Information Security in Manufacturing is a key objective to maintain the health of your business. The threat of loss of intellectual property or operational information is high because the systems you normally use are accessible from the outside, and the data they hold is valuable to others. After all, you create and sell something of value, right?
A recent article in Crain’s Cleveland Magazine highlighted this for Northeastern Ohio manufacturing companies. It is worth the read, but we expand upon its points and provide more direction here.
Let’s consider the threats, what you may need to secure, and some best practices to accomplish this for manufacturing firms.
Threats in Information Security in Manufacturing
The threats are many and growing. Some to consider are:
- Loss of intellectual property – The product data you maintain, including designs, recipes, and bills of material. Others in your industry, particularly from foreign countries with a repeated pattern of copying, find it helpful to simply clone your products and sell them for less.
- Personal Identity Theft – Your employee information is a valuable resource, especially if it has social security numbers, addresses, etc. It is all too common to see people lose control of their identity in financial systems or online storefronts like Amazon or Apple.com.
- Loss of Financial Information – Your cost structures, vendor lists, customer lists, and sales data can create a picture for someone who wants to invade your space in the market.
- Malicious attacks on your business – Your systems are vulnerable to damage once accessed, either by deletion, encryption for a ransom (CryptoLocker), or even forcing your machines to run ineffectively or to the point of damage (Stuxnet).
- Someone who wants to leverage the information inside the business – Threats are not just external; an employee may want to access information to help themselves, such as knowing the payroll of the company so they can negotiate a raise.
- External applications or systems that are insecure – Many functions are moving to the cloud, so you also need to understand what systems are being used and their information security practices. Many companies use CRM systems like SalesForce.com, or Google Docs, or an online utility to convert a document into a PDF. All of the data you send or store in these is managed by others, and someone may even impersonate them and hijack your data.
All of these are threats, and knowing them helps you identify the assets to secure.
Assets that May Need to Be Secured for Information Security in Manufacturing
Having reviewed the list of threats, you may already think about what should be secured; here are ideas to help.
- ERP/MRP/Accounting Systems – These systems hold so much of your business – start here.
- Human Resources Data – Employee personal information, salaries, reviews, etc.
- Product Designs, including CAD files, cost estimates, marketing plans, and other product information.
- Strategic Documents – Those that describe the business plans and organizational changes.
- Personal Computers and Devices – Users often store data or the credentials needed to access the data (e.g. “saved passwords”), so an insecure PC is a path into data stored in other systems.
- Servers – It almost goes without saying, but all servers should be physically and logically secured.
- Connected Devices – It is not just the servers or PCs; any device on your network is an entry point. Consider printers, scanners, embedded production controllers, wireless access points, security cameras, and handheld barcode scanners. All of these have been granted access to valuable data, and accessing them accesses the data.
- Shared folders – Where common documents like marketing brochures, project plans, and other departmental or enterprise data are stored.
- Cloud Systems that store or process your data – As we stated above, every partner you work with to store or process data should be vetted. It is all too common to read about a breach in systems of these organizations.
- USB Drives – We often see users or even IT support personnel using USB drives to store data. When left unsecured, they are an easy target: anyone can pick one up and view the information it holds.
Best Practices for Information Security in Manufacturing
Finally, we can wrap up with some best practices you should implement to secure the overall environment.
- Identify Information Assets – This is covered above, and it must be maintained and checked regularly as your systems will change. Annual verification is a must.
- Contract for Annual Security Penetration tests – Skilled third parties work the process as a hacker would. This provides a punch list of items to secure.
- Manage your firewall – The firewall is the primary point of entry into your systems, and requires no physical access. We recommend SonicWALLs, because they are simpler to manage, and with less complexity comes greater understanding of the way data is being processed through them.
- Review all accounts and their access – When we start with a new client, it is shocking to see how many abandoned accounts exist. These are user accounts where the employee has left the organization, or changed roles. When these changes happen, secure the account and review for deletion. If left behind, they provide a way into your systems.
- Have regular patching and upgrades – Organizations sometimes think they can save money by delaying upgrading or patching systems, but they become more and more vulnerable to new threats not accounted for in the installed version, rendering them insecure. This includes software, and network components like firewalls and wireless access points. Microsoft and others release these patches to plug these holes, so keep them up to date!
- Provide Employee Training – Employees are a weak link in the process – often using insecure passwords, clicking things that install malicious software, or sharing credentials with others. Users should be regularly trained, and policies should be in place to require secure practices.
- Implement Secure Password policies – Require a minimum length, special characters, and change requirements. Do not overdo this, or users will write passwords down on sticky notes because they cannot remember them.
- Check physical security – I am shocked at how often, on a network I should not have access to, I can easily plug into a cabled network port and have full physical access. This also includes securing servers behind a locked door with limited access.
- Turn on security audit capabilities – These logs will provide a way to understand the threats and breaches of your systems.
- Have excellent backups – If data is accessed and destroyed, you will need good backups to resume operations, and potentially determine the history of access so you can see if data was stolen.
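As an illustration of the "Review all accounts and their access" practice above, the following added example (not part of the original article) reconciles an account export against the current HR roster and flags accounts whose owner has left or changed roles. The field names, the roster format, and all sample rows are constructed assumptions; real exports from your ERP or directory will differ.

```python
# Constructed sample data for illustration only.
# HR roster: employee id -> current role.
ROSTER = {
    "E100": "accounting",
    "E101": "engineering",
    "E103": "production",
}

# Account export: one row per login, with the role it was granted for.
ACCOUNTS = [
    {"login": "jsmith", "owner": "E100", "granted_for": "accounting", "enabled": True},
    {"login": "mlee", "owner": "E101", "granted_for": "purchasing", "enabled": True},
    {"login": "tbrown", "owner": "E102", "granted_for": "engineering", "enabled": True},
    {"login": "kdavis", "owner": "E104", "granted_for": "production", "enabled": False},
    {"login": "svc_scan", "owner": None, "granted_for": "production", "enabled": True},
]


def review_accounts(accounts, roster):
    """Return (login, reason, action) for every account that needs attention."""
    findings = []
    for acct in accounts:
        owner = acct["owner"]
        if owner is None:
            # Nobody is accountable for this login (shared or service account).
            reason = "no owner on record"
        elif owner not in roster:
            reason = "owner has left the organization"
        elif roster[owner] != acct["granted_for"]:
            reason = "owner changed roles"
        else:
            continue  # owner is employed and still in the role the access was granted for
        # Secure first; an account that is already disabled goes to deletion review.
        action = "secure (disable) now" if acct["enabled"] else "review for deletion"
        findings.append((acct["login"], reason, action))
    return findings


if __name__ == "__main__":
    for login, reason, action in review_accounts(ACCOUNTS, ROSTER):
        print(f"{login:10} {reason:35} {action}")
```

Running the same reconciliation on a schedule, rather than once at onboarding, keeps the list short enough to act on.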
Information Security in Manufacturing is an important objective, providing long-term reliability for your business. Keystone Technology Consultants takes this seriously and knows it is a cat-and-mouse game with new threats coming all the time. We run a Client Data Safety team that meets monthly to review all threats to our clients and proactively plan the best way to thwart them. Call us today to discuss your systems and how they can be secured.