Suppliers should take the threat seriously and instill a culture that promotes good practices in cybersecurity from the top down, Stone said.
"I can walk into a company and ask their CEO about cybersecurity policies, and if they say, 'I don't know' or 'You'll have to ask my CTO or IT director,' I know they're in trouble," he said.
It is important for companies to let workers know that hackers and other bad actors often prey on emotions and instincts such as curiosity, fatigue and frustration, said Claudia Rast, chair of the IP, cybersecurity and emerging technology group at Detroit law firm Butzel. Likewise, companies should strictly control who has access to critical information and implement multifactor authentication, she said.
Larger parts companies and automakers often send questionnaires to their suppliers asking about their cybersecurity practices and they are looking to do business only with companies they trust, she said.
"Often, the smaller companies will get flummoxed and say this doesn't apply to us or we can only do so much," Rast said.
Smaller companies should work with their customers to establish standards, she said. Rast said she advises suppliers to bring in a local forensic group to assess their vulnerabilities.
Likewise, smaller companies could benefit from an attorney with expertise in this area now to establish trust and attorney-client privilege. That will allow a quicker response to a cyberattack, Stone said.
"You need to assume you're going to get attacked and need to have a plan in place to know how to respond when you are attacked," Stone said.
Cybercriminals increasingly view manufacturers as lucrative targets
Hackers and other bad actors believe manufacturers as behind on security measures and more likely to pay a ransom.
Manufacturing, including in industries outside of automotive, accounted for 26 percent of cyberattacks in 2023, more than any other sector, according to an annual study by IBM.