Data security concerns in the manufacturing industry have surged in the past few months; while these concerns have long been in the spotlight, COVID-related circumstances inspired a rush to adopt new software applications and platforms to support remote work environments and content sharing capabilities with employees, customers, and partners.
Some manufacturing and industrial organizations classified as “essential services” faced the challenge of quickly adjusting production facilities to new health safety standards for onsite workers. In the rush to do so, many adopted what were later revealed to be insecure off-the-shelf IT solutions and cybersecurity measures that buckled under the strain of new demand spikes. The haste to ensure business continuity in the first wave of COVID-19 led to unintended data security and manufacturing risk.
However, there are steps industrial and manufacturing organizations can take to ensure data is secure and IT systems remain up and running during the next wave of effects from the COVID-19 pandemic. Planning for provider continuity and working to secure your critical manufacturing data and systems starts by following four essential steps.
#1: Review Your IT Outsourcing Dependencies and Data Flows
It is crucial to have a complete understanding of which IT vendors are essential to core business and manufacturing operations, as well as which handle any sensitive data—but this can be more complex than it appears.
What you do know: many departments, such as Finance, Marketing, and others, may license smaller cloud-based platforms to manage their work outside of IT’s line of sight.
What you may not know: sensitive data may be handled by these vendors, where it can be targeted by threat actors and result in data breaches.
Vendors can include:
- Internet service providers (ISPs)
- Cloud service providers (including any “shadow IT” cloud providers leveraged by smaller departments within business units)
- Data center providers
- Managed security services—any vendor critical to supporting your information technology or operational technology (IT/OT) needs.
Before you can assess your manufacturing data security supply chain risk, we recommend auditing your third-party IT dependencies across the business and your data flows to understand where your data may traverse networks and be handled, stored, or processed outside of your perimeter.
#2: Ensure Third-Party Remote Work Models Aren’t Affecting Manufacturing Data Security Standards
Once you have identified your critical and data-handling vendors, contact them to assess whether their staff is working remotely, all or in part, and how this has changed, or is expected to change, their manufacturing data security practices or contracted levels of performance.
Some vendors may have requirements for retaining a certain number of onsite personnel (such as cloud infrastructure providers), but may still have remote workers in some essential functions.
In many states or regions, “stay-at-home” orders for individuals and non-essential businesses have been lifted to varying degrees. But it is up to individual businesses to determine when and how they will introduce their employees back into the office.
Questions you may consider asking them include:
- Do you have a business continuity plan in place for COVID-19-related impacts?
- Have you shifted to a full or partial remote work model? If so, please describe the security measures you have employed to protect ongoing operations and security of information assets.
- Are your staffing levels adequate to address current customer needs and/or take on new business? Do you have an employee augmentation plan should staff fall ill?
- Have you reduced, or do you plan to reduce, your service offerings as a result of COVID-19? If so, please specify.
- Are you experiencing (or do you anticipate) any degradation or outages of critical systems, services, or platforms? If so, please specify.
- Do you rely on third-party providers/partners for your offerings? Are you satisfied with their ability to deliver at the levels you require to deliver for your customers?
Partners in the industrial sector are often essential and highly valued; delivering these questions with respect and appreciation helps continue to foster an ongoing, trusted relationship.
#3: Assess Manufacturing and Industrial Partners for Future Cyber Security Risk
As you make inquiries of partners regarding their business continuity and remote work status, you may also choose to inquire whether they anticipate any future impediments (including financial issues) that will affect their ability to continue to meet your needs at the levels delivered before COVID-19.
This is one step in assessing their financial solidity; but the fact is, few can accurately predict the economic impacts of global shutdowns, or even the course of the pandemic itself.
We recommend taking a risk matrix approach and mapping out your third-party providers by:
- The criticality of their offering to your core operations and whether they handle sensitive data.
- The difficulty and time needed to assess and contract new vendors in this space.
- Your contract terms and your ability to cancel should performance or data security drop to unacceptable levels or service offerings change in scope.
Using this information, prioritize your highest-risk third-party service areas so that you can build a fallback plan should a vendor close their doors, or be acquired by another organization and offer contract terms that are not favorable to your needs.
#4: Planned Redundancy and Identifying Fallback Plans
To avoid repeating mistakes made in the first COVID wave, we recommend conducting behind-the-scenes research to identify a shortlist of alternate providers for your most “at-risk” service areas, in case you need to find a new vendor quickly.
Your research should determine whether they offer the span of service offerings, service levels, brand reputation, and, importantly, rigorous manufacturing data security practices you require. Additionally, ensure you have a plan to repossess your data from your current vendors should they fail.
The goal of the exercise is not to create insecurity in your current provider base (particularly if you are satisfied with them) but rather to understand your options so that you can shorten the time needed to shift to new vendors should it become necessary, avoiding the need to make hasty, poorly thought-out decisions that could backfire. Business continuity is paramount—but if you embrace a new vendor with sub-par data security practices and suffer a data breach, the cure can be worse than the illness.
A little research and planning today can help you feel confident your manufacturing business has a continuity plan for your IT solutions and data security, to stop riding the wave of COVID reactivity.