ISO 27001 and the Manufacturing and Service Industry

Ransomware attack-1

If you wait until this message greets you at work, or a Notebook PC is stolen from a company vehicle, or staff members are working on their own PCs from home, then it will be too late.  It's not a question of whether your business will be targeted. You're already a target but have been lucky to date.

 


Table of Contents


 

Is having an ISO 9001 Certified Quality Management System Enough?  

Many companies say, "We already have ISO 9001. Isn't that enough to keep our customers happy?"

If this is what you think, I respectfully suggest you get the blinkers off and protect your business before it is destroyed

It’s obvious that companies or organizations like banks or other financial institutions need information security both to protect themselves from fraudulent transactions and to protect customers' confidential details and bank card data. It’s not so obvious that in the manufacturing and service industry, information security also matters - really matters!

In this post, we’ll consider two main topics…

  1. Information Security for the Manufacturing and Service Industry, and
  2. Information Security in the Supply Chain

Information Security for the Manufacturing and Service Industry

Path to ISO 27001 Certification

 

When does a Manufacturer or Service Provider Need ISO 27001?

If you are a manufacturer or service provider and you're wondering whether your company needs ISO 27001 or not, consider these 6 questions:

1. Are you using confidential information supplied by your customers?

Think for a moment about the information supplied by your customers and how useful that information might be to a competitor of theirs.  Some examples of confidential information from customers that you would want to protect include:

  • Prototype information for a new product
  • Listings of their customers (to facilitate direct shipment)
  • Supply contract details
  • Process Validation Reports identifying optimum conditions for operating new/confidential technology
  • Information on new technologies/processes/products.
  • Formulations and test methods
  • And so on.

How difficult would it be for a determined person to lay their hands on that information?

And the point is: it’s not only your information, but also that of your customers and suppliers, that may be vulnerable to a cyberattack. While your information may not be of great interest or value, the same may not be true of your customers/suppliers.

2. Is your computer system in constant or regular contact with those of your customers and/or suppliers?

Many organisations have access to customer's systems in order. For example, they may need it to effectively manage sales order processing and to facilitate timely deliveries.  

Ask yourself, is that data protected?  

Similarly, your own system may be connected periodically or continuously with your suppliers, And a stream of emails counts here.

What information security controls are in place to protect all the data concerned?  Once a hacker has broken into your server, it may be easy to proceed to download or monitor the servers of your customers/suppliers.

3. Do you provide a service requiring access to customer’s personal details?

If you are selling directly to the public, you organisation is likely to have much personal information, including banking data and credit/debit card details.

This kind of information is not only subject to abuse in order to steal from bank accounts, but also used to set up false identities, get false passports, set up bogus bank accounts and other abuses for purposes of money laundering, tax evasion and even facilitating terrorism.

How do you prevent the leaking of these data?

4. Do you have control over the devices being brought to your site or of the information being downloaded by those with legitimate access?

Of necessity, you and your colleagues likely have access to your organisation's confidential data.  That access will be through a variety of devices - conventional work stations, laptop PCs, tablets and hand-held devices, smart phones, etc. 

These days, staff members using their own PCs from home is common. Much of the data will be on the devices themselves.  

Are there policies and procedures in place to reduce the risk of a security breach? And what about flash drives?  Are they banned? Have USB drives on all your computer equipment been disabled?

And then there are delivery vehicles.

What handheld or in-cabin devices are in use and what security is in place for them?  If someone stole a device from a vehicle, how difficult would it be to access the information on the device or, via the device, to access your servers?

What about the laptops and other devices brought on site by visitors?

5. What controls do you have in place to prevent those sitting outside your premises from downloading your confidential data?

Handheld devices used, for example, for stock control in warehouses depend on Wi-Fi.  Is your IT security for Wi-Fi robust enough to prevent a hacker sitting in their car outside your premises from breaking into your system?

6. What controls do you have around your premises, or indeed within the premises to prevent prying eyes from seeing something to your disadvantage?

Could a stranger look into your premises using, say, a telephoto lens and see something they shouldn't?

Could they walk onto the premises through an open gate or over a low fence or through a damaged fence?  When was the last time you checked the security of the perimeter of your premises?

Do you have access control within your buildings to restrict access to places where highly confidential activity takes place?

 

Get a free copy of our ISO 27001 Gap Analysis

 

Risks Posed by Security Breaches and Data Theft

But of course, this is all theoretical, isn’t it?

No way!  

The Symantec Internet Security Report (Feb 2019) stated that 1 in 10 URLs is malicious,

Supply Chain attacks are up 78% year-on-year, 48% of malicious emails are Office files. Spear-Phishing attacks (via e-mail attachments) were mainly targeted at the Manufacturing industry (20.6%) and Service industry (11.7%) and ahead of Finance, Insurance and Real Estate organisations (11.6% combined).

Numbers for 2020 regarding data breaches worldwide include:

  • January 2020: The Berlin car rental Buchbinder was breached when customer data were made accessible on the Internet.  The approximately five million files with extensive company correspondence included scanned invoices, contracts, e-mails and damage images from cars. The rental contracts included names, addresses, dates of birth and driver's license information.
  • Apr 2020: More than 500,000 Zoom accounts were on offer on hacker forums hosted on the dark web. Some are going for less than a US cent apiece while others are given away for free.

  • May 2020: The details of 44 million Pakistani mobile subscribers have leaked online this monthThe leak comes after a hacker tried to sell a package containing 115 million Pakistani mobile user records last month for a price of $2.1 million in bitcoin.


