Podcast: 5 cybersecurity action steps manufacturing executives need to take now

Frank Balonis is Chief Information Security Officer and Senior VP of Operations and Support at Kiteworks. Frank has been in IT support and services for more than 20 years. In his current position, Frank is responsible for technical support, customer success, and corporate IT. Additionally, Frank oversees corporate security and compliance, and works closely with the company’s product and engineering teams. Frank is a veteran of the United States Navy, in addition to being a Certified Information Systems Security Professional (CISSP). Frank recently spoke with Smart Industry managing editor Scott Achelpohl about the types and objectives of cyberattacks in the manufacturing sector and best practices to improve cyber resilience.

Below is an excerpt from the podcast:

SI: In your article for Smart Industry in April, “Navigating red-alert security challenges in manufacturing,” you named five urgent cybersecurity action steps that manufacturing executives and their CSIOs and CIOs should take. They are 1) conduct cybersecurity assessments, 2) implement multi-factor authentication, 3) establish incident response plans, 4) educate and train employees, and 5) enhance supply chain security. Can you tell us what goes into each of these steps to make them successful?

FB: I sure can, Scott. First off, starting with conducting your first cybersecurity assessment, it can be a daunting task. So make sure you have the right understanding of the framework and its intent is in mind. These are crucial factors in doing your first assessment or doing an assessment. Seeking assistance from third parties that can provide guidance and understanding is a great way to start. They're invaluable in saving time and resources and completing the assessment in a timely fashion. It also helps you move on to the beginning stages of continuous monitoring improvements from that point on.

For multi-factor authentication, you need to start with a really good identity management system. These types of services allow for multiple forms of multiple-factor authentication and provide the flexibility needed not only for the individual and the service, but also the systems and the time they're being accessed. Having this flexibility makes things secure, but also easily accessible without interrupting work that has to be completed.

For your incident response plan, a good compliance and security program really helps prevent and protect your sensitive information infrastructure, but a great compliance program helps you for the eventuality of an event happening and the best way to respond to that event. So without a proper incident response plan in place, an incident that is known to happen, or be happening, but is not being addressed properly can increase the impact of that event and your ability to address it. That's why in every compliance program that I've ever been involved with or Kiteworks has worked through, you have to test and look to improve your incident response plan on a regular basis.

For educating and training your employees, as you mentioned earlier, the numbers are a good way to bring a conversation to the forefront and understand what's happening. Depending on what you're looking at, you can look at cyber events, 85 to 95% of them are caused by individuals, whether it's through a malicious attack with phishing or other related acts. So, educating these employees at the start and then on a regular basis will keep those principles of safe behavior at the forefront of their minds. The proof is in the pudding. Every time we go through the process of doing our annual security training and awareness programs, I do see an increase in the number of reported possible phishing and scamming emails, highlighting that the end user and the employees are much more village and diligent at looking at these things. And actually, based on these facts over the last couple years, it’s become more apparent to Kiteworks and other organizations that maybe more frequent but smaller bits of awareness training and reminders are necessary. That is something that we're planning on doing, and I see a lot of other organizations doing as well.

So, the final thing would be good practices for your supply chain. Having all those four things in mind that I just discussed, to how you do things at home, so to speak, allows you to understand what best practices, not only for yourself, but also you can properly and better understand what you need to validate and understand with the supply chain, ensuring that they're doing at least as much as what you're doing in your compliance and your security to ensure that whether they're providing you services, storing your data or software, that they have a very comprehensive compliance and security program in place to ensure that your data and services are remaining secure and safe as well.

About the Podcast
Great Question: A Manufacturing Podcast offers news and information for the people who make, store and move things and those who manage and maintain the facilities where that work gets done. Manufacturers from chemical producers to automakers to machine shops can listen for critical insights into the technologies, economic conditions and best practices that can influence how to best run facilities to reach operational excellence.