ABCs of IT Security for Manufacturers
posted Oct 19, 2018 by Daniel M. Andrea, CPA, CITP, CISA in the Business Blog
Roughly one in four respondents to our 2018 Manufacturing Industry Outlook Report recognizes cybersecurity as a major risk factor. But the IT world is foreign territory to many business owners — so they may be unsure how to start the cybersecurity process.
Like learning a new language, the process of securing your IT assets and data begins by covering your ABCs: asset disposal, basic security measures and company-wide training programs.
“A” is for Asset Disposal
The end of an asset’s useful life may seem like an odd place to start the data security process. But asset disposal is commonly overlooked — so, savvy hackers have learned to exploit the back end. How secure are your IT assets once they’re recycled, donated, returned to the leasing company or otherwise discarded?
Data security policies should extend to the disposal stage of an asset’s life. If not, sensitive data could be breached. This means wiping clean old hard drives and printers or using a trusted outside vendor to handle disposal. Devices that haven’t been properly disposed of can pose significant risks if they wind up in the wrong hands.
In addition, this means the continuous performance of an inventory of IT assets to make sure that there are no devices inadvertently connected to the company’s network. This is often a source of network breaches.
“B” is for Basic Security Measures
Security “essentials” go a long way toward safeguarding data stored on IT devices and the cloud. Although these elements may seem to be a matter of common sense, surprisingly, some manufacturers still aren’t using them properly. Examples include:
Strong passwords. Protect your company’s network and devices with unique passwords that contain a combination of 8 or more letters, numbers and symbols. Every employee should have a unique username and password to connect to the network, and passwords should be changed every month or quarter.
Also consider the use of pass “phrases” and multi-factor authentication (“MFA”) as control measures over access.
Daily backup. Make a backup copy of sensitive customer, employee and proprietary data every night, using a safe and secure external source. It should not be connected full time to your network, in case the network goes down for an extended time or gets hacked.
Data encryption. Encrypt all sensitive data to prevent it from being read after a device has been lost, stolen or hacked.
Security software. Install anti-virus/anti-malware software and firewalls on all devices — laptops, desktops, routers, tablets and phones. The software should always be set to automatically update.
Windows and Mac operating systems come with factory-installed security software and encryption technology that you should almost always enable. Or you can purchase security software with a broader range of protections from a trusted vendor.
“C” is for Company-Wide Training Programs
Employees at all levels — C-level executives, accounting and HR personnel, administrative assistants, machine operators, and maintenance workers — are your first line of defense against external cyberthreats. Too often, data security plans are created by upper management and then bits and pieces filter down to rank-and-file workers through memos, the intranet, personnel manuals or word of mouth.
Formal training programs can inform employees about the company’s policies and procedures on how data theft is prevented, detected and responded to. In addition to getting everyone on board with company policies, training programs may deter IT theft from company insiders, as well as providing opportunities for workers to provide input to further secure data.
For example, a payroll clerk might know about coworkers who access personnel files using unauthorized personal devices. The janitor might be aware of old laptops sitting in an unlocked storage closet with hard drives full of sensitive data. Or a machinist might know a disgruntled former employee who’s still able to access the company’s cloud using her old username and log-in.
Will your workers speak up about internal control weaknesses? Break-out sessions and post-training survey forms can reveal major vulnerabilities in your systems that upper management was previously unaware of.
Cybersecurity concerns are at an all-time high, according to a recent global survey of CFOs. And the manufacturing industry may be especially vulnerable.
These ABCs provide a solid foundation for data security. But there’s a lot more you can do to prevent and detect data breaches and theft. Contact our information security professionals to establish a more sophisticated data security plan that helps keep you one step ahead of cybercriminals.