Cybersecurity: Protecting Your Company During Telework Operations
Jacob Horne
Published: Tuesday, August 4, 2020 - 11:02

Start with the end in mind

Cybersecurity is a complex topic no matter which industry vertical it is applied to. To reduce that complexity, it helps to frame cybersecurity in the context of the business. For manufacturers there is a familiar concept that can be used: begin with the end in mind. So what does the end look like in terms of cybersecurity? Incident response.

The dizzying landscape of cybersecurity solutions, vendors, and managed services typically revolves around the prevention of a cybersecurity incident. Although an ounce of prevention is worth a pound of cure, cybersecurity is fundamentally a risk management process, and a quick scan of recent headlines will show that absolute prevention is an impossible task. In fact, some of the largest companies in the world, with elite cybersecurity operations, begin with the assumption that, despite their formidable talent and budgets, their defenses have already been breached.

That may be a reasonable assumption for international conglomerates, but is it reasonable for small manufacturers? Absolutely. The 13th annual "Verizon Data Breach Investigations Report" (one of the most respected and eagerly anticipated reports every year) breaks down more than 150,000 cyber incidents collected from more than 80 contributors across 16 industry verticals, including manufacturing. According to the report, manufacturers are unusual in that they are consistently targeted by both organized cyber criminals and nation-state actors, rather than one or the other. Even the fastest incident detection and response times are measured in days, and 25 percent of the breaches in the 2020 report took months or longer to discover. Cybersecurity incidents are inevitable, but their impacts can be greatly mitigated with proper response planning.
Ransomware can be either an existential threat to the company or an annoyance that causes some unexpected downtime, depending entirely on how well the company has planned with the end in mind. Managed service providers may be able to detect an incident, but they are rarely able to respond to it. Companies often find themselves in legal trouble not for experiencing an incident, but for failing to take reasonable steps to plan for and execute incident response. Soon, Defense Department suppliers will be unable to bid on new contracts without integrating robust incident-response requirements into their overall security programs. It is telling that the primary DOD acquisition regulation for cybersecurity (DFARS clause 252.204-7012) dedicates only one paragraph to "adequate security" and five to incident response and reporting. Failing to keep the end in mind while managing cyber-risk can easily lead to the end of an organization. Reaching out to those with experience is a positive way to demystify the complex world of cybersecurity.

Teleworking cybersecurity

For many small and medium-sized manufacturers, the great teleworking experiment brought on by Covid-19 has been a painful one. The sudden shift to telework poses numerous managerial, logistical, and operational hurdles, and cybersecurity risks are amplified by the needs of a remote workforce. As with any complex management task, it helps to categorize and simplify the problems at hand. Cybersecurity risk management (of teleworking, in this case) can be broadly divided into two domains: governance and technology.

The most effective cybersecurity governance strategy is setting expectations for the organization. Developing robust cybersecurity policies, and training the workforce on them, are the building blocks of a culture of security. Continuous cybersecurity awareness training also offers an excellent risk management return on investment.
How to protect your company

Cybersecurity policies, controls, and technologies must be planned, developed, and implemented on the assumption that external environments contain hostile threats. For an exceptional resource on the benefits and drawbacks of the various telecommuting solutions (without being overly technical), see NIST Special Publication 800-46 Revision 2, "Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security." Now that employees are working from home, sometimes on personal, unmanaged devices, to access company assets, the following technology solutions are required at a minimum:

• Multifactor authentication (MFA). Don't rely on a single username and password for anything. Credentials are phished, leaked, and reused in countless ways; MFA greatly reduces the damage a stolen password can do.
• Secure remote access. Unsecured remote access is a disaster waiting to happen. Virtual private networks (VPNs) or similar solutions are easy to set up and go a long way toward protecting the organization. A VPN extends trust to whatever device is on the other end, though. You would never allow company workstations and software to go weeks or months without updates, so how up to date are the personal devices being used from home?
• Personal firewalls. Malware on personal devices is a problem, and a host firewall such as Windows Defender Firewall is very effective at blocking the unsolicited inbound connections through which much of it spreads. However, common software such as video games often requires holes to be opened in the firewall in order to work. How secure are the configurations of the personal devices being used to access company resources?
• Secure connectivity. The world runs on Wi-Fi and, unfortunately, so do countless insecure IoT devices such as doorbells, cameras, and voice-activated assistants. Old Wi-Fi standards with insecure encryption (WEP) and open networks with no encryption at all are still common; a home network used for work should run WPA2 or WPA3 with a strong passphrase.
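The three questions in the list (how up to date the device is, how its firewall is configured, and what its Wi-Fi looks like) can be answered from the device itself. The following PowerShell script is an added example, not code from the article, from CMTC, or from NIST: it reports the age of the newest installed update, the state of each Windows Defender Firewall profile, every enabled inbound allow rule that also applies on the Public profile, and the authentication type of the current Wi-Fi connection. The 30-day patch threshold and the list of acceptable Wi-Fi authentication types are assumptions chosen for illustration.

```powershell
# Home-device posture check for the telework checklist above.
# Added example, not from the article. Run in an elevated Windows PowerShell 5.1
# or PowerShell 7 session on Windows 10/11. The threshold and the Wi-Fi
# allow-list are assumptions for illustration, not figures from the article.

function Get-TeleworkPosture {
    param(
        [int]$MaxPatchAgeDays = 30,                                 # assumed threshold
        [string[]]$AcceptableWifiAuth = @('WPA2-Personal', 'WPA2-Enterprise',
                                          'WPA3-Personal', 'WPA3-Enterprise')  # assumed
    )
    $findings = @()

    # 1. Patch currency: how long ago was the most recent update installed?
    $latest = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($latest) {
        $age = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
        if ($age -gt $MaxPatchAgeDays) {
            $findings += "Last update $($latest.HotFixID) was installed $age days ago"
        }
    } else {
        $findings += "Get-HotFix reports no installed updates; check Windows Update manually"
    }

    # 2. Firewall profiles: Domain, Private and Public should all be enabled
    #    and should block unsolicited inbound traffic by default.
    foreach ($p in Get-NetFirewallProfile) {
        if (-not $p.Enabled) {
            $findings += "Firewall profile '$($p.Name)' is disabled"
        } elseif ("$($p.DefaultInboundAction)" -ne 'Block') {
            $findings += "Firewall profile '$($p.Name)' allows inbound traffic by default"
        }
    }

    # 3. The holes that games and other software punch: enabled inbound Allow
    #    rules that also apply on the Public profile (any untrusted network).
    #    Built-in rules are listed too; review them rather than assume.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
             Where-Object { "$($_.Profile)" -match 'Public|Any' }
    foreach ($rule in $rules) {
        $pf = $rule | Get-NetFirewallPortFilter
        $findings += "Inbound allow rule '$($rule.DisplayName)' opens " +
                     "$($pf.Protocol) port(s) $($pf.LocalPort -join ',') on profile $($rule.Profile)"
    }

    # 4. Wi-Fi security of the current connection. netsh prints localized text;
    #    the pattern below assumes an English-language Windows install.
    $wlan = netsh wlan show interfaces 2>$null
    $authLine = $wlan | Select-String -Pattern '^\s*Authentication\s*:\s*(.+)$' |
                Select-Object -First 1
    if ($authLine) {
        $auth = $authLine.Matches[0].Groups[1].Value.Trim()
        if ($AcceptableWifiAuth -notcontains $auth) {
            $findings += "Wi-Fi authentication is '$auth'; expected one of $($AcceptableWifiAuth -join ', ')"
        }
    }

    return $findings
}

$results = @(Get-TeleworkPosture)
if ($results.Count -eq 0) {
    Write-Output 'No findings: patched, firewall on, no public inbound holes, Wi-Fi acceptable'
} else {
    $results | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The inbound-rule check deliberately reports rather than deletes: a rule that is legitimate on the home Private profile (a game, a media server) is still a finding when it is also active on the Public profile, because that is the profile a laptop picks up in a hotel or coffee shop. The Wi-Fi check only sees the network the device is currently on, so run it from the home network the employee actually works from.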
First published on the CMTC blog.

About The Author

For more than 13 years Jacob Horne has led high-performance teams across a broad spectrum of cybersecurity disciplines, from university education and curriculum development to 24x7 SOC operations. Horne currently specializes in demystifying and facilitating compliance with DFARS and CMMC for SMBs within the Defense Industrial Base.
© 2021 Quality Digest. Copyright on content held by Quality Digest or by individual authors. Contact Quality Digest for reprint information.
"Quality Digest" is a trademark owned by Quality Circle Institute, Inc.