How to stop intellectual property leakage and theft in manufacturing?
That was the topic of a discussion hosted by Fasoo at the 2021 Apex Assembly Tech Leaders Northeast Summit. CTO Ron Arden spoke with Hillary Fehr, Senior Cyber Security Researcher with GE Gas Power, and Chris Babie, Staff Cyber Security Researcher with GE Gas Power, about the challenges of IP protection in the manufacturing enterprise.
In Part 1 of this conversation, IP Protection: “We need a tool with a wider scope”, we focused on how to protect sensitive CAD files, 3D-PDFs and other PDF file formats, in addition to the wide variety of Microsoft Office and other documents typically found in innovation-driven manufacturing companies.
In this post, Ron, Hillary and Chris zoom in on additional insider threats and risks introduced through the rise of the cloud and the rapid shift to work-from-home due to COVID-19.
What advice do the GE security researchers have for IT leaders in manufacturing companies looking to update their document protection program? Find out in Part 2 of the conversation:
Ron Arden: With everybody being remote, all of a sudden new threat vectors are appearing. There are things you didn’t even think about before. Somebody is going to copy something to their private OneDrive or their Dropbox account because it’s convenient. It’s easy to move stuff around. We all used to copy things to our USB drives, but now it’s just as easy to go to a cloud service. You know employees are just working along, and they’re not really worried about all of this.
Chris Babie: Exactly. Most of it is amiss on our [the IT security] side. If we told [engineers] the proper running rules, they wouldn’t perform that risky activity. People want to back up their data. Right now, there’s no help desk for them. I think people don’t want their productivity to dip. That’s a perfect example of the “I need to make sure my data is safe, hey, let me move it to my desktop” kind of thing. We need an answer for that now.
“A ton of new risk has bubbled up”
Hillary Fehr: And engineering machines, which typically were in a lab environment in the business before, now are in somebody’s home. That’s a whole other layer of risk that was never there.
Chris Babie: We kind of knew that our “walls” in the manufacturing environment were okay. Now you’re worried about “does a virus now get on that machine?”, “is the home network protected?” It’s not even a data protection issue alone anymore. It’s also a home networking issue. A ton of new risk has bubbled up.
Ron Arden: Chris, what was your experience with other solutions that you use to protect and control sensitive documents?
Chris Babie: I think one thing that every solution struggles with in our world is scale. If you think about 300,000 folks, millions of transactions every single day, all these different mediums for transacting data. We already touched on the complex file types [see Part 1, IP Protection: “We need a tool with a wider scope”].
Our value is not driven by the standard stuff. It’s more in part files, CAD drawings. We were finding certain populations really love mobile. That’s just how they work. They’re very busy, they’re traveling, and it would work great on the endpoint. And then it would fall down.
We cover all these different complex workflows. Finding a solution that works everywhere is very challenging. It worked well when it was a standard workflow, very cookie-cutter. But we don’t do cookie-cutter at GE.
I talked about our vast network. I need a solution that works if it gets sent to an organization with 500,000 people and a supplier with three folks, and they’re more of like a mom-and-pop shop. We have a whole spectrum. We kind of cover everything, in terms of file types, network entity types…
How do you find something that works everywhere? It’s a challenge.
Wanted: IP protection that “works everywhere”
Hillary Fehr: It’s got to be adaptable, especially with business requirements and environments. We know how quickly those can change. Last year was a big indicator of your ability to really pivot and adjust your priorities and approach, based on new risks that come up in the business.
Chris Babie: We touched on user experience. That’s literally everything —the main bucket. If the user experience wasn’t there… – people do not like change. They just don’t.
We need to make sure that however they are working today, the technology works. That’s getting really hard to find with all these new solutions, cloud storage… It’s critical if we’re going to bring anything in-house.
Ron Arden: As you said, we all hate change. If we initiate the change, that’s different, but when the change is brought down on us – no. You got a job to do. The person who is creating the next generation of turbines has to focus on that. They cannot waste their time learning a new tool and completely changing their workflow.
