than 3 billion phishing emails are sent every day.)
The short-term impacts of a breach are significant — $105,000 is the average cost of a data breach for a small business, and 277 days is the average time to identify and contain a breach.
One of the biggest reasons customers and suppliers are concerned about your cyber hygiene is that about one out of five breaches resulted from supply chain compromises. These breaches took an average of 26 days longer to identify and contain and were 2.5 percent more expensive.
Why were these cyberattacks so devastating? A single cyber breach can cause you to lose access to your business information for an extended period of time, such as customer payment data or supplier records.
How cybersecurity positions you as a ‘trusted supplier’
Being proactive about cybersecurity can significantly reduce your risk of a data breach and the probability of potentially devastating consequences. It can also position you as a leader in cybersecurity, which is a great message to your current customers, suppliers, prospects, and stakeholders.
Good cyber hygiene can unlock a range of strategic advantages, such as:
- Strengthened reputation and trust: Positioning your business as a cybersecurity leader inspires trust in your customers and partners. It helps drive customer loyalty by demonstrating your commitment to protecting their data. It can also help you attract new clients, secure government contracts, and strengthen supply chain partnerships.
- Operational efficiency and resilience: Implementing robust cybersecurity protocols can streamline operations and reduce risk. Cyber hygiene can enhance your business's overall value by safeguarding its assets and helping to foster a culture of accountability.
- Legal and financial benefits: Adhering to stringent state and federal regulations avoids costly penalties and reduces the risk of potential financial burdens from data breaches and incident response.
Direct impacts of CMMC on the supply chain
The Department of Defense’s Dec. 15, 2024, enactment of the CMMC framework illustrates how proper cybersecurity hygiene can impact SMMs. While CMMC is designed for the defense industrial base (DIB), its principles and practices provide a framework for protecting the confidentiality of sensitive information that can be adapted to any organization, regardless of industry.
CMMC has three levels:
- Level 1: Basic safeguarding of Federal Contract Information (FCI)
- Level 2: Protection of Controlled Unclassified Information (CUI)
- Level 3: Higher-level protection of CUI against advanced persistent threats
CMMC Level 2 includes a flow-down clause, so even small manufacturers who supply parts and components to DOD contractors may be required to meet CMMC Level 2 requirements. The DOD has estimated as many as 73,000 DOD contractors and suppliers and an additional 230,000 subcontractors may be required to comply with CMMC Level 2 requirements, which can be expensive and can take many months to complete.
Indirect impacts of CMMC on manufacturing
While CMMC may not apply to all small manufacturers, its influence on the broader cybersecurity landscape can have a positive impact on them. Demonstrating CMMC Level 1 or 2 compliance can differentiate small manufacturers and increase their attractiveness to larger prime contractors. By understanding the core principles and adopting best practices, small manufacturers can strengthen their security posture and protect their business. CMMC’s impact on improving cybersecurity standards includes:
- Benchmarking: This encourages all manufacturers to adopt higher standards.
- Third-party validation: Although not mandatory for non-defense industries, third-party certifications based on CMMC principles can enhance credibility and customer trust.
- Supply chain requirements: If your suppliers or customers are in the defense industry, they may require CMMC compliance for non-defense work.
- Insurance premiums: Cybersecurity insurance providers may consider CMMC compliance when determining premiums, potentially leading to lower costs for compliant businesses.
Your local MEP center can help you build a cybersecurity plan
Your local MEP Center can help you with a cybersecurity assessment to identify security gaps and levels of risk. They can also help you find the right partner to guide you through a process that might include:
- Establishing policies, procedures, and practices
- Documenting key information
- Providing cybersecurity staff training
- Evaluating each site’s physical security needs
- Creating a cyber emergency plan
Contact your local MEP Center to get started.
About the author
Dr. Michael Barker, CISSP, CISA, RP, RPA, Principal Project Manager - Cybersecurity, GaMEP
Michael leads the cybersecurity team for the Georgia Manufacturing Extension Partnership (GaMEP) at Georgia Tech, part of the MEP National Network. Michael works with manufacturers on their overall cyber hygiene and resiliency and assists manufacturers who need to certify to meet DoD CMMC requirements.