As manufacturers strive to evolve their toolsets to move data between companies and across borders more securely there are guiding principles of traceability and consistency to follow – but these can be boiled down to something simpler: share sensitive data as carefully as you would ship your top-secret prototype model.
In 2016, a watershed moment passed when the value of ‘digital flows’ over borders exceeded the value of the traditional cross-border goods shipments. Contrary to previous beliefs – that Globalisation had stalled – research by the McKinsey Global Institute suggested that it had in fact entered a new digital phase.
This was, it seemed, an opportunity for supply-chain-dependent manufacturing to redraw the networks on which its productivity depended – and to an extent, it was. Over 50% of a vehicle’s design engineering efforts are today carried out by a globally distributed supply chain, with the final design assembled in the manufacturer’s design environment with the collated components.
Opportunity it was, but it was also uncharted territory in many ways: a digital network incepted and grown in the space of 15 years to become the inseparable counterpart of much older processes and relationships. The new age of connected (globally collaborative) design engineering didn’t just connect supplier to OEM. It connected every key stakeholder within every organisation to a vast global information sharing network.
Supply chains were indeed redrawn by digital Globalisation, but as research suggests, imprecisely. 1 in 3 data breaches involve insiders, and 80% of those are unintentional as hyper-connected employees inadvertently move data via unsecured areas. With the supply chain quickly becoming the primary attack surface for hackers, manufacturing stands to recoup a lot from thwarted breaches by removing the ambiguities that give accident or ill-intent the chance to deal a financial blow.
This is where a new mindset – that data should be handled like a top-secret physical prototype – comes in.
Step 1 – Know where your data is at all times
Contractual obligation to take all due security precautions when handling a customer organisation’s data is much easier to meet when you can see in detail who is accessing the data and when. According to Martin Tyley, Head of UK Cyber at KPMG, supply chain CISOs should focus on “taking an internal and external view of risk” and “embracing technology tools”.
With manufacturing underpinned by the digital world more than ever before, allowing your digital intellectual property out of your sight (and for sight read ‘network’) brings unknown and potentially self-multiplying risks because of a simple fact of technology. That the cloud is really someone else’s computer, someone else’s network, and someone else’s opportunity to access or distribute your data.
The risks can be mitigated to an extent by limiting the number of stakeholders who receive the design data in the first place, but the sheer complexity of the automotive industry can still render that ‘need-to-know’ group unmanageably large. More so when you consider that the data may change hands again once it leaves the last endpoint within your own line of sight.
As well as reassuring customer stakeholders of due diligence, taking steps to track and audit all intellectual property distribution in the supply chain allows proactive monitoring of sensitive design recipients – given this level of supply chain visibility, an organisation’s data gatekeeper can ensure that new names on the access records have only been included in the supply chain following proper security vetting.
With many manufacturing programmes planned years in advance, tracing which parts have been released to which users can provide vital intelligence for breach response and recovery.
Step 2 – Create a laser-focussed data sharing policy
A large supplier network – with hundreds of organisations handling the same OEM’s proprietary information – increases the risk of an unapproved data sharing method cropping up in an unobserved area of the supply chain.
On the scale of a supply chain, this phenomenon’s end result in an impossible to regulate mixture of unvetted methods of data transfer ranging from non-pen-tested online tools to easily intercepted emails. As soon as this happens, you lose easy visibility across the digital side of the supply chain which should by its very nature lend itself to transparent reporting.
A good rule of thumb for sharing sensitive data across the supplier network is that the fewer available sharing methods the better. It will be much easier to make sense of the journey taken by sensitive IP if that journey is described by data from a smaller number of sources.
Mandating a smaller number of approved data sharing methods has the added benefit of saving precious IT resource where organisations working on the same projects are maintaining parallel FTP or similar solutions. Even so, too large a number of approved data sharing methods within your policy increases the chances of non-compliant ‘hidden factory’ work arounds – a security risk.
In an ideal world, b2b data sharing would be consolidated onto a single platform, which though difficult to mandate does go a long way towards mitigating a significant cyber security risk: the userbase.
Step 3 – Eliminate risk on your users’ behalf
Analysis by Aberdeen Group of 3,255 confirmed data breaches over a 2-year period “found that about 1 in 3 data breaches involve insiders, and about 80% of those are unintentional”.
In other words, an insider breach is less likely to come from an ‘insider threat’ (malicious activity) than ‘insider risk’. This broader category covers the likelihood and business impact of data loss – most likely the result of unintentional data exposure by well-intentioned and legitimate employees.
With business data constantly moving between companies in global collaboration networks, every user represents some level of insider risk. For example, in a five-quarter period Aberdeen Group observed a median average of 13 exposure events per day where users moved files to untrusted locations “via email, messaging, cloud, or removable media”.
The kind of global collaboration network that powers modern manufacturing will companies with varying levels of cyber security education and varying attitudes towards insider risk – on a global scale, the likelihood of a company-company or company-state exposure event increases with the complexity of the network. Programmes which frequently induct new suppliers increase the likelihood of unfamiliarity with tools and processes causing inadvertent data exposure.
A proactive approach to insider risk will therefore combine workforce education with (just as important) measures to improve digital workflows for well-intentioned employees so that they do not have the opportunity to trigger an exposure event in the first place.
This means taking a ‘secure-by-design’ approach to data sharing workflows, and deploying tools with better usability so that unfamiliarity, lack of digital skills or badly designed interfaces don’t rig the game against staff who would otherwise never dream of risking sensitive information.
Treat your data like a prototype model shipment
Corporate espionage is – as we can see from the LandWind X7’s striking similarity to the Land Rover Evoque – a growing risk for manufacturers. Threat actors stand to profit considerably by intercepting valuable intellectual property, with unsecured points on the data’s supply chain journey as their most obvious attack vector.
When carmakers ship physical components of – for example – a new powertrain, allowing those parts to pass undocumented through an unsecured area would be unthinkable. The physical end-product of a costly design cycle (moving from supply chain node to node) would never be left unattended outside the depot between drop-off and pick-up days later.
The same should be true of data, and a number of automotive OEMs and their suppliers have been taking steps to route confidential data away from pockets of ‘shadow IT’ to mitigate insider risk and control intellectual property with consistently secure data transfer across supply chain tiers.
A fully auditable data transfer system, developed with manufacturers specifically for global design data exchange, is allowing OEMs and SMEs to consolidate file sharing activity into a single system which permanently logs all activity and minimises insider risk with a carefully designed interface.
Created by a UK technology firm – and recently upgraded with an anonymisation+sharding option to confer ‘perfect secrecy’ to data transfers – MX Data Exchange is used by manufacturers such as Jaguar Land Rover, Aston Martin, Lotus, and Varroc Lighting Systems who describe MX as their ‘standard process for exchanging data with external partners’.
Discover how manufacturers are using MX to share design data
We’ve worked hard to balance fulfilling user needs and business needs – which means removal of file size limits, patented security technology, and audit capability that tells you exactly who shares/accesses which data.
Read our use case pack today to understand why automotive manufacturers share data with MX.