This post was originally featured on the Manufacturing Innovation Blog and was authored by Pat Toth
It’s important for everyone — manufacturers and others — to recognize the threat of cyber attacks and how to prevent them. The vulnerabilities exploited by cybercriminals can shut down your operations, requiring your company to spend thousands of dollars on enhancing security measures and reassuring customers you’re still trustworthy.
One of the challenges manufacturers often face regarding cyber threats is that they’re not sure how vulnerable they really are. Have you ever thought about how you can assess your company’s vulnerability level? Wouldn’t it be great to be able to better understand where your company lands in meeting its cybersecurity needs?
Fortunately, it’s easier than you may think. You can get started by using the MEP National Network™ Cybersecurity Assessment Tool to self-assess the level of cyber risk to your business.
A Walkthrough of the Cybersecurity Assessment Tool
As you may know, the National Institute of Standards and Technology (NIST) released the five-part Cybersecurity Framework, which has become the standard for cybersecurity in manufacturing and many other industries. MEP’s self-assessment tool is based on the Framework and follows its five categories in order: Identify, Protect, Detect, Respond, and Recover.
Identify
After you’ve provided some basic information about your company, including the state in which it is located, you can begin to use the assessment tool. Keep in mind that NIST and the MEP National Network do not retain any information about your company other than its location. Your score for each step of the Framework will not be recorded, so you may want to note your score yourself in order to track your progress when you use the tool again for a re-assessment.
The first part of the self-assessment tool relates to the existing structures and practices that help identify cyber threats to your company.
Topics covered in this section include:
- Whether you’ve identified the confidential data your company holds and which devices contain it
- Employee phishing training and their access to sensitive data
- Whether the devices that store sensitive information are up to date and do not include nonessential business applications
- Your understanding of the legal and regulatory requirements your company must follow regarding cybersecurity
- Organizational risk tolerance determination and expression
- Whether you share and receive information about threats and vulnerabilities from internal and external sources
- How your company manages passwords
- The strength and complexity of the passwords you use
- How often your company changes passwords
The answer choices are straightforward; most require only a “yes,” a “no” or a short answer.
Protect
Next, the tool goes into the Protect category of the NIST Cybersecurity Framework and discusses system protection. Be prepared to give answers about matters such as:
- Automatic timeouts
- Firewalls
- Data retention and destruction policies
- How often employees receive cybersecurity training
- Whether workers can access company data remotely
- Access management for physical assets
- Data encryption
- Disaster recovery policies
- Physical asset management and protection
- Whether your human resources department assists with cybersecurity practices by doing things like locking a person’s account when they leave the company
Detect
The Detect category of the NIST Cybersecurity Framework assesses how well equipped you are to detect malicious activity on your systems. You’ll answer questions related to matters like:
- Anti-virus and anti-malware protection installed on devices
- The frequency of malware checks
- How your business monitors for cybersecurity events
- Whether you track network security events and correlate them with log files
Respond
The Respond portion of the Framework checks to see how well your business is prepared to take action after detecting a cybersecurity threat or incident. The questions cover topics such as:
- Whether parties in your organization have assigned roles and responsibilities and know how to carry them out when needed
- Details about the response plan your company has in place to use after an incident
- Whether you’ve made changes after past cybersecurity issues to stop problems from happening again
- Whether there is a person or group assigned to keep cybersecurity events under control and discover when and where they occurred
- Whether your business has a plan in place to notify customers about compromised sensitive information
Recover
The Recover category deals with the practices you have in place to help your business recover after a cybersecurity incident. The section covers:
- How often you back up your data
- Whether you have contact details for parties that could help with the recovery process as needed — such as law enforcement personnel, internet service providers, public relations agencies and lawyers who specialize in cybercrime
- Whether your recovery plan has actions you and your employees will take to restore normalcy after a cybersecurity event
- Whether there is someone at the organization responsible for managing the recovery
- Whether your recovery strategies incorporate lessons learned and get updated as your technologies or plans change
- Whether you have insurance coverage associated with cybersecurity
After you finish the questions in the Recover section, the tool shares a few recommended resources before it generates your score.
If you have questions about cybersecurity, reach out to Shane at OMEP for guidance.