Note: For information on the latest and largest data breaches worldwide, visit.information beautiful.net

Companies Especially Vulnerable to Security Breaches and Data Theft

Some companies think that just because they are relatively small, no one would probably be interested in launching a cyber attack against them. If you are one of them, you are treading dangerous waters.

If you have been keeping up, there are continuing stories in the media of a multi-storey office block in Beijing, operated by the Chinese Military, whose sole function is electronic industrial espionage.

Reputedly, they target Small and Medium-sized Enterprise (SME) suppliers of the multi-nationals (their actual target) as they expect SMEs to have less secure information security systems in place. 

Theft of technical information rarely gets publicity because of management embarrassment and the lack of a legal obligation to publicise the loss (unlike with personal information).

How to Ensure Information Security

You don’t wait for the attack to occur.

You probably wouldn’t recognise it when it happens, anyway. Chances are, you would only become aware of it after it seriously impacted your business, or your customer’s business, or your supplier’s business.  In any case, when the damage has already been done and, likely, is not reversible.

You need to evaluate the threats your business faces.  And then put in place sufficient controls and precautions to reduce the risk overall to an acceptable level.

Why Having an Information Security Management System (ISMS) is Important

The problem usually with projects tackling amorphous subjects like risk is knowing where to start. This is where ISO 27001:2013 comes in. ISO 27001 sorts this out for you by providing a logical framework to tackle information-related risk.

With an Information Security Management System in place, you’ll be able to sleep easy at night. And so will your customers and suppliers.

You’d never know, but with ISO 27001 Certification in place, they might put more business your way, confident that you’ll protect confidences.

Implementing an Information Security Management System

You will need the help of a good consultant.  Make sure of their expertise and check out their previous work.  

ISO 27001 is not a simple variation of ISO 9001.  It has very different requirements, with lots of mandatory controls required, and there are many subsidiary Standards which may apply. An expert will be well worth the investment.

And remember, just because you're paranoid doesn’t mean they’re not out to get you.

Information Security Application in the Supply ChainWhat is Certified Auditor Training

It's not just in-house that you need to take steps to prevent information loss or compromise.  It's your entire Supply Chain. 

Many of you reading this will be routinely involved in Supplier Audits (and usually against the requirements of ISO 9001).

But does the vulnerability created by your sharing information and other assets get evaluated? Do you consider the damage that misuse of your data could trigger?

Why your Supplier Audits must include Information Security

‘Property belonging to external providers’ is a heading that will be included in all of your supplier evaluations, not least because your organisation, as the external provider, owns that property.  But does consideration go beyond the protection of that property and preservation of its identity and traceability? 

Risk Assessment and Supplier Evaluation

Does the question of the protection of the data and information associated with that property get discussed?

The commercial value of data and the value of intellectual property will vary considerably from case to case.  But there will be situations where loss of data/information, or actions preventing its use, may have severe consequences for your business.  Your preparation for a Supplier Evaluation should include a risk assessment regarding information security.

Here are some points for you to ponder:

  • Intellectual Property:  How do your suppliers protect the drawings and specifications you have provided? Are they always kept under ‘lock and key’ when not in use? Is access to computers storing such information controlled?

  • Commercial information: How is access to contract documents, supplier agreements and other information that could be of use to a competitor protected?  What documented agreements regarding confidentiality are in place?

  • Physical property: Customer-supplied inventory is what we are normally considering here. In addition to preservation and to maintaining identity and traceability, who has access to the storage area? Is it possible for a sample of the material to be taken unnoticed?   

Could prototype products be photographed or be interfered with?  How secure are the buildings?  Is access controlled? How secure is the perimeter of the premises?

  • Information Storage and Security:  How and where is data/information stored?  Whether stored on local servers in the cloud or on a hybrid system, how do your suppliers protect your property?  What documentation and records are there to support their claims?  Who has access to the system? Is it suitably restricted?  Is their password control system credible?  Is it implemented and checked regularly?

  • The Human Factor:  Wittingly or otherwise, the root cause of most security breaches is down to something someone has done.  How do your suppliers ensure that contractual requirements regarding confidentiality and security of information are implemented?  

Are new staff members trained on what to do/not to do as part of induction training?  Is there a tidy desk policy that’s implemented? Is there a B-Y-O-D (bring your own device) policy that’s implemented? Do audits take place regularly to confirm the maintenance of these arrangements?  In talking to staff is their awareness of the importance of information security apparent?

I’ll stop now, hoping that I’ve got you thinking about all the valuable data and product you share with your Suppliers, and of how you’re going to be asking some related, and insightful, questions when next you visit them.

Useful Sources on Cybersecurity

For a comprehensive list of potential information security vulnerabilities, to aid you in constructing a list relevant to your own organization, see ISO 27001:2013, Annex A:  Reference control objects and controls.

To get an insight into cybersecurity, there are two sites we’d recommend …

Is ISO 27001 Certification Mandatory?

Certification to ISO 27001 -- the Information Security Management System standard -- or other security standard is not required. However, it is strongly recommended that you take information security seriously.

If your business uses formal Working Papers as part of your Supplier Evaluations/Re-evaluations, you are strongly advised to modify them to ensure that, in the future, information security is adequately addressed. 

You should not allow the carelessness or failure of your Suppliers to protect your interests to hinder or prevent your organizations from satisfactorily serving your customer needs.

Choose from five ISO 27001 Courses

Written by Dr John FitzGerald

Director & Founder of deGRANDSON Global. He spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems

Subscribe to Email Updates

FOLLOW US ON...

Recent Posts

Posts by Topic