Advance Medical

Cyber Security Lessons for CL Manufacturers at EFCLIN 2025

April 2025

A few days ago, I had the privilege of speaking at the 51st EFCLIN Congress in Lillestrøm, Norway, where I tackled a topic that doesn’t always get the attention it deserves in our industry: cybersecurity. Now, I know what some people were thinking when they saw the session title: “Cybersecurity? Isn’t that just an IT issue?” That’s exactly the mindset I wanted to challenge.

Cyber Security Word Cloud

Cybersecurity Is Not Just an IT Problem

One of the first things I shared with the audience was a real-life story that, frankly, shocked a lot of people. Imagine a farmer in Switzerland relying on a robotic milking system to manage his herd. One day, hackers take control of that system, encrypt his data, and demand a ransom. He doesn’t pay, but as a result, he loses access to critical health data on his cows. Tragically, one of his pregnant cows has to be euthanized because he no longer has the information needed to intervene in time. This is where it matters: cyberattacks aren’t just about money or data loss. They can disrupt real-world operations with devastating consequences. And if this can happen on a tiny farm up in the Swiss Alps, imagine the potential impact in a highly regulated industry like contact lenses. Yet, many companies in our field still underestimate the risk.

Swiss Cow Dies as a Consequence of a Ransomware

Too Small to be Targeted?

Many labs and manufacturers in our industry still believe they’re not on a hacker’s radar. But the numbers tell a different story. According to Statista (2023), 68% of global companies faced bulk phishing attacks, and 34% experienced ransomware incidents. Even USB drop attacks, which involve leaving infected USB sticks in physical locations, were reported by over 10% of businesses surveyed. These aren’t just abstract risks; they’re everyday threats, often aimed at businesses with fewer protections in place.

Cyber Attacks Statistics

Who is Responsible for Cyber Security?

The answer should be “everyone,” but in reality, responsibility often gets passed around like a hot potato.

This lack of clear ownership leaves businesses vulnerable, and I made it clear during the talk that this needs to change. Cyber security needs to be a shared responsibility across the organization.

Most Companies aren't Ready

The data reveals a harsh truth: most companies are unprepared—both before and after an attack.

The real question isn’t if an attack will happen, it’s how prepared we’ll be when it does. Most attacks aren’t even targeted. They still rely on basic tactics like email phishing because, frankly, they still work, especially against organizations with little awareness or culture around cybersecurity. In a strange way, hackers operate like businesses: they aim to maximize results while minimizing effort. And why would they evolve their methods if we keep making it easy for them?

Most Companies are Unprepared against Cyber Attacks

A Practical Approach

Rather than treating cybersecurity as a crisis that IT handles when something goes wrong, I encouraged the audience to think about it like any other risk, something that can be assessed, planned for, and managed.

I introduced a maturity model that helps businesses understand where they stand:

  1. Ad Hoc: no real security plan, hoping for the best
  2. Reactive: some measures in place, but mostly responding after incidents
  3. Prepared: documented security protocols and improved defenses
  4. Proactive: regularly tested security measures and faster recovery times
  5. Resilient: full cybersecurity integration, minimal risk of disruption

When I asked for a show of hands, very few in the audience considered themselves proactive, and almost none were at the resilient stage. If we consider recent statistics showing that 33% of companies are unprepared, we can say that they all fall in the first two stages.

Who is Responsible for Cyber Security?

I get it, cybersecurity can seem overwhelming, and too technical to be treated as a shared responsibility. But I broke it down into three simple focus areas that every company in the contact lens industry should prioritize.

Cyber Resilience as a Shared Responsibility

Leadership Must Own the Problem

Cybersecurity is no longer a purely technical issue, it’s a business-critical decision. Leadership must actively take ownership of the company’s digital safety. This means defining clear, realistic, and enforceable security policies that align with the organization's operations. Rather than reacting to every possible threat, leaders should focus on prioritizing risks based on measurable business impact, ensuring resources are directed where they matter most. Most importantly, they need to understand that cybersecurity is a form of risk management, not just a technological fix, but a strategic responsibility that affects every layer of the business.

Building a Cyber Resilience Culture

At the heart of every secure organization is its people. Employees are the first line of defense, and their awareness can make or break your cybersecurity posture. This requires regular, engaging training to help them identify phishing attempts and emerging scams. But awareness alone isn’t enough—the organization must foster a security-first culture, where reporting threats is encouraged and normalized. It's equally crucial to move away from a blame-based mindset. Mistakes will happen, but the goal is to create an environment where teams feel safe learning from errors and continuously improving.

Smart Habits for a Safer Business

Sometimes, the most effective measures are also the simplest. Maintaining basic cyber hygiene can significantly reduce vulnerabilities. Keeping software up to date ensures that known security gaps are patched before they’re exploited. Implementing Multi-Factor Authentication (MFA) adds an essential layer of protection against unauthorized access, especially to critical systems. And for data resilience, applying the 3-2-1 backup rule—three copies of your data, stored on two different media types, with one kept off-site—helps ensure that even in a worst-case scenario, recovery is possible and downtime is minimized.

Strategies to Increase the Organization Maturity Level

Some Risk is Inevitable

I ended the talk with a reality check: you can’t eliminate all cyber risks. But you can build resilience, meaning that if something happens, your business can recover quickly, minimize financial damage, and protect customer trust. That’s what truly matters.

Be a Cyber-safe Cow!

To lighten the mood after all the serious discussions, I ended with a simple takeaway: “Be a cyber-safe cow!” We can’t expect the little Swiss farmer to have backup systems, regular security audits, and a plan in place, but with more knowledge and a better understanding of the risks, he wouldn’t have lost his cow. The same principle applies to businesses in the contact lens industry. Cybersecurity isn’t about paranoia; it’s about being prepared and harnessing tools like a maturity model that can help the organization measure its status and identify areas of improvement. The audience response? Overwhelmingly positive. Many came up afterward, sharing how they hadn’t thought about cybersecurity in this way before. That’s exactly why conversations like these are so important.


If you weren’t at EFCLIN 2025, I hope this article gives you a clear view of the key takeaways from my talk. And if you’re wondering where to start with cybersecurity, start simple. Small steps today can prevent major disasters tomorrow.

Filippo Selden, CEO Advance
