Cybersecurity continues to be a critical concern for industries ranging from manufacturing and retail to banking. It is imperative that all manufacturing organizations develop strategies to manage cybersecurity risks. As Peter J. Beshar pointed out in a recent Fortune article, cybersecurity is a challenge every business should prepare for: “Everything is connected now. Robots perform critical tasks, and artificial intelligence mimics human cognition. Although these advances in technology present tremendous opportunity to society and business, there was a growing chorus … that these interconnected innovations could open the door to making cyber-breaches more frequent and more severe.”¹

In making its announcement regarding a new emphasis in its School of Engineering to train cybersecurity experts, the University of Kansas emphasized that “the future of information technology is the future of technology itself. All types of technology now are closely related to IT. For example, 20 years ago a car was a car and the territory of mechanical engineers. But because cars are getting smarter, they’re vulnerable to cyber-attacks. Now, we have smart refrigerators and smart TVs. In a few years, everything we do will be connected to the Internet, and everything connected to the Internet is subject to cyber-attacks.”²

A cybersecurity panel discussion at Rockwell Automation’s Automation Fair at the end of 2015 emphasized the critical concern about manufacturing and cyber-risks, stating, “Cyber threats are everywhere and companies want to secure the manufacturing infrastructure and systems. That’s a big problem considering industrial control systems (ICS) are connecting to more smart assets, enterprise systems, as well as the Internet, meaning the plant could be opening the virtual door to the bad guys.”³

Numerous cybersecurity attacks over the past few years have impacted banks, municipal infrastructures, large retailers and other companies. In addition, these mounting cyberthreats have made the issue a key priority for the U.S. government. Since this is clearly a large and complex issue, some manufacturers want to act but may be wondering how to handle the challenge and manage their risks for the long term.

Company-Wide Training

Industry experience says that a successful cybersecurity strategy must link the whole company (i.e., IT, security, engineering, human resources, marketing and supply chain, etc.). One key starting point is to make sure the company develops and requires cybersecurity training for all employees who use company computers/applications or handle company data (from top management to temporary workers).

Information security training is a critical part of an effort to address increasing threats to the security of manufacturing information, systems and data. As Ron Christie, manager of human resources training and organizational development at University of California, Riverside, said, “Studies have shown that a substantial number of cyber-attacks involve the unintended actions of users of information systems, and this risk can be significantly lowered through an effective training program.”⁴

All employees in the organization should be required to complete information security awareness training. In addition, since systems change within an organization and an organization’s policies and procedures change, a refresher course is recommended on a regular basis. Also, it is important to provide this training for new hires so that a culture of information security is taught at the onset. Furthermore, if your supply chain has access to company data and information systems, they, too, should be required take the training as a supplement to non-disclosure agreements that should also be in place.

For larger companies with multiple locations, the training can be offered online. Local community colleges can often provide resources to help with developing training courses for smaller manufacturers. Keep in mind that your cybersecurity awareness training course does not need to be an all-day affair. Some video-based training classes can take less than one hour to complete.

Course Content

A number of issues, ranging from company processes to employee actions, impact information security within an organization. As such, topics in your training should include the following:

Introduction

In your introductory remarks, address why cybersecurity is important to your company.

Computer Usage

The discussion regarding computer usage should include company guidelines for the use of company-issued computers, as well as portable media (particularly that which interfaces with company hardware, software and data).

Social Networking

Address whether social networking is appropriate on company assets at any time. In addition, discuss the company’s guidelines for what employees should share (or not) about their work in order to prevent company secrets being inadvertently leaked.

Email

It is important to have guidelines for using the company email system. For example, are employees restricted from sending company email to their personal accounts?

Browsing

What are the company’s guidelines regarding browsing the Internet?

Mobile Device Security

The discussion regarding mobile devices should include guidelines for the appropriate use of mobile phones, USB drives and other mobile media.

Passwords

How frequently should passwords be changed? What password format(s) are acceptable?

Data Security

Define company-critical data, and provide detailed instructions regarding how to keep it secure.

What to Do if Hacked

Provide guidelines as to who employees should contact if they suspect a cyber-attack or a virus on a computer.

Information Privacy

Emphasize how important it is to maintain the privacy of information related to assets like collected personal information, employee records, financial data, and other business-related details.

International and Domestic Travel

The focus regarding travel should be in preventing company information from being discussed in public areas such as airports, hotels, and restaurants, such that critical data or trade secrets might be overheard.

Comprehensive Policies

Information security continues to be a hot topic for manufacturers and other businesses around the world. No company can escape the threat of a data breach. To avoid potential disaster, it is critical to build and maintain strong employee awareness of cybersecurity and its impact on the company. Salo Fajer, chief technology officer with Digital Guardian, sums it up succinctly: “The weakest link in data defense is the employee. Train them on your policies regarding the use of confidential data. It also helps to perform regular security awareness training and invite your contractors, vendors and partners to participate, as they should be subject to your data protection policies as well.”⁵

For more information, contact the author at howellvw@outlook.com.

References

1. Beshar, Peter J., “The Cybersecurity Challenge Every Business Should Prepare For,” http://fortune.com/2016/01/26/davos-cybersecurity-challenge-business.
2. “KU to Train Next-Generation Cybersecurity Experts for Government Service,” http://news.ku.edu/2016/01/20/ku-train-next-generation-cybersecurity-experts-government-service#sthash.CLtJfvYt.dpuf http://news.ku.edu/2016/01/20/ku-train-next-generation-cybersecurity-experts-government-service#sthash.CLtJfvYt.dpuf.
3. Neil, Stephanie, “Cybersecurity and the Manufacturing Mindset,” www.automa-tionworld.com/all/cybersecurity-and-manufacturing-mindset.
4. Marantos, Jeanette, “UC Wants YOU to Complete Cyber Security Training By Jan. 31,” https://ucrtoday.ucr.edu/34412.
5. Fajer, Salo, “What Manufacturers Need to Know about Cybersecurity,” March 3, 2015, www.industryweek.com/information-technology/what-manufacturers-need-know-about-cybersecurity.