Companies that fall victim to cyberattacks must stop operations, lock down their systems, and often pay ransoms. And this is the best-case scenario. At worst, cybercriminals can steal intellectual property (IP), pilfer patents, and swipe sensitive financial information.
Not taking this seriously is akin to leaving your house open while you go away on holiday. Savvy OEMs (original equipment manufacturers) know this already and take security measures with their own systems. But what about when you outsource part of your operation? You want to ensure that your EMS (electronics manufacturing services) partner is as careful with your information as you are. You need to know they have the most robust information security management system (ISMS) possible.
It could be a Distributed Denial of Service attack, phishing attack, social engineering attack, BEC attack, ransomware attack, or remote access trojan attack. Whatever the attack, it will cost a business more than just money—lost IP and a damaged reputation are much worse.
Both OEMs and their EMS partners are prime targets as they store valuable information on their IT systems. Unfortunately, many companies have insufficient security in place to combat attacks.
EMS providers store sensitive client information, client lists, employee information, supplier information, and financial data—and criminals know this. By attacking EMS companies, cybercriminals can target secondary and even tertiary victims as part of the same network. One attack can lead to other attacks up and down the supply chain.
For example, in early March, Nvidia, a producer of chips and graphics cards, was attacked by the Lapsus$ group. One TB of data was captured, and the criminal organisation published the user credentials of Nvidia employees online, leading to a secondary wave of phishing, spear phishing, and brute-force attacks.
We can all adhere to several best practices in the manufacturing industry to reduce the risk of cyberattacks and protect systems and data.
There are also several additional measures EMS providers should be taking to ensure their—and their customer's—data are protected.
Understanding how criminals attack cyber systems is the first step to preventing attacks by implementing counteractive measures. There are four critical areas where EMS providers are vulnerable.
Proactively preparing for an event rather than sitting back and hoping it won't happen is a sound approach. A dedicated cybersecurity team should audit what parts of the system can and should be strengthened.
EMS providers with cybersecurity insurance can also benefit from the insurer's expertise, which will help improve cybersecurity risk management tools and procedures.
Establishing a process plan to deal with a breach in the event of an attack is also a good idea, as robust procedures will ensure damage limitation.
ISO 27001 is an international standard that outlines best practices and requirements for establishing, maintaining, and continually improving an organisation's information security management system (ISMS). It provides a framework for EMS providers to follow to effectively manage and protect sensitive information, including their customer’s personal data, intellectual property, and other types of confidential information.
One of the fundamental principles of ISO 27001 is protecting sensitive data and information by using appropriate controls. These controls can include technical measures such as encryption, access controls, firewalls, and organisational measures such as policies, procedures, and training.
By implementing the guidelines and requirements in ISO 27001, organisations can ensure that they have a robust and effective ISMS to protect sensitive data and information from unauthorised access, use, disclosure, disruption, modification, or destruction. This can help reduce the risk of data breaches, cyberattacks, and other types of information security incidents and help companies maintain the trust and confidence of their customers, employees, and other stakeholders.
As OEMs entrust their EMS partner with important data, it is understandable that they may require ISO 27001 certification for several reasons:
Compliance: Many OEMs must ensure that their suppliers and partners comply with relevant standards and regulations. As ISO 27001 is a widely recognised information security management standard, having an EMS provider certified to this standard can help OEMs meet their own compliance requirements.
Data protection: OEMs entrust their partner with sensitive and confidential information, such as IP and customer data, that needs to be protected. An EMS provider that has implemented the controls and processes outlined in ISO 27001 can help to ensure that this information is handled securely and confidentially.
Risk management: OEMs are understandably concerned about the risk of data breaches, cyberattacks, and other information security incidents that could negatively impact their business. By working with an EMS provider with ISO 27001 certification, OEMs can have confidence that their information is being managed and protected to minimise these risks.
Reputation: OEMs may also be concerned about their company's reputation and want to ensure that their EMS provider is seen as a trustworthy and reliable partner. An EMS provider certified to ISO 27001 can help demonstrate to customers, regulators, and other stakeholders that the OEM takes information security seriously.
Unlike security on the factory floor, ensuring robust cybersecurity is challenging as it requires addressing invisible risks. However, not being able to see these risks is no excuse for inaction. EMS providers have a duty to their customers to ensure they carry out basic and advanced cybersecurity measures and are ISO 27001 certified. After all, their customer's IP and data are at stake.