A manufacturer's guide to protecting customers' data – and your own
Why does cybersecurity matter? "You don't want to be the weakest link in the chain"
Awareness and concerns over various types of cyber attacks have reached unprecedented heights. This is largely the result of highly publicized security breaches, ranging from the personal (stolen credit card passwords) to the corporate (hacked customer and business records) to the political (alleged Russian hacks of high-level politicians and organizations).
In the manufacturing sector, IT security is big business, with a long and highly successful track record. And as more and more companies are discovering, the vulnerabilities here are becoming more serious, too, and consequently are drawing more attention.
This feature describes some of the challenges faced by Macfab during its recent IT security and risk management initiatives. It draws on insights from cybersecurity expert Brigadier General (retired) John Turnbull, who spent 36 years with the Canadian Forces and five years with the Communications Security Establishment (CSE). At the time of his departure from CSE, he was Director General Cyber Protection, responsible for cyber assurance standards and policies for the Government of Canada. He is currently an associate consultant with Ottawa-based CFN Consulting.
“What happens if your information is all there, but you can no longer trust it? You may know that five percent of it has been corrupted but you don’t know which five percent. That could be as bad or worse than losing it.”
– John Turnbull, CFN Consultants
ISO 9001:2015 raises the bar
There’s no better example of the importance of minimizing the various types of exposure than in the latest ISO standard. When introducing its rollout in 2015, the organization stated, “Another major difference is the focus on risk-based thinking. While this has always been part of the standard, the new version gives it increased prominence.”
The document also emphasized the need to include the role and impact of the business’s “interested parties,” most notably its supply chain. As Macfab president Chris Macmorine points out, “The new ISO standard is spurring everybody to look at risk management, and that also relates to looking at how their key suppliers manage risks.
"Risk management has always been part of the industry, but it’s going to be a major focus going into the 2015 version of the ISO standard.” – Chris Macmorine, Macfab Manufacturing
ISO standards deal generally and primarily with quality management, of course, but the concept of risk management touches virtually every facet of product quality, manufacturing and supply chain management and best practices. As an industry’s IT and computer technology systems become more pervasive and more sophisticated, the risks of disruption also increase, whether through technical failures or from deliberate cyber attacks.
As part of a comprehensive risk management initiative, Macfab is connecting its engineering workstations to establish an integrated network
Information Assurance: Confidentiality, Accessibility, and Integrity
John Turnbull advocates that the starting point for cyber protection is actually information management. The business’s first priority should be to separate its day-to-day social and administrative communications on the Internet from any sensitive business data and mission-critical intellectual property.
John maintains that as much as 80 percent of a business’s cybersecurity issues could be mitigated simply by keeping those two data sets separated. “It doesn’t need to cost a lot of money, but you’ve got to think about it. Beyond keeping the information-holding role segregated, it's also important to segregate administrative roles.
“While operating an IT network, anyone with system administrator privileges should have a separate persona and log-on, and ideally a separate workstation that only goes on the Internet in a controlled manner. In an administrator role, one never goes on social media, never plays games, never downloads music. This persona is only used to download software updates from a very restricted number of sites and to manage its accounts. That same person could also be a user on Facebook and everything else, but only when he’s using a different log-on and password. The two roles never blend.”
This approach of partitioning information and separating different roles significantly reduces the confidentiality risk. It also goes a long way toward addressing the next major issue – assuring continuous accessibility to your key business data by reducing threats such as ransomware or a denial-of-service attack.
Access: who's in, why, and when?
The third major risk is corrupted data integrity. As John explains: “If someone, even an insider, gets access to a workstation, or someone’s log-on, and escalates their access by compromising system administrative privileges, they can corrupt the whole system, either deliberately or by accident.”
In addition to having a proper backup regime, this risk can be mitigated by establishing clear permission levels for those who can access information and those who can actually change source code, the system configuration, or the data.
This raises other challenges that need to be addressed, John adds: “Are changes logged somewhere on a register so that someone else, with security supervisory privileges, can go in and review them, preferably with time-stamps on them? If you have audit tools like that, you’ve got to actually use them in order to see if there has been any potential abuse.
"Many applications and operating systems have these audit features built-in, but they are rarely adopted by users. This relatively simple administrative oversight does not require a technical background, but it can take time and thought so it is rarely done.”
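The two controls above (permission levels that separate who may view from who may change, and a time-stamped change register that a security supervisor actually reviews) can be checked mechanically. The script below is an added illustration, not from the article or from Macfab or CFN Consultants; the register format, the role tiers, the account names and the sample entries are all constructed for the example.

```python
"""Review a constructed change register against who may change what."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed permission tiers: the article's split between those who may
# access information and those who may change source, config or data.
CAN_VIEW = {"jdoe", "asmith", "rlee"}
CAN_CHANGE = {"asmith"}      # e.g. an engineering lead
SUPERVISORS = {"rlee"}       # security-supervisory review role


@dataclass
class Change:
    timestamp: Optional[str]   # ISO 8601, or None if the tool logged no time
    actor: str
    target: str                # "source", "config" or "data"
    reviewed_by: Optional[str]


def review(changes: List[Change], now: datetime,
           max_unreviewed: timedelta) -> List[Tuple[int, str]]:
    """Return (entry index, finding) pairs for entries that break the rules:
    actor without change rights, missing time-stamp, self-review, reviewer
    without the supervisory role, or a change left unreviewed too long."""
    findings = []
    for i, c in enumerate(changes):
        if c.actor not in CAN_CHANGE:
            findings.append((i, f"{c.actor} changed {c.target} without change rights"))
        if c.timestamp is None:
            findings.append((i, "no timestamp on record"))
        if c.reviewed_by is None:
            if c.timestamp and now - datetime.fromisoformat(c.timestamp) > max_unreviewed:
                findings.append((i, "unreviewed past deadline"))
        elif c.reviewed_by == c.actor:
            findings.append((i, f"{c.actor} reviewed their own change"))
        elif c.reviewed_by not in SUPERVISORS:
            findings.append((i, f"reviewer {c.reviewed_by} lacks supervisory role"))
    return findings


# Constructed sample register: one clean entry and three rule breaches.
SAMPLE = [
    Change("2017-03-01T09:00:00", "asmith", "config", "rlee"),   # clean
    Change("2017-03-01T10:30:00", "jdoe", "source", None),       # no change rights
    Change(None, "asmith", "data", "asmith"),                     # no time, self-review
    Change("2017-02-10T08:00:00", "asmith", "config", None),     # stale, unreviewed
]


def sample_findings() -> List[Tuple[int, str]]:
    """Run the review over SAMPLE as of 2 March 2017 with a 7-day review window."""
    return review(SAMPLE, datetime(2017, 3, 2), timedelta(days=7))


if __name__ == "__main__":
    for idx, msg in sample_findings():
        print(f"entry {idx}: {msg}")
```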
What your customers need to hear
Taken together and managed properly, these efforts to ensure data confidentiality, access and integrity can stave off most of a business’s cybersecurity risks – and that, John Turnbull asserts, is what customers should expect of their suppliers and partners. "What does your customer need to hear from you? 'When you give us your intellectual property and your data, this is how we protect it. It is never exposed to the Internet. It will be held under tight configuration control on a closed system.'
"This should give them confidence that their intellectual property is safe with you – it's in your vault. And that's a win for everyone."
* * *
For more information on cybersecurity, John Turnbull recommends the Public Safety Canada publication "Get Cybersafe".
You can find more information on ISO 9001-2015 here.