At the 2021 Apex Assembly Tech Leaders Northeast Summit in March, Fasoo hosted a discussion on IP protection in manufacturing. CTO Ron Arden spoke with GE Gas Power cybersecurity researchers Hillary Fehr and Chris Babie about protecting R&D, product designs, specifications, and other sensitive intellectual property (IP).
The typical person in a business creates and interacts with about 50 files a day. Most of this information is sensitive unstructured data or data contained in documents like CAD drawings, MS Office files, PDFs, and images.
Let’s look at an organization of 3,000 people, for example. You could see how quickly the numbers grow in a single day. Extrapolate this to a year, and you’re looking at a massive amount of files to manage.
Security is crucial to prevent the leaking of critical information. Employees share CAD files and other documents throughout the supply chain and with other employees or contractors who may not be with your company forever. The most significant risk to a manufacturing company is the insider threat.
That insider threat could be someone with malicious intent who wants to steal your data. More commonly, it is someone who accidentally emails a file to the wrong person or puts a file into the wrong folder in your cloud sharing app.
Intellectual property (IP) loss results in competitive disadvantages that cost you time, money, and your reputation as a company. How can you securely share proprietary information through email, collaboration platforms, and mobile devices throughout your supply chain?
Defining the security perimeter in a large organization has become a major challenge, especially with so many people working from home. Your company may have employees or contractors using company-owned PCs connected to personal devices.
Data may go back and forth between them for convenience. Somebody copies a file from their work PC to a personal computer and prints it. That may be convenient for them, but you lose all track of that sensitive data as a business.
IP Protection Challenges in Manufacturing
Enterprise-level IP protection requires file-centric security to ensure business continuity. How exactly do you protect your intellectual property inside a manufacturing environment?
At the 2021 Apex Assembly Tech Leaders Northeast Summit, Fasoo CTO Ron Arden discussed this and related questions with Hillary Fehr, Senior Cyber Security Researcher with GE Gas Power, and Chris Babie, Staff Cyber Security Researcher with GE Gas Power.
Ron Arden: Hillary, what are the specific challenges in protecting your IP with solutions that only focus on standard Office documents?
Hillary Fehr: I think Office files are a good example. We see a lot of sensitive information, whether it’s PII – Personal Identifiable Information – or other personal data in documents that HR, Finance, Legal departments may use.
Specifically in a manufacturing environment, when you start peeling back the onion layers, you realize that there’s a lot of sensitive data in other file types we maintain: CAD drawings are one example. We also have 3D PDFs. And even source code can contain potentially sensitive information.
So it’s important that we have a tool that has a wider scope, to allow us to protect any format of data that the business may find worth protecting. One of the challenges you face, though, when you focus specifically on Office, may be compatibility issues.
A Windows-based application works well on a Windows machine, but we also have a lot of Mac users. The user experience may be different. The level of protection or usability may not be the same that you would find on a traditional Windows-based machine.
You’ll also face challenges with external sharing. As a manufacturing business, we share with our suppliers and a lot of third-party vendors. They may not necessarily use the same toolset as we do.
That means you lock yourselves into one particular software package when you focus your IP protection specifically on your own toolset. For document protection, we want to have the flexibility to have a tool that works with various files and can be used for other software out there.
Ron Arden: The different file formats I mentioned earlier get converted to other formats, too. It’s not just one type through the whole workflow. Instead, a supplier may need it in a special format, so you need that flexibility to be able to manipulate your data and provide it in a usable format.
Speaking of workflows – Chris, what is your biggest concern about meeting data protection needs of such a large organization when different divisions can implement their own solutions?
Chris Babie: My biggest concern with an organization of our size is the volume of data we have to protect. We’re talking about millions of different files here. As Hillary said, very complex file types – it’s not just your standard Office-type documents.
With an organization of our size, think about its vast network. That means I not only have to protect transactions within my walls. It’s also about how many hundreds of suppliers, customers we’re dealing with. Millions of transactions are happening every day. How do you protect all of those workflows?
The workflows themselves are going to be complex. If you think about the engineering space – how many different software packages are used, or different systems of data storage? How do you make sure your security solutions can scale?
As for the second part of your question, Ron – different divisions implementing their own solutions – that’s really a non-starter in our world. We need to have a unified vision and be consistent in what tools we’re going to use.
That’s because of the amount of data we share and how we’re all intertwined in this one ecosystem. If somebody were to go rogue and build something else, it’s bound to fall down once data moves over into another part of the business.
So we need to make sure that we partner across all these different functions, all these other businesses, and have a common vision of the solution that we’re going to implement.
Hillary Fehr: I would say common guidelines, too. The toolset is one thing. But also having similar standards that we all use to set that baseline for our users is important.
Ron Arden: It sounds like you don’t want even different divisions within your business to be acting as external partners, like your supply chain? They’re all part of the same company, so you need to share data internally.
