Jacob Horne


Cybersecurity: Protecting Your Company During Telework Operations

Start with the end in mind

Published: Tuesday, August 4, 2020 - 12:02

Cybersecurity is a complex topic no matter what industry vertical it is applied to. In order to reduce that complexity, it helps to frame cybersecurity in the context of the business. For manufacturers, there is a familiar concept that can be used: Begin with the end in mind.

So what does the end look like in terms of cybersecurity?

Incident response. The dizzying landscape of cybersecurity solutions, vendors, and managed services typically revolves around the prevention of a cybersecurity incident. Although an ounce of prevention is worth a pound of cure, cybersecurity is fundamentally a risk management process, and a quick scan of recent headlines will show that absolute prevention is an impossible task. In fact, some of the largest companies in the world with elite cybersecurity operations begin with the assumption that, despite their formidable talents and budgets, their defenses have already been breached.

That may be a reasonable assumption for international conglomerates, but is it reasonable for small manufacturers? Absolutely. The 13th annual “Verizon Data Breach Investigation Report” (one of the most respected and eagerly anticipated reports every year) breaks down more than 150,000 cyber incidents collected from more than 80 research contributors across 16 industry verticals, including manufacturing.

According to the report, manufacturers are unique in that they are consistently targeted by both organized cyber criminals and nation-state actors, rather than one or the other. Overall, the fastest incident detection and response times are measured in days. Twenty-five percent of breaches included in the 2020 report are measured in months or more.

Cybersecurity incidents are inevitable, but their impacts can be greatly mitigated with proper response planning. Ransomware can either be an existential threat to the company or an annoyance resulting in unexpected downtime, all based on how well a company plans with the end in mind. Managed service providers may be able to detect an incident, but they are rarely able to respond. Companies often find themselves in legal trouble, not for experiencing an incident, but for a lack of reasonable steps in planning for and executing incident response. Soon Defense Department suppliers will find themselves unable to bid on new contracts without integrating robust incident-response requirements into their overall security programs. It is telling that of the 12 paragraphs in the primary DOD acquisition regulation for cybersecurity, only one is dedicated to “adequate security,” while five are dedicated to incident response and reporting.

Failing to keep the end in mind while managing cyber-risk can easily lead to the end of an organization. Reaching out to those with experience is a positive way to demystify the complex world of cybersecurity.

Teleworking cybersecurity

For many small and medium-sized manufacturers, the great teleworking experiment brought on by Covid-19 has been a painful one. The sudden shift to telework poses numerous managerial, logistical, and operational hurdles. To make matters worse, cybersecurity risks are amplified by the needs of a remote workforce.

As with any complex management task, it helps to categorize and simplify the problems at hand. Cybersecurity risk management (teleworking in this case) can be broadly divided into two domains: governance and technology.

The most effective cybersecurity governance strategy is setting expectations for the organization. Developing robust cybersecurity policies, and training the workforce on them, are the building blocks for developing a culture of security. Additionally, continuous cybersecurity awareness training offers incredible risk management return on investment.

How to protect your company

Cybersecurity policies, controls, and technologies must be planned, developed, and implemented with the assumption that external environments contain hostile threats. Now that employees are working from home and sometimes even using personal, unmanaged devices to access company assets, certain technology solutions are absolutely required at a minimum:
Multifactor authentication (MFA). Don’t rely on a single username and password for anything. Credentials can be compromised and reused in a million different ways. MFA greatly reduces those risks.
Secure remote access. Unsecured remote access is a disaster waiting to happen. Virtual private networks (VPNs) or similar solutions are easy to set up and go a long way in protecting the organization. You would never allow company workstations and software to go weeks or months without updates. How up to date are the personal devices being used from home?
Personal firewalls. Malware and viruses on personal devices are a problem, but technologies like Windows Firewall are very effective at preventing them. However, common software such as video games will often require holes in the firewall in order to work. How secure are the configurations of the personal devices being used to access company resources?
Secure connectivity. The world runs on Wi-Fi and, unfortunately, so do countless insecure IoT devices like doorbells, cameras, and voice-activated assistants. Old Wi-Fi standards with insecure encryption (and sometimes none at all) are still common.

Related resources

For an exceptional resource on the benefits and drawbacks of various telecommuting solutions (without being overly technical), check out NIST Special Publication 800-46 Revision 2, “Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security.”

First published on the CMTC blog.


About The Author


Jacob Horne

For more than 13 years, Jacob Horne has led high-performance teams across a broad spectrum of cybersecurity disciplines, from university education and curriculum development to 24x7 SOC operations. Horne currently specializes in demystifying and facilitating compliance with DFARS and CMMC for SMBs within the Defense Industrial Base.