The cyberattacks that have received the greatest media and public attention in recent years were those against financial services firms such as JPMorgan Chase and Citigroup and retailers such as Target, eBay and Home Depot. But manufacturers aren't immune. Last year, sophisticated attackers gained access to the office network of a German steel plant and, from there, moved into the organization's production network. Control components and entire production machines suffered outages, which prevented the plant from shutting down a blast furnace in a controlled way. The plant sustained significant physical damage.
So, just as with financial services firms and retailers, information security is critically important for manufacturers.
There are two approaches to securing a company’s or plant’s information: defensive and offensive.
The defensive approach includes configuring firewalls, coding to standards and implementing software that you "set and forget," such as antivirus or password-strength enforcement. In essence, you check all the information security "boxes." These controls are necessary, but they are static: they stop the attacks they were configured for and say nothing about how your particular systems can be misused.
The offensive approach, and the preferred one, is to think like a hacker. After checking those boxes, you try to break into your own systems. You find out how people have been hacking into similar systems and try those techniques in your own environment, taking a clear-box approach: looking at how a system is built and where it is served, and then trying to exploit its weaknesses before someone else does.
If you are going to keep your company’s network data secure, the offensive approach to information security requires taking several steps.
Here are the first few items on your technology to do list:
- Know where all your data is;
- Identify who has access to it;
- Classify your data as high or low risk;
- Bring in an outside firm to objectively evaluate and understand your systems and processes;
- Then, create a plan and a specific scope of work so you know what technology partners you need.
With these small steps you make it far harder for an attacker to get from your office network into your production network, as happened at the steel plant. That's a start.
Processes and protocols
The next step? A successful information security function relies heavily on solid governance.
Companies need a framework for evaluating third-party providers of information technology development and security. And they need to ensure that departments inside the organization follow strict processes and protocols when making technology decisions or purchases, so that no system reaches production without having passed through the security function.
Part of this governance process is simply asking the right questions. Managers and executives should set up a meeting with their technology team and ask a number of questions:
- Do we have an information security function? To whom does it report?
- What does our security function look like?
- How do we vet third-party technology providers? How do we know they are doing things the right way?
- Do we have gates and mandatory checkpoints before something goes live, such as a code review before any new website is launched?
This sort of dialogue is key to ensuring you don’t stall in your quest to provide the highest level of security for your company and your customers.
No need to reinvent the wheel?
Next, take a look at the best information security practices of entities that do it well, such as government, defense and the financial services industry. There's no point in reinventing the wheel if effective practices are already in use.
The Building Security in Maturity Model (BSIMM) is also a great place to start. It is a software security measurement framework built from the activities observed in real organizations' software security initiatives, so it lets a company compare its own program against those of its peers and identify the specific activities it is missing.
A great example of an industry-specific security measure is the concept of vaulting, or tokenization, where convenience stores and retailers never store credit card numbers from transactions or loyalty programs on site. The card number is placed in an off-site "vault" and the retailer keeps only a meaningless token that refers to it, so an attacker who breaches the retailer's systems walks away with tokens rather than card numbers. The vault itself then becomes a high-value target and must be protected and access-controlled accordingly. Always remember, examples from sectors outside manufacturing might be helpful and relevant, as is learning from the missteps other organizations make.
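To make the vaulting idea concrete, here is an added example (not code from the original article or from any real vault product) of the split between a hypothetical off-site vault and the on-site merchant database. The class names, the `payment-processor` role and the test card numbers are assumptions for the demonstration; the point it shows is that the merchant's own records never contain a full card number, that tokens are random rather than derived from the card number, and that only an authorized role can turn a token back into a card number.

```python
"""Tokenization ("vaulting") demo: the merchant never holds card numbers.

Constructed example for illustration; no real vault product or API is implied.
"""
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn check: reject malformed card numbers before they reach the vault."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """Hypothetical off-site vault: the only system that maps tokens to PANs."""

    # Assumed policy: only the payment processor may recover a card number.
    _ALLOWED_ROLES = {"payment-processor"}

    def __init__(self) -> None:
        self._pans: dict[str, str] = {}   # token -> PAN (encrypted at rest in a real vault)

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # The token is random, not a hash of the PAN: valid card numbers are
        # few enough (~10^15) that a hash could be reversed by enumeration.
        token = "tok_" + secrets.token_hex(16)
        self._pans[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        if caller_role not in self._ALLOWED_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._pans[token]


@dataclass
class MerchantRecord:
    """What the on-site system keeps: a token and the last four digits only."""
    customer: str
    token: str
    last4: str


class MerchantDB:
    """On-site store. A dump of this database yields no usable card numbers."""

    def __init__(self) -> None:
        self.records: list[MerchantRecord] = []

    def store_card(self, vault: CardVault, customer: str, pan: str) -> str:
        token = vault.tokenize(pan)          # the PAN leaves the premises here
        self.records.append(MerchantRecord(customer, token, pan[-4:]))
        return token

    def leaks_full_pan(self, pan: str) -> bool:
        """Breach simulation: does any stored field contain the full PAN?"""
        return any(pan in (r.customer, r.token, r.last4) for r in self.records)


def demo(pan: str = "4111111111111111") -> dict:
    """Run one tokenize/store/detokenize cycle and report what each side holds."""
    vault, merchant = CardVault(), MerchantDB()
    token = merchant.store_card(vault, "customer-1", pan)
    try:
        vault.detokenize(token, "marketing")
        marketing_denied = False
    except PermissionError:
        marketing_denied = True
    return {
        "token": token,
        "merchant_leaks_pan": merchant.leaks_full_pan(pan),
        "processor_recovers_pan": vault.detokenize(token, "payment-processor") == pan,
        "marketing_denied": marketing_denied,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points are worth noting. The token carries no information about the card number, so two deposits of the same card produce two unrelated tokens; if recurring billing requires a stable token, that mapping belongs inside the vault, not in the merchant's database. And `detokenize` is gated by role, because the vault is now the single place worth attacking.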
Perfection isn’t required
The most common mistake I see is when managers get overwhelmed: the process becomes too cumbersome and too intimidating. So, managers ignore the entire issue of information security and hope nothing happens. Too many managers say "the system is too old" or "we could never do that" or "I don't even know where to begin." Don't let "perfect" be the enemy of good.
Here is a pep talk, some advice to reflect on as you embark on this security journey.
- It’s all about continuous improvement; start where you are and get better;
- Don’t get discouraged — keep the momentum going;
- Break through the politics and get people on board;
- Most mistakes are not technical — they are management errors.
To avoid these mistakes, consider the following:
- Always look at how to control scope; you don’t have to do it all yourself;
- Get experts in the room; do your due diligence;
- Take necessary precautions — you can’t afford not to;
- Do what is needed and then take it to the next level — think like a hacker.
The people component
Don't forget that technology is built by and for people. If a human being created the technology, a human being can hack into it. So, your most effective solution is to have a real person take what is known about the system and try to break it from the inside out. This clear-box approach requires skill and expertise that you may or may not have on your tech team.
Second, a culture of educating staff is important. The technology is for them. Explain your information security initiative to employees through lunch-and-learns and other internal communications efforts — and provide the information in a simple way. You will be surprised at how willing they are to follow the rules and ask questions when doing something technology related.
Finally, commit. Senior management, not just compliance personnel, must be on board for an information security initiative to be successful – just as they must be for your business’ other important initiatives.
Dennis Egen is President and Founder of Engine Room, a technology and security firm.