5/10/2019
BY: JEFF WILLIAMS
With the Fourth Industrial Revolution upon us, integrating systems into business operations has never been easier. At the same time, introduction of these technologies into our businesses means the risks we face have never been higher.
Looking at the news, we are constantly bombarded with reports of new threats to information. In fact, recent studies predict that more than $6 trillion worth of intellectual property will be lost due to cybercriminal activity by 2021. Despite this, 44% of companies lack even a basic information security strategy.
While creating and maintaining a completely secure environment for information is a virtual impossibility, one thing all organizations can do to protect themselves is implement a Risk Management System. Realizing the importance of this, the National Institute of Standards and Technology (NIST) released two proven frameworks to assist in risk management efforts among manufacturers: the “Risk Management Framework” and the “Cybersecurity Framework.” As outlined in each of these frameworks, risk management is broken down into manageable concepts and steps:
- Prepare - Before any system can be implemented successfully, organizations must first understand what is involved and prepare for it. Key individuals responsible for each part of the system must be identified. Clear goals and objectives should be established, along with identifying and quantifying exactly which information needs protection.
- Categorize – Every organization has multiple types of information to protect, and each type has its own associated risks. By categorizing information according to the threats it faces, a clearer picture of what needs to be prioritized will emerge.
- Select/Implement/Assess/Authorize – While these technically are separate steps, they go hand in hand during the implementation process. By selecting predefined, industry-proven control sets, or ways of protecting data, companies can be sure they are considering all aspects of security. Many times, an organization is required by contract or federal regulation to use a given control set. But, even if not required, baseline sets can be utilized. Implementing these controls ensures all aspects of information, from inception to destruction, are protected to the fullest degree. Assessing the implementation helps to validate that security measures are adequate without over-burdening employees and compromising needed processes. When adjustments are necessary, it is critical that designated individuals are authorized to approve these changes and verify they align with established goals.
- Monitor – Once information in need of protection has been identified and controls have been implemented and assessed, it is critical to monitor regularly. Business plans change, new threats may be identified or an issue not originally considered could arise; the Risk Management Plan will have to be updated to account for these changes.
It is important to note that while protecting information is the primary objective of a Risk Management System, organizational goals also must be taken into consideration. If the implemented controls and methods go against the company’s objective, or result in a decrease in reliability and quality of the information we are trying to protect, it is not successful. To overcome this, a tiered approach of consideration is needed during the Prepare stage of implementation:
- First and foremost, the organizational goals and responsibilities are paramount and need to be clearly established.
- Second, processes involved with the protected information must be considered. Objectives outlined for these should be in alignment with organizational goals.
- Finally, the information systems need to be considered. Many times, organizations feel that Risk Management is solely the responsibility of the IS/IT department. While protecting information at this level is critical, systems and policies implemented need to enhance what is outlined by the organization and business processes, rather than conflicting with them or over-burdening them.
Relatedly, one area that often is forgotten when implementing a Risk Management System is training and education. Employees within an organization must know what kind of security policies and procedures have been outlined, or else they will never be able to follow them. For example, if a policy specifies what type of information can be sent via email, but employees are not made aware of this policy, how can they know what is acceptable to send through email? Additionally, employees are often the primary target for various threats to information. Educating and reminding employees about these threats can drastically reduce the chance of attacks being carried out.
Risk management does not need to be overly complicated. However, failure to develop even a basic information security strategy could be detrimental, or fatal, for your company. By starting small with these critical risk management steps, your business will be set up for success in the technology-dependent landscape of tomorrow.
To learn more about how to protect your information, call 888.414.6682 or contact cyber@the-center.org.
MEET OUR EXPERT
Jeff Williams, Program Manager, Cybersecurity
Jeff Williams is a Program Manager for The Center’s cybersecurity team, leading our efforts to educate and equip small and medium-sized manufacturers to guard against the growing threat of cyber-attacks. One of his main areas of focus relates to the cybersecurity requirements outlined in NIST Special Publication 800-171, designed to protect the information security systems of contractors working with the Department of Defense.
Since 1991, the Michigan Manufacturing Technology Center has assisted Michigan’s small and medium-sized businesses to successfully compete and grow. Through personalized services designed to meet the needs of clients, we develop more effective business leaders, drive product and process innovation, promote company-wide operational excellence and foster creative strategies for business growth and greater profitability. Find us at www.the-center.org.