In the production environment, companies are increasingly using information technology (IT) as part of the digital transformation to enable data processing and analysis of productive processes in real time. Many production facilities are no longer isolated systems, but are connected to the company's ERP system, various networks or even the Industrial Internet of Things (IIoT). This increased networking of production systems and machines also provides cyber criminals with a larger attack surface and therefore increases the risk of manufacturing companies falling victim to a cyber attack. According to Sophos's latest research report The State of Ransomware in Manufacturing and Production 2021, 50% of manufacturing and production companies in the DACH region were affected by ransomware last year.

According to experts, the most important preventative measure that companies can take to recover their data after a ransomware attack is to create regular backups. These should be equipped with technology that cannot be encrypted by ransomware. Production and manufacturing companies seem to follow this recommendation: According to the Sophos survey, 68 percent of respondents were able to restore their data from backups and thus resist the attackers' demands in the event of classic ransomware encryption. However, despite backups, a ransomware attack can lead to high costs, even if the disruption to the production process can be quickly rectified with the help of recovery. In addition to the cost of production downtime, the main costs incurred are lost orders and operating costs. On average, this amount is around ten times higher than the ransom payment itself.

Anatomy of an active cyberattack

© Sophos

Cyber criminals are increasingly using blackmail methods in their attacks on manufacturing companies: They not only use data encryption as a means of pressure, as in a classic ransomware attack, but also threaten to publish stolen files on the internet if the victim does not comply with the ransom demand. Cyber criminals know that the publication of business-critical data such as product data or production plans can mean the end for companies, so this tactic improves their negotiating position for the subsequent ransom demand.

The supply chain is also a gateway for hackers in manufacturing companies. In the case of an attack via the supply chain, attackers de facto penetrate the company via a detour and go through third parties, such as suppliers, who already have access to the company systems. Through this backdoor, the attackers can gain a foothold in the company's environment and then carry out all kinds of malicious activities. If just one poorly secured or infected supplier is connected to the corporate network, there is a risk of an attack on the entire supply chain. As these attacks can originate from any part of the supply chain, they are particularly difficult to detect and defend against.

The increasing ransomware risks for manufacturing companies are also reflected in the results of the Sophos survey. Companies in this sector are far more concerned about a ransomware attack in the future than any other sector: 60 percent of respondents consider the attacks to be so sophisticated that it is becoming increasingly difficult to stop them. For 46 percent, ransomware is so widespread that they expect to be affected by it.

Backups are vital when it comes to the threat of ransomware, but many traditional backup concepts offer no protection against this risk. Therefore, manufacturing and production companies should not rely on having effective protection against extortion. Organizations need to expand their anti-ransomware defenses to include a combination of technology and human-driven threat hunting.

Multi-layered protection with human expertise

© Sophos

A good approach to arming yourself against ransomware attacks is a recovery plan. According to the Sophos study, 92% of manufacturing and production companies in the DACH region have one. However, this alone will not be enough. In addition to regular backups, which are still necessary, it is more important than ever to keep cyber criminals out in the first place or to detect them before they can cause any damage. Such sophisticated threats require intelligent security solutions that are proactive, multi-layered and interact across systems. With Sophos Intercept X in combination with XG Firewall, for example, companies have Next Generation Security technologies at their disposal and also benefit from the advantages of Synchronized Security. These security technologies are part of the Adaptive Cybersecurity Ecosystem, which also includes the components of human-led prevention and emergency response by experienced experts. It forms a security environment that continuously and automatically improves itself and is able to recognize treacherous tactics, techniques and procedures at an early stage and combat them immediately. In this way, today's advanced cyberattacks can also be detected and neutralized in the production sector in good time.