Manufacturing and Distribution IT Security and Control Considerations in the Wake of COVID-19

Early on in the pandemic, as offices cleared out and employees began working remotely, IT departments deployed tens, hundreds or even thousands of new worksites, often in a matter of days. New technology equipment and software were purchased and deployed as quickly as possible. Microsoft Teams, Slack, Zoom and company-provisioned cloud storage were among the most popular new tools “spun up” to meet the immediate needs of employees and clients.

As time has gone on, the number of individuals with access to sensitive systems and data has increased at many organizations. The volume of digital communications has increased. Because we are much more geographically dispersed than we were before the pandemic (i.e. working remotely), we have had to find new ways to continue operating with as little disruption as possible. Many organizations continue to focus on “getting the job done,” but they also need to be sure to adhere to the appropriate security protocols, and revise them as necessary.

The coronavirus came; where did your data go?

In the manufacturing and distribution industry, companies regularly communicate sensitive information internally as well as to or from vendors and customers. The recent introduction of new and different tools increases the potential for security exposure or breaches.

During the first few months of the pandemic, the mantra was to get the job done quickly with as few disruptions as possible. IT controls and security were not at the top of most priority lists. IT departments were too busy putting out fires to ask questions like: “Who are the administrators?” “Are our organization’s data governance and protection solutions being applied to these new tools?” and “Are the new tools federated/shared with customers, partners or other parties?”

The move to remote work has opened the door to new IT security risks. The walls of the organization have expanded as many companies have added their employees’ personal devices to the organization’s network. Company protocols for assessment of personal devices may have been relaxed to speed up the process of getting employees working remotely. Meanwhile, employees got things done using Google Drive, OneDrive, Dropbox and other free programs that may not previously have been in the company toolbox.

What can manufacturing and distribution organizations do now to improve data security in this new environment?

As time has gone by and organizations have adapted to the changes, many are now taking stock of their remote operations with security and controls in mind. What is the impact on an organization’s data security? It depends. Every organization may find that its data has dispersed in different ways. Here are some examples:

Disclosure of sensitive information. Within manufacturing and distribution, there’s a great deal of communication, not only internally but also with third parties, about sensitive information such as product design specifications, banking, personal, and shipping and receiving information. Organizations should consider whether sensitive files are now being stored in new locations or communicated through new media. Is it possible for confidential information to be printed in home offices? Is information being communicated in a safe and secure manner using reputable tools? It is important to protect not only your organization’s finances but also its relationships with suppliers and other key parties.

Recording of sensitive conversations. The number and frequency of web-based meetings have skyrocketed, and security controls may not have kept pace. Do you know who recorded which web meetings and where those recordings are stored?

Safety of what’s on screen. With the movement to remote work, many employees began using various devices to join video services from new and different physical locations. As they focused on making sure the technology, devices and services worked, many were not focused on background or ambient visuals. In some observed cases, passwords and other sensitive information could be seen in what was thought to be a private setting. Are your web conferencing users aware of what’s visible across their web cameras?

The first step is to find out the answers to these questions:

  • Where are your devices going/connecting? Can you look at their DNS (web address) connections?
  • Who did we just partner with? Did we just perform a large SSO / CASB integration?
  • What did we open up? Did we just allow more through our firewall?
  • What and where is the sensitive information for our organization? 
  • What processes and transactions are considered sensitive and how are they occurring now (e.g. product design specifications, document transfers, banking, shipping and receiving processes)?
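One way to start on the first question, as an added example that is not part of the original article: summarize a DNS resolver log to see which devices are reaching cloud storage services the organization has not approved. The log format, device names and the sanctioned list are assumptions made for illustration; the domains are the public ones for the services named earlier.

```python
from collections import defaultdict

# Assumption: the services this organization has approved. Everything else in
# WATCHED is treated as unsanctioned for the purposes of this example.
SANCTIONED = {"OneDrive"}

# Well-known public domains for the storage services the article names.
WATCHED = {
    "dropbox.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "onedrive.live.com": "OneDrive",
}

# Constructed sample resolver log: "<timestamp> <client> <queried name>".
SAMPLE_LOG = """\
2020-06-01T09:00:01Z laptop-014 www.dropbox.com
2020-06-01T09:00:04Z laptop-014 teams.microsoft.com
2020-06-01T09:02:10Z laptop-022 drive.google.com
2020-06-01T09:02:11Z laptop-022 onedrive.live.com
2020-06-01T09:05:30Z laptop-014 notdropbox.com
2020-06-01T09:06:00Z laptop-031 DRIVE.GOOGLE.COM.
malformed line
"""

def classify(qname):
    """Return the watched service a query name belongs to, or None."""
    name = qname.lower().rstrip(".")
    for domain, service in WATCHED.items():
        # Match the domain itself or a subdomain, never a lookalike suffix.
        if name == domain or name.endswith("." + domain):
            return service
    return None

def unsanctioned_use(log_text):
    """Map each unsanctioned service to the sorted clients that queried it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not fit the assumed format
        _, client, qname = parts
        service = classify(qname)
        if service and service not in SANCTIONED:
            hits[service].add(client)
    return {svc: sorted(clients) for svc, clients in hits.items()}

if __name__ == "__main__":
    for svc, clients in sorted(unsanctioned_use(SAMPLE_LOG).items()):
        print(f"{svc}: {', '.join(clients)}")
```
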

Once these questions are answered, you’ll have a better understanding of where you spent money and whether and where your organization may have entered into any long-term commitments. With that in mind, you can take the next step: separating the short-term solutions from the long-term commitments you want to retain.

For those quick-fix solutions you don’t plan to retain, you will need to consider how you will store the data in workplace archives or another location.

You may find that some solutions that were considered to be temporary actually work well and should be kept for the long term. For example, many organizations expect to continue holding some or even all meetings and conferences on Zoom or other platforms to reduce travel costs. In those cases, determine how these changes will be integrated into overall operations and whether additional licenses, software or other equipment will be needed.

As with many effects of the pandemic, this is a good time to evaluate and perhaps rethink your IT operations to incorporate some of the beneficial changes and adapt to the “new workplace.” Many organizations will need to initiate a process to evaluate the effectiveness and scalability of IT systems and services to meet the sudden increase in remote workers during the 2020 pandemic and beyond.

As part of this process, it will be prudent to update governance policies and procedures, modify internal controls, and conduct a deeper assessment of recently added solution providers. This may include an audit of new licenses that may have been added or may need to be added following recent changes in operations.

As your organization reassesses and makes updates, additional security training for employees will need to be deployed. The ever-important need for security awareness training cannot be overstated during this time. Targeted security training on real and perceived threats and how to treat various types of events, handling of vendor information, sharing of sensitive information within the supply chain and general best security practices is more important than ever.

At this time, the future of remote work is uncertain. But one thing you can be certain about: cybersecurity will continue to be a growing concern as organizations adapt to the changes ahead. For assistance in evaluating your organization’s data security, contact us. We are here to help.

© 2020

 

Jody Allred

Partner-in-Charge, Large Market Manufacturing and Distribution Services


Jody Allred, CPA, CISA, CGMA, has more than 18 years of experience in public accounting, a deep background in both…
