by Deron Kling
Information is often a company’s most significant and most sensitive asset. Protecting it, along with the integrity and availability of information systems, should be among an organization’s top priorities.
Yet for many manufacturers, managing such security risks may not garner the same attention and resources as does, say, promoting safety or quality.
One reason may be that manufacturers haven’t faced the same IT regulatory requirements and scrutiny the financial and health care industries have been subjected to. Without specific mandates and timelines, manufacturers understandably focus their energies on those issues that directly affect productivity and quality.
And yet productivity, quality, and every other operational objective on the list are precisely the reasons why IT risk management must become a dynamic part of manufacturers’ key responsibilities. Ignore it, and overall operations are placed in jeopardy.
Info is everywhere . . . and so are threats
From phishing and fraud to spam and malicious viruses, attacks both internal and external have become increasingly commonplace. Some manufacturers mistakenly perceive IT security to be a contained effort—an isolated activity designed to safeguard customer information housed in front-office computers.
The truth is that an entire manufacturing environment relies on information, making the whole organization vulnerable to risks. And those risks have far-reaching consequences.
IT security must go well beyond ID theft to include the protection of all valuable data, including CAD drawings, patents, and other proprietary information a company would not want in the hands of hackers or lost because of human error.
Adequate security also requires controls, processes, management, and training to protect the systems and networks that keep all operations running. Wireless networks, for instance, are now prevalent throughout the manufacturing environment, used to manage materials, track items, and control inventory. Unless adequately secured at implementation and continuously protected, a wireless network opens up opportunities for attack.
Likewise, production equipment and machines that were previously isolated are today commonly integrated with ERP systems. Now if systems go down because of a security breach, production will go down with them. What manufacturer can afford the production downtime before systems can be restored?
Take the lead
Sound risk management must encompass the breadth of a manufacturer’s IT capabilities, as well as all physical and operational touch points. An organization should identify risks, form a strategy to manage those risks, implement that strategy, test the implementation, and continually monitor the environment to control future threats.
To avoid the most common security pitfalls, start with these two fundamental tactics, followed by six essential strategies for an effective security management process:
Two fundamentals
- Involve employees in security awareness and incident prevention. Ongoing communication and training are the keys to success. Develop written policies, to be signed by employees, that cover a range of security issues, from acceptable Internet use and proper password protection to onsite security measures. Policies should also include instructions on how to report incidents or suspicious activities. Use safety meetings to reinforce key security messages.
- Develop and enforce facility security measures. Ensure that data centers and records storage areas remain secured. Always require employee, vendor, and visitor badges. Use a consistent communication approach for client and customer identification, whether visiting on-site, telephoning, or e-mailing.
Six essential strategies
- Assign organizational responsibility for security.
- Perform an information risk assessment.
- Ensure network security by conducting vulnerability assessments and implementing firewalls and intrusion detection where appropriate.
- Develop and test a disaster recovery plan that includes backup and restoration; review and update it annually.
- Develop an incident-response plan.
- Conduct routine security awareness training and provide staff updates.
Why risk it?
The foundation of any strong IT risk management effort is a formalized security program. By implementing an ongoing commitment, manufacturers will be well positioned to protect their information, their operations, and their future success.
About the author
Deron Kling is a manager within the IT consulting practice at Wipfli. He has over ten years of management experience with information technology management, executive leadership, business process improvement, and global project implementations for manufacturers. To learn more about IT security for your company, please contact Deron at dkling@wipfli.com.