By MEP National Network Partner Andy Nichols, Michigan Manufacturing Technology Center
A few weeks ago, we posted a blog dissecting the various requirements of ISO 9001:2015 related to the “control of documented information” and addressed how cyberattacks can affect customers, management, employees and even regulatory compliance. Now that the value of information security has been established, we’ll discuss how to incorporate safe cybersecurity practices to further support your organization’s controls of documented information.
Following the Cybersecurity Framework established by the National Institution of Standards & Technology (NIST), there are five main steps to understanding and managing cyber risks:
1. Identify the information that must be secured.
This includes intellectual property owned by both the organization and its customers, such as math data files, drawings, product and process specifications, as well as business development, personnel and financial data. Broken down further, this step requires organizations to:
- Inventory the information along with where it resides, whether it is on hardware such as desktop computers, servers, mobile devices and portable data storage devices, or software. Consider where and how all information is accessible, especially with the recent increase in remote working (and associated increase in cyber risk).
- Account for all threats and vulnerabilities to the information. Common threats include ransomware, where data is held “hostage” for a price, phishing emails, which use seemingly benign emails to steal information, or other attacks such as malware, viruses/worms, etc. Vulnerabilities are weaknesses in assets which may be exploited. An example might be allowing employees to use USB drives to access work documents from multiple computers, providing an open door to viruses.
- Perform a risk assessment. If the organization allows email access to many employees, for example, then phishing/spear-phishing attacks become a higher risk. The PC that still runs on Windows XP may be vulnerable to exploitation because that operating system is no longer supported by Microsoft.
2. Protect the identified information.
The most common contributor to a successful data breach is human error. The recent move towards working from home has opened Pandora’s Box, with a significant increase in breaches due to ineffective security at remote locations.
To better protect against such breaches, companies need to establish and enforce safe cybersecurity protocols among all workers – whether they’re in the facility or remote – by regularly changing user credentials (especially passwords) or using multi-factor authentication or finger/face scanning for logging in.
Polaris MEP offers cybersecurity training for manufacturing employees that can be conducted on-site at your Rhode Island facility or virtually. Ensuring that workers have a true understanding of risks and risk effects increases compliance with cybersecurity protocols.
Organizations also must determine if they have the policies and procedures in place, and the technical resources available, to ensure applications and operating systems are kept up to date. If the organization has an internal server and the drive is partitioned, each may be set up with different permissions to write, read and delete files for stronger protection.
3. Detect breaches or attacks.
MS Windows Defender or Microsoft Azure provide ways to detect so-called anomalies in the data exchanged between your organization and the outside world. While it may not be possible to prevent a cyberattack, being aware of the threats as they occur can assist in building better defenses in the future. Keeping employees aware of the latest spear-phishing attacks is critical.
4. Respond to threats accordingly.
How and when a company responds to a data breach is crucial to the well-being of the organization. For example, careful consideration should be given to your response to a ransom attack. In some jurisdictions, paying a ransom (in cryptocurrency) can be a criminal offense in itself.
Communicate with law enforcement/regulatory authorities, employees, suppliers and customers to ensure the situation is resolved swiftly and without causing further harm.
5. Recover from the attack.
If a breach does occur, making these preparations ahead of time can pay off in a big way – in both time and money.
Having access to a backup of all affected data can help significantly. Saving duplicates of robust and timely information could eliminate the need to respond to a ransom demand. Shutting down your system, cleaning the affected threat and then backing up your data with minimal loss of availability can be achieved with the right approach and a strong recovery plan.
For many small to medium-sized manufacturing companies, it may be beneficial – and optimal – to engage the services of a Data Security Specialist to manage these aspects. Polaris MEP can help.
Andy Nichols, CQP MCQI, brings 40 years of expertise in a wide variety of roles and industries, with a particular focus on quality management systems in manufacturing organizations. Prior to joining Polaris MEP’s “sister” center, the Michigan Manufacturing Technology Center, he was the East Coast Regional Sales Manager for NQA, a “Top 5” Global Certification Body. He has authored two books, “Exploding the Myths Surrounding ISO 9000 – A Practical Implementation Guide” and “A Guide to Effective Internal Management Systems Audits.”
This post was originally published by the Michigan Manufacturing Technology Center: https://www.the-center.org/Blog/November-2020-(1)/ISO-9001-%E2%80%93-A-Key-to-Cybersecurity-(Part-2).