As the pandemic transformed the world as we once knew it, some industries struggled to reinvent themselves. Perhaps topping the list of cybersecurity laggards, manufacturers were called upon to digitize more rapidly than we’ve ever witnessed before. However, where does the industry stand now, over one year since COVID-19 began?

Were the solutions implemented to overcome supply chain disruptions futureproof, or simply a bandaid placed to rip off and scramble to address again down the road? Determined to find out, the Black Kite research team analyzed the top 100 companies from one the most impacted industries: consumer packaged goods (CPGs).

Despite a “good” overall cyber rating, 79% of consumer goods companies have high and critical vulnerabilities due to out-of-date systems.

At first glance, the “B-” average cyber rating would indicate that consumer goods’ risk posture passes the test. However, 79 of the 100 companies analyzed had high and/or critical vulnerabilities caused by out-of-date systems, with a CVSS (Common Vulnerability Scoring System) score at or above 7.0. 

Legacy systems accessible by the internet may have vulnerabilities related to either the application servers or the application flaws. Whether it’s a design flaw or an implementation bug, attackers are capable of compromising both the system itself and its applications. With the massive surge in hacking activities, patch management has become more important than ever.

More GAteways for Ransomware Attacks puts an Even bigger target on consumer goods companies.

Alongside the world’s digital transformation, hackers have also shifted their playbook. As a result, ransomware has rapidly increased in popularity due to its low-stake, high-reward setup. What worked a decade, five years, or even pre-COVID may not work given the new, highly sophisticated exploitation methods hackers leverage today.

Hand-in-hand with phishing, poor credential management is a major flaw found throughout the industry. In fact, we found 66% of consumer goods companies had at least one credential leaked within the last 90 days. Often a result of staff using the network to sign into external platforms, those external platforms can create a ripple effect once compromised.

This poses a huge challenge when it comes to combating today’s increasingly sophisticated cyber attacks. Historically the No. 1 attack vector used in ransomware attacks, hackers infiltrate and leak credential lists on the dark web. This completely raises the stakes for its victims, as access through leaked credentials bypasses many cybersecurity countermeasures. 

Now the most common resource leveraged by ransomware groups, publicly visible critical ports are the easiest source of infiltration for ransomware groups. Given that scanning open ports with autonomous tools is an extremely viable option for today’s cybercriminals, it may be time that 74% of the CPGs surveyed revisit their cyber defense strategy.

Unfortunately for the 29 organizations that have already experienced a third-party data breach, one-and-done doesn’t necessarily apply here, especially if cybersecurity investment is inadequate. In fact, many companies are making it essential to report whether or not a prospective vendor has any data breach history during their due-diligence efforts.

Cybersecurity has taken the back seat to Physical security.

The primary focus for most manufacturers has always been on physical security, rather than protecting its digital assets. It’s time to shift the conversation, especially as more sensitive information is shared online. While SSL protocols ensure user information travels safely and securely through the internet, 87% of CPGs have at least one invalid, incorrect, expired or self-signed SSL certificate.

To make matters worse, 99% of the CPG websites analyzed leverage old cipher suites and/ or outdated algorithms. Given that most of these websites allow customer logins, lacking SSL controls leaves those credentials, financial information and other sensitive data at risk. Employees should be just as well-versed in protecting themselves online as they are in the field.

Supply chains have rapidly evolved throughout the past year, and there’s no doubt they will continue to change post-pandemic. At the heart of the ecosystem, manufacturers play an integral role in securing today’s cyber landscape. In order to shift the conversation, we must shift our mindset. 

It’s no longer just about securing our plants, nor is it just about protecting our own software, network and digital assets. Supply chain business continuity requires effectively assessing and managing our own cyber assets, as well as collaborating with vendors, suppliers and partners to do the same.

Interested in how Black Kite is identifying cyber risk for manufacturing supply chains?
See how we’re bringing cybersecurity to the forefront.