Manufacturers rank cyber threats as high a concern as do companies in other industries, but their perceptions of supply chain risk and methods of measuring and managing cyber risk lag other sectors in notable ways.
The 2019 Marsh Microsoft Global Cyber Risk Perception Survey asked 1,500 managers at leading companies how they view and manage cyber risk in the context of a fast-evolving business landscape. A comparison of responses by manufacturers to those of other businesses reveals many similarities, but also several key differences:
Cyber Risk Concern Matches All Industries
- 76% of manufacturers rank cyber threats as a top five risk, up from 58% that did so in 2017.
- 79% of all companies rank cyber threats as a top five risk, up from 62% in 2017.
Cyber risk is a top-five concern for manufacturing organizations, with 22% ranking it #1.
Q: Of the following business threats, please rank the top 5 that are the biggest concerns to your organization (cyber-attacks/Cyber Threats shown)
Base: all answering; Manufacturing n= 209 (2017); n=241 (2019);
Other Industries n+1,185 (2017);n+1,271 (2019)
However, when asked to rank all other key business risks, manufacturers rank supply chain disruption much higher than other industries do:
- 61% of manufacturers rank supply chain disruption as their 3rd highest business risk.
- Across all industries, 36% of firms rank supply chain disruption as their 7th most critical risk.
- Economic uncertainty is the 2nd most critical risk for both manufacturers (61%) and across all industries (59%).
Cyber risks are the top concern for manufacturing organizations; supply chain disruptions also high on the list.
Q: Of the following business threats, please rank the top 5 that are the biggest concerns to your organization.
Base: All answering: Manufacturing n=241 (2019); Other industries= 1,271 (2019)
Manufacturers’ Cyber Confidence is Lower
Manufacturers are less confident in their ability to manage cyber risk today than companies in all industries. Looking at the three main areas of cyber risk confidence, manufacturers are both less “highly confident” and more “not at all confident” than other firms:
- Understanding/Assessing cyber threats: 20% of manufacturers are not confident, vs. 17% for other industries.
- Preventing cyber-attacks: 24% of manufacturers are not confident, vs. 18% for other industries.
- Responding to cyber-attacks: 26% of manufacturers are not confident, vs. 21% of other industries.
Confidence in cyber resilience measures slipped from 2017 to 2019.
Q: For each of the following, please indicate your level of confidence in your organization's ability to...
Base: All answering: excluding "don't know" responses; n=1,412 (2017); n=1,475 (2019)
Concern Over Supply Chain Risk, but Not Individual Partners
While manufacturers expressed much higher levels of concern about supply chain disruption than did companies in all industries, manufacturers were not as concerned about risk presented by supply chain partners – a finding that is true across all sizes of firms.
- 30% of all manufacturers perceive risk posed to them by their supply chain, compared to 40% of all industries.
- 17% of all manufacturers believe they may pose risks to their supply chain, compared to 16% of all industries.
- The disparity is even more striking when looking at concern levels by organization size:
Large manufacturing firms are more likely than smaller manufacturers to perceive a high level of cyber risks posed to their organizations by their supply chain partners.
Q: What level of cyber risk is posed to your organization BY its supply chain/3rd parties? And the reverse: what level of cyber risk does your organization pose TO its supply chain/3rd parties?
% regarding each risk as "somewhat high" or "very high" by org size (annual revenue) Base: All answering (2019): Base varies as indicated.
Approach to Cyber Risk Management Lags Other Industries
Across several key dimensions, manufacturers apply a less strategically rigorous approach to managing cyber risk than do other industries.
- 41% of management roles in manufacturers spend several hours or less on cyber risk per year, compared to 35% for all industries.
- 24% of manufacturing firms measure their cyber risk economically, compared to 31% in other industries.
- 20% of manufacturers have conducted management training in the past 2 years, compared to 30% of all other industries.
- 23% of manufacturers have modeled cyber loss scenarios in the past 2 years, compared to 29% of all other industries.
Fewer manufacturers have implemented key cyber risk resilience actions, focusing instead on technical actions.
Q: Please indicate whether your organization has taken the specific actions listed below within the past 12 to 24 months.
% organizations that have taken each action above
Base: All answering: Manufacturing. n=173 (2019); Other industries n=877 (2019)
Read the report to explore the perceptions and approaches of leading manufacturers to cyber risk, and how they compare to the other companies surveyed.