Dive Brief:
- Seventy-three percent of respondents expressed concern about third-party providers, yet only 44% said their organization imposes cybersecurity requirements on upstream providers, according to a new study by Synopsys and SAE International, which surveyed almost 600 professionals.
- The report, assessing security practices in the automotive industry, also found 30% of organizations don't have an established cybersecurity program or team, and 63% test less than half of the automotive technology they develop for security vulnerabilities.
- "This study underscores the need for a fundamental shift — one that addresses cybersecurity holistically across the systems development lifecycle and throughout the automotive supply chain," Andreas Kuehlmann, co-general manager of the Synopsys Software Integrity Group, said in the release.
Dive Insight:
The automotive supply chain is long and complex. A break in the chain at a small, tier 3, single-part producer can be disastrous.
There are plenty of portals and opportunities for "bad guys" to breach security. According to the EY Global Information Security Survey 2018-19, 1.95 billion records containing personal information and other sensitive data were compromised between January 2017 and March 2018.
The average cost of a data breach last year, EY reported, was $3.62 million.
Opportunities do exist for automotive supply chains to protect themselves. One organization, the 3,000-member Automotive Industry Action Group (AIAG), last year released the Cyber Security 3rd Party Information Security publication to support industry efforts to protect sensitive data by outlining a unified set of cybersecurity guidelines for automotive trading partners.
Its strategies are based on industry best practices and standards. The National Institute of Standards and Technology (NIST) helped create the document. Also participating were security leaders from General Motors, Ford, Honda and Fiat-Chrysler, with additional input from Toyota, Nissan, Caterpillar, Bosch, Continental and Magna International.
"Over the course of the past 25 years, we have seen a remarkable shift in enterprise value from tangible to intangible assets. Data is the new currency," J. Scot Sharland, executive director of AIAG, said when the publication was announced. "As such, more effective command and control of data has become an enterprise risk management priority."