Manufacturers are dealing with a number of security concerns related to aging infrastructure, the constant threat of data breaches, lack of formal security policies, and like many other industries, an overworked IT staff.
While tackling all the things you need to do to improve your company’s overall security may seem overwhelming, the good news is there are a number of measures you can take. One of the first steps is assessing where your company stands when it comes to security best practices.
We developed a security grader to help small and mid-sized organizations, including manufacturers, determine the people, process and technology areas they need to take into account to strengthen their security posture. Of all the possible priorities, this article boils it down to the one step you should take first in each of those three areas.
Top People Recommendation: Conduct Ongoing Security Education
Humans are the biggest target in a company, but they’re also a source of hope when it comes to your security strategy. Keeping the people side of the security equation strong requires that everyone in your organization have an awareness of security. If employees aren’t educated about what to do and what not to do when it comes to security, they may never know the dangers of using bad passwords, clicking on malicious links, or logging onto unsecured public Wi-Fi networks. Employees should be properly trained on security when they first come on board and should also receive regular training.
Your employee security orientation program should include:
- An overview of your company’s security policies and processes
- Demonstrations of security tools they’ll be using, such as two-factor authentication, a virtual private network (VPN), and a password manager
- A mock scenario demonstrating how to spot common security threats, such as a phishing attack, and how to respond
- A rundown of the people within the company they can go to when they suspect a potential security issue (e.g. your IT manager or security manager)
- A quiz to test out their knowledge after the training session
The goal of your ongoing security education should be a curriculum that teaches employees about common security threats and keeps security top of mind through regular training and awareness. Free and paid-for tools and services are available that can be a great help in educating users. Training can be delivered through brown bag lunches and interactive demonstrations, and reinforced by regularly testing employees on best practices, for example with simulated phishing emails.
Some training materials to equip your team with include:
- Role-based guidelines (e.g., what each team needs to know about security)
- A library of content they can reference (e.g. a Wiki) for various security scenarios, such as phishing detection, using a VPN, or managing passwords
- A special chat channel (e.g., #security on Slack or a dedicated and monitored email address) for employees to report suspected security issues and ask questions
Top Process Recommendation: Develop an Incident Response Plan
A cybersecurity incident response plan builds on your overall security program by putting in place the response tactics and tools needed so that when an attack does happen, you have the people, processes and technology ready to respond effectively. In the event of an attack, time is of the essence: being able to respond quickly both to the attack itself and to the people affected is key to limiting the damage, the cost and the harm to your company's reputation.
Your cybersecurity incident response plan should include these main components:
- An IT security business continuity plan that describes how you will access and restore data and systems after a breach
- A communications plan that describes how and when you will notify employees, customers, suppliers and regulators in the event of a breach
- Cyber risk insurance and liability language in contracts with outsourced service providers
- Employee cybersecurity education
- Procedures for restoring files and systems from backup, including how often restores are tested so you know the backups actually work
- Procedures for detecting an attack, containing it and removing the attacker from your systems
Top Technology Recommendation: Arm Yourself with the Latest Tools
Better manage passwords: A password manager makes using long, unique passwords easy and has a number of added benefits. You can sync passwords across your devices, audit them for reuse, and set policies so that everyone follows best practices for password management, including never reusing a password. When using a password manager, we also recommend that you: 1) Choose a strong master password that you can remember. This password is extremely important because it unlocks all of your other credentials. 2) Turn on two-factor authentication for the password manager itself. 3) Configure the password manager's generator to produce long passwords or passphrases.
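The reuse audit mentioned above is easy to reproduce outside of the manager's own UI, which is useful when you want to check a whole team's exports against one policy. The following is an added example, not part of the original article or of Strongarm's tooling. It parses a constructed vault export in the common "site,username,password" CSV layout (the entries are invented, not real credentials), flags passwords shared across sites, passwords shorter than an assumed 14-character policy, and passwords equal to the username, and reports sites rather than the secrets themselves so the report can be shared safely.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export for this example. The sites and passwords are
# invented; they are not real credentials.
SAMPLE_EXPORT = """site,username,password
erp.example.com,jdoe,Summer2019!
vpn.example.com,jdoe,Summer2019!
mail.example.com,jdoe,correct horse battery staple and more
supplier-portal.example.net,jdoe,jdoe
bank.example.org,jdoe,Tr0ub4dor&3
"""

MIN_LENGTH = 14  # policy threshold assumed for this example


def audit_vault(export_text, min_length=MIN_LENGTH):
    """Audit a password-manager CSV export against a simple password policy.

    Returns a report that names the offending sites but never repeats the
    passwords, so the output can be handed to the account owners or to
    management without leaking the secrets it was checking.
    """
    rows = list(csv.DictReader(io.StringIO(export_text)))

    # Group sites by the exact password they use; any group with more than
    # one site is a reuse finding.
    sites_by_password = defaultdict(list)
    for row in rows:
        sites_by_password[row["password"]].append(row["site"])
    reused = sorted(
        sorted(sites) for sites in sites_by_password.values() if len(sites) > 1
    )

    too_short = sorted(
        row["site"] for row in rows if len(row["password"]) < min_length
    )
    equals_username = sorted(
        row["site"] for row in rows
        if row["password"].lower() == row["username"].lower()
    )

    return {
        "entries": len(rows),
        "reused": reused,            # list of site groups sharing one password
        "too_short": too_short,      # sites whose password is below the policy length
        "equals_username": equals_username,
    }


if __name__ == "__main__":
    report = audit_vault(SAMPLE_EXPORT)
    print(f"Checked {report['entries']} entries")
    for group in report["reused"]:
        print("Password reused across:", ", ".join(group))
    for site in report["too_short"]:
        print(f"Below {MIN_LENGTH} characters:", site)
    for site in report["equals_username"]:
        print("Password equals username:", site)
```

Run it against a real export only on a machine you trust, and delete the export afterwards; the plaintext file is exactly the kind of artifact an attacker hopes to find.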
Turn on two-factor authentication: This is an extra security measure that requires a second proof of identity, besides the password, to log in. Typically the user enters a one-time code that is delivered by SMS or generated by an authenticator app on their phone. A stolen password on its own is then not enough to get in. Cloud-based services like Google's G Suite and Microsoft's Office 365 support two-factor authentication that is simple to put in place; you just need to make sure you enforce it for all of your employees rather than leaving it optional.
Two-factor authentication helps with both proximity attacks and phishing attacks because it gives users an added layer of protection against attackers who have managed to steal their credentials. We find that the majority of phishing victims are reusing the same weak password on multiple sites and have no additional authentication method. One caveat: a code sent by SMS or typed from an app can still be relayed by a phishing page in real time while it is valid, so where a service supports hardware security keys, prefer them, since they bind the login to the genuine site.
Invest in anti-malware protection: Antivirus and firewalls are the backbone of any technical security program, but they shouldn't be your only defense. Most antivirus products and firewalls aren't built to identify the latest attacks, let alone capture or eradicate the threat once it is inside. The right anti-malware protection can help defend against attacks delivered via the web and email, block outbound connections from inside your organization so that an attacker cannot complete the attack, and even offer user education on demand.
A mix of employee education and preparedness, proper and effective procedures, and modern technologies are required to protect your organization against today’s threats and ensure your security posture is as locked down as it should be.
Todd O’Boyle is the CTO and co-founder of Strongarm.