Jacob Horne


Cybersecurity: Protecting Your Company During Telework Operations

Start with the end in mind

Published: Tuesday, August 4, 2020 - 11:02

Cybersecurity is a complex topic no matter what industry vertical it is applied to. In order to reduce that complexity, it helps to frame cybersecurity in the context of the business. For manufacturers, there is a familiar concept that can be used: Begin with the end in mind.

So what does the end look like in terms of cybersecurity?

Incident response. The dizzying landscape of cybersecurity solutions, vendors, and managed services typically revolves around the prevention of a cybersecurity incident. Although an ounce of prevention is worth a pound of cure, cybersecurity is fundamentally a risk management process, and a quick scan of recent headlines will show that absolute prevention is an impossible task. In fact, some of the largest companies in the world with elite cybersecurity operations begin with the assumption that, despite their formidable talents and budgets, their defenses have already been breached.

That may be a reasonable assumption for international conglomerates, but is it reasonable for small manufacturers? Absolutely. The 13th annual “Verizon Data Breach Investigation Report” (one of the most respected and eagerly anticipated reports every year) breaks down more than 150,000 cyber incidents collected from more than 80 research contributors across 16 industry verticals, including manufacturing.

According to the report, manufacturers are unique in that they are consistently targeted by both organized cyber criminals and nation-state actors, rather than one or the other. Overall, the fastest incident detection and response times are measured in days. Twenty-five percent of breaches included in the 2020 report are measured in months or more.

Cybersecurity incidents are inevitable, but their impacts can be greatly mitigated with proper response planning. Ransomware can either be an existential threat to the company or an annoyance resulting in unexpected downtime, all based on how well a company plans with the end in mind. Managed service providers may be able to detect an incident, but they are rarely able to respond. Companies often find themselves in legal trouble, not for experiencing an incident, but for a lack of reasonable steps in planning for and executing incident response. Soon Defense Department suppliers will find themselves unable to bid on new contracts without integrating robust incident-response requirements into their overall security programs. It is telling that of the 12 paragraphs in the primary DOD acquisition regulation for cybersecurity, only one is dedicated to “adequate security,” while five are dedicated to incident response and reporting.

Failing to keep the end in mind while managing cyber-risk can easily lead to the end of an organization. Reaching out to those with experience is a positive way to demystify the complex world of cybersecurity.

Teleworking cybersecurity

For many small and medium-sized manufacturers, the great teleworking experiment brought on by Covid-19 has been a painful one. The sudden shift to telework poses numerous managerial, logistical, and operational hurdles. To make matters worse, cybersecurity risks are amplified by the needs of a remote workforce.

As with any complex management task, it helps to categorize and simplify the problems at hand. Cybersecurity risk management (teleworking in this case) can be broadly divided into two domains: governance and technology.

The most effective cybersecurity governance strategy is setting expectations for the organization. Developing robust cybersecurity policies, and training the workforce on them, are the building blocks for developing a culture of security. Additionally, continuous cybersecurity awareness training offers incredible risk management return on investment.

How to protect your company

Cybersecurity policies, controls, and technologies must be planned, developed, and implemented with the assumption that external environments contain hostile threats. Now that employees are working from home and sometimes even using personal, unmanaged devices to access company assets, certain technology solutions are absolutely required at a minimum:
Multifactor authentication (MFA). Don’t rely on a single username and password for anything. Credentials can be compromised and reused in a million different ways. MFA greatly reduces those risks.
Secure remote access. Unsecured remote access is a disaster waiting to happen. Virtual private networks (VPNs) or similar solutions are easy to set up and go a long way in protecting the organization. You would never allow company workstations and software to go weeks or months without updates. How up to date are the personal devices being used from home?
Personal firewalls. Malware and viruses on personal devices are a problem, but technologies like Windows Firewall are very effective at preventing them. However, common software such as video games will often require holes in the firewall in order to work. How secure are the configurations of the personal devices being used to access company resources?
Secure connectivity. The world runs on Wi-Fi and, unfortunately, so do countless insecure IoT devices like doorbells, cameras, and voice-activated assistants. Old Wi-Fi standards with insecure encryption (and sometimes none at all) are still common.

Related resources

For an exceptional resource on the benefits and drawbacks of various telecommuting solutions (without being overly technical), check out NIST Special Publication 800-46 Revision 2, “Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security.”

First published on the CMTC blog.


About The Author

Jacob Horne

For more than 13 years, Jacob Horne has led high-performance teams across a broad spectrum of cybersecurity disciplines, from university education and curriculum development to 24x7 SOC operations. Horne currently specializes in demystifying and facilitating compliance with DFARS and CMMC for SMBs within the Defense Industrial Base.