How to manage IP security challenges in the manufacturing industry

In a world of increasing cyber-risk are you confident your EMS partner has all the right information security measures in place to protect your IP?

Why is information security so important in the manufacturing sector

Traditionally, manufacturing companies have been leaky vessels. IP theft and loss has been endemic in the industry.  In fact, research by Make UK found that half of all manufacturing companies had been victims of cybercrime. And with the extraordinary commercial value of the data they handle, it’s easy to see why.  

Covid 19 saw a spate of attempted, state-sponsored hacks and thefts of vaccine IP from manufacturers working on behalf of drug designers. Meanwhile, PCBA designers have known for years the devastating potential for IP theft in their multi-million dollar industry:

“Formulas, source code, and other IP can be prime theft targets in chip development. Design information in CAD files can be harder to protect than structured data. Implementing best practices, including encrypted transmission uploading and rigorous user authentication, is critical.” Rich Baker at Protolabs

Where’s the leak?

But while many data breaches occur following deliberate hacks, research from Kroll shows over 50% of all IP leaks originate from employees, contractors and third-party suppliers. 

Given the state of information security in most manufacturing businesses, that should come as no surprise.

In May 2019 an employee of a US aviation firm downloaded 18,000 confidential design files onto a single USB stick, handed in his resignation, and walked calmly out of his office. Two years later he received a $250K fine and a 20-month prison sentence for attempting to sell information to a rival firm and lying to the FBI. Is your team and supplier network protected from cyber theft?

 

For modern OEMs there has always been an increased opportunity for both accidental and intentional breaches of confidential data because of their complex, global web of external dependencies.  Their use of different consultants, third-party contractors, ODMs and EMS makes policing every contact and business a big challenge.

This risk is increased by the sheer number of ways in which information is now transferred between organisations. With individuals using everything from email and Slack, to WeTransfer, DropBox, Google Docs, and OneDrive - the truth is, the chain is only as strong as its weakest link. 

Not only this but there are a whole load of physical and environmental security risks that can be overlooked by businesses with lots of employees spread out across sprawling, global campuses.

Unless a business has a defined set of data security processes and procedures that everyone always observes, sooner or later some kind of breach is bound to occur.

How confident are you that your EMS is 'data secure'?

Some questions for you:

• As you share sensitive information back and forth with your EMS are they encouraging you to do so via encrypted methods?  
• Email can be a highly risky transfer method for the most sensitive data you possess. Has your EMS partner got a dedicated and secure document management system? Or can they give you secure access to their servers for transfer and collaboration?
• Is your data safe when it reaches your EMS partner?  What document control processes do they follow - how defined is their training around data protection, password protocol, file transfer and handling of hardware and paperwork?
• What anti-hacking software have they got in place? Are they aware of potential vulnerabilities and weaknesses? Do they conduct regular pen-testing of their systems?
• And what about the daily routines for physical security of premises and paperwork? Do you know how they enact data protection with access to buildings, physical filing systems and the like?

As manufacturing is a massive, global ecosystem, supplier relationships are often dealt with remotely. Completing due diligence under these conditions can be a complex process. If you are dealing with a long-distance partnership, what information are you relying on to vet your suppliers? Are you weighting cyber and physical data security appropriately when you choose a partner?

With all this in mind, OEMs are strongly advised to look for EMS partners who have gained the ISO 27001 standard, to give you the confidence they can control data and properly protect the IP you are sharing with them.

What is the ISO 27001: 2013 standard?

ISO 27001:2013  is the international standard for Information Security Management Systems (ISMS). The standard defines a risk-based approach to data security, requiring organisations to identify breach risks within their company and adopt appropriate controls across their business to tackle them.

Why EMS need ISO 27001:2013

ISO 27001 builds a shared culture of data security across an organisation to help protect IP against malicious and accidental loss. It gives you the process and procedures to:

1. Identify stakeholders in the company responsible for information security
2. Identify and categorise the risks to the data held by the company
3. Define the controls, process and procedures required to handle risks
4. Set clear objectives for information security
5. Implement all the controls and other risk treatment methods
6. Continuously measure if the implemented controls perform as expected
7. Make continuous improvement to improve security

If your EMS has ISO 27001:2013, then they have the tools to: 

• Control the risk of security breaches
• Create a culture of security awareness
• Prevent unnecessary system downtime
• Eliminate security loopholes
• Reduce the risk of cyber attacks
• Reduce human error in their data handling

ISO 27001 is a holistic approach to information security

It’s important to remember that it’s not just cyber threats that can endanger your data, but lapses in perimeter security, equipment security, access control, documentation storage and WFH policy. With EMS companies spread out in multiple locations across the world it may be impossible to all visit the premises where your product will be designed and manufactured, so you need external verification that processes and procedures are followed at all times. ISO 27001 is your independent guarantee that an overarching ISMS exists and is in force across an entire organisation.

Conclusion

OEMs often require their manufacturing partners to have gained ISO 9001, ISO 13485 and a host of other standards. But still, they forget about ISO 27001:2013. As the nature and sophistication of cyber threats and IP theft evolve, businesses need to be confident of the information security of all links in the supply chain. The more fragmented the chain, the greater the risk of gaps emerging. Demanding ISO 27001 certification from all your suppliers will help you seal the joins and protect your IP.