And like you said, Chris: If you go out to GE’s smaller suppliers, they work the way they work. I mean, you might be able to impose some things on them. Still, they want to work the way they want to work. Mobile is extremely important today. Working with a flexible solution is key.
Adaptability is key, because the tool should adapt to you. You shouldn’t have to force yourself to adapt to the tool because that never works. People just get annoyed, and they don’t use it.
I’d like to wrap up with one last item. Hillary, what advice would you give to people listening in?
Hillary Fehr: I would say you need to know where your data is. You need to have a strong process for identifying your data, tracking it, understanding the movement, how that data is used.
Until you have that, you really don’t know where you have sensitive data and how to protect it. Once you have a good understanding of what that data movement looks like and where that data is, you can start to build your approach to data protection.
Data protection is about auditability, too
Like we mentioned before, it’s also important to listen to the business because things are changing all the time. So you need to understand the business processes and be adaptable as they change and as the business priorities change.
You need to have standards and best practices in place. Not only to outline the do’s and don’ts for your end users, but also from an auditability perspective. It gives you legs to stand on.
Ron Arden: Chris, your advice?
Chris Babie: We touched on it – communication and education. In the insider threat space, we wouldn’t see a dominant portion of the [insider threat] activity if we were simply upfront with them on how people are supposed to work, and how data is supposed to transact.
To anyone implementing a solution, I would say: Try to get really close to the business. Do you understand all the different use cases you’re going to encounter?
At least in our world, there’s all this function overlap. If you’re going to implement anything, it cannot be in a silo. There needs to be a major partnership with the business. Everyone has to have a seat at the table before we go in any direction.
Hillary Fehr: That’s a good point, Chris. I think relationship management is a big part of getting their buy-in, too, and building out your process – because your data owners are the ones that understand your data and can help you to identify the best approach to protecting it.
Chris Babie: Having some of these basic “101” items – assets inventory, knowing your environment – gives you a head start, especially at our scale. It can be very challenging, as you can imagine.
Hillary Fehr: You have churn of employees and contractors, and people who may have known where the data was – years ago – are no longer with the company. That’s where you need to partner with the business and the functional areas to get to the heart of where things are and what they do with them.
Ron Arden: In essence, what you’ve been saying is that you need a solution that is location agnostic, because you have a lot of systems. Some would be legacy; some might be brand new. In the cloud, on people’s phones, home devices, engineering workstations…
So you can’t rely on a perimeter. There’s no perimeter anymore. It’s everywhere. I’m guessing you probably even have storage assets that you don’t even know about because somebody put a server somewhere in a room and nobody remembers what’s there, and then all of a sudden you find out something of value is sitting on that device.
Hillary Fehr: Or an endpoint in their bottom drawer of their desk.
Chris Babie (chuckles): I can confirm that our data is everywhere. Most organizations need to shift towards that [location agnostic] model. There’s zero perimeter today. Our data is all over the world, in every system imaginable. How do we make sure it’s protected wherever it goes?
“Shift towards location-agnostic model” of data protection
Ron Arden: We have some customers with scenarios where they have to feed the data to machines. Those systems tend to be older, because of the cost of those types of machines. So you might even have a Windows XP machine that’s connected to one of these devices with important process information on it.
It’s sensitive information. If you’ve got a contractor or a person who just ups and leaves the business and says, “Hey, this might be really cool for me to take to my next company,” you’re never going to know that, and something very important walks out of the door.
Do the scenarios mentioned in this conversation sound familiar? Most innovation-driven manufacturing companies face similar challenges, due to remote work demands under COVID. This explains why manufacturers increasingly rely on a file-centric approach to protecting intellectual property.
Fasoo Enterprise DRM comes with centralized policy management and granular controls baked in that can be adjusted flexibly by the data owner. This approach enables large organizations to provide maximum protection – across the enterprise and its supply chain – against insider threats and IP exfiltration at scale, while maintaining workflows and productivity.
Watch Ron Arden’s complete Apex Summit Fireside Chat with GE Gas Power’s Hillary Fehr and Chris Babie here.
The transcript of this conversation has been shortened and edited for clarity and the blog format.