I understand it’s important to share with your supply chain. But you also need a set of common standards. Even at the level of a PC – if everybody was not using the same application, if I used Word and you used something completely different – all of a sudden we’re going to have obvious incompatibilities.
If you tried to create a unique data protection infrastructure under such circumstances, it’s going to be a nightmare.
Chris Babie: Yes, especially in this climate with its particular cost challenges. We need to make sure that there’s compatibility, or else we’ll have major productivity issues, and all of a sudden someone’s workflow totally breaks down.
We need to make sure that people can deliver the most value during these times. I think everyone’s in that cost-conscious setting.
Hillary Fehr: The other thing worth adding is that we have many functions driven by Corporate. So Corporate not only touches their functional area, but also provides services to all these different [internal] businesses.
That means they need to have the same user experience for each business by having that consistency across the enterprise.
Ron Arden: And I can imagine, if you have engineers who just move between divisions, and somebody moved to a different division, and it’s a completely different regime – that can create productivity issues, as you said, Chris, and even training issues.
One thing I know about engineers is that they get used to a certain toolset, and that’s what they want to work with. So you can’t simply change the security infrastructure all of a sudden. That’s like pulling the rug out from under them.
“Pulling the rug out” is not an option
Because then, they’re going to complain, and your productivity is going to suffer. Hillary, given that engineers help the company generate a lot of revenue through their work – how do you minimize impact on their workflow while protecting your IP?
Hillary Fehr: That’s a good question. It starts with educating our end users, getting their buy-in. For engineers to make the business money, you really need them to understand the “why.”
Sometimes, it’s a matter of creating a shock factor, helping them understand the impact on the business if our sensitive data got outside our walls. Once you establish that and they understand the impact their data could have outside the business, then it’s a matter of slowly and incrementally working with them to build data protection into their already existing processes.
As Chris mentioned – we don’t want to interrupt workflows. We don’t want to stop business continuity. It’s important that we slowly get their buy-in and then work with them to identify key pockets of data and implement our solution.
That solution does have to align with current processes; they can’t overlay and cause them to have to change the way they do things. Otherwise, they won’t do it. Ultimately, it has to have a strong user experience, because if you have a tool that doesn’t work, they’re not going to use it.
Ron Arden: When you said “shock factor,” what you mean is proving to an engineer the impact it has if something leaves the business?
Hillary Fehr: Exactly. It could be our competitive edge, the financial impact, reputation – all of those different things. The data leakage doesn’t necessarily have to be caused with malicious intent. You need people to think about the criticality of what they’re working on, and if that were to egress outside of the business, what people could do with it.
Ron Arden: That’s a really interesting point you brought up – most of the time it’s not malicious. When something leaves the business, it’s usually what I’d call an “oops” situation, such as accidentally emailing the wrong file to somebody. Or I thought I was sending to Hillary, and I wound up sending to Hugh, who happens to be a competitor who’s in my address book.
The other point, as Chris mentioned, are issues with work from home. People are moving things around for convenience. Maybe they’re moving it to a personal device, which is never good – and accidentally, something happens, and your intellectual property goes out the door.
IP protection and work-from-home: communicate and educate
Hillary Fehr: That’s true in other functional areas outside Engineering, too, where team members aren’t security experts. You’ve got Financial, you’ve got Legal, you’ve got Sourcing – they interact with data all the time that they send out to suppliers to get bids.
They’re not thinking about what happens to that data. So you have to educate them on why it’s important that they take an extra step or do a certain task to preserve that data and make sure that it’s maintained.
Chris Babie: Ron, to your point – in this new remote world, organizations need to focus on communication and education. I can confirm, people don’t know the running rules of remote work – yet.
They have all these digital assets that were never next to their company-issued endpoints. And now there are these new risks. They’re not malicious. They just need to know what’s okay and what’s not.
We would prevent many problematic activities if we were more proactive about data sharing, data storage, about: how should data move in this new world?
This remote arrangement is pretty permanent for a lot of folks. Organizations need to take the proper steps to learn how to protect their data within it.
Hillary Fehr: And it’s our job to educate them about what they can and cannot do, because these are new times. People don’t really know what the guidelines and guardrails are.
Read Part 2 of this conversation here: IP Protection Over Workflows? “People don’t want their productivity to dip”
Is your company dealing with similar challenges? Encrypting and controlling sensitive data at the point of creation reduces insider risks and helps protect your intellectual property. When employees or contractors change jobs, for instance, you need to be able to immediately revoke their access to sensitive files.
Rather than focusing on protecting location – like a cloud or file server – the flexible and future-proof solution is securing the file itself with file-centric, enterprise-wide Digital Rights Management (DRM).
Watch Ron Arden’s full Apex Summit Fireside Chat with GE Gas Power’s Hillary Fehr and Chris Babie here.
The transcript of this conversation has been shortened and edited for clarity and the blog format.