Can Your Remote Workforce Collaborate Securely?

Collaboration has always been a key to a successful business. Whether working on a project or sharing documents as part of standard business operations, numerous people need to see and act on information quickly.

While ad-hoc communication uses tools like Teams, Zoom, and Slack, most people collaborate through documents.

As organizations settle into new business norms, working remotely is very common for a lot of people. A recent analysis by leading research firm Gartner predicts that by the end of 2023, 48% of knowledge workers will work hybrid and fully remotely.

Hybrid workplaces require new methods of collaboration since employees and contractors may work a few days in the office and a few days remotely. They need to collaborate securely with colleagues, partners, and customers regardless of location to stay productive and meet deadlines and goals. While video chat and instant messaging let you communicate, most of us work together to complete a project or develop ideas using documents. You need to easily share documents, make sure everyone is working on the most recent version, and guarantee that only authorized users can see the information inside.

Deploying a collaboration platform on the fly is not something you can do overnight, since it costs both time and money. The fastest way to hit the ground running and share files without losing valuable time is to use a cloud-based system with a web interface. This keeps projects on track with minimal disruption.

A key ingredient to secure collaboration is not burdening your employees or third parties with making security decisions. Wrapsody eCo is a secure and reliable collaboration platform that encrypts all shared files and makes it easy to collaborate securely. By configuring workgroups with built-in policies and permission management, your employees continue to work without worrying if decisions don’t follow policy. You can set an expiration date for your projects or revoke access to documents immediately, which simplifies security for users. They have a job to do and don’t need to worry about setting security policies.

Users can easily create a workgroup for a project and define security parameters, like permissions on downloaded files or view access to a document in a browser. Project managers can invite employees, partners, and customers to the workgroup with a few clicks. As project members upload documents, they are automatically shared with the workgroup. Authorized users get real-time and email notifications of document changes so interested parties are informed immediately of updates. Each workgroup has a centralized policy making it easier to enforce security on all documents.

Sometimes members of a project team need to interactively review a document. Creating a quick video chat with all authorized users of the document is usually faster than typing into a chat or instant messaging window. Wrapsody eCo lets you connect your Zoom account so you can quickly schedule a meeting from within the portal and get your business done.

As people work from home, they may fall into bad habits like downloading documents from protected cloud applications to work on locally. This is especially true if they do it out of frustration because the internet is slow or they are having problems with their VPNs. That could lead to emailing files, only exacerbating unsafe data handling practices. Secure in the Wrapsody eCo environment, downloading documents locally is a non-issue. When a user downloads a file, they can only open it if they have access permissions. If someone accidentally sends the file to an unauthorized user, the unauthorized user cannot view the contents. Of course, if you send it to someone who should access it, they can easily request access.

Remote workers could be anywhere, not only working from home. With our current hybrid and mobile working environments, people time shift schedules and work almost anywhere and anytime. When collaborating it’s critical that project members work on the latest document. Finding and using the latest documents is always a problem since most of us use numerous devices and can’t always be sure what’s current.

If you update a financial spreadsheet, for example, you can’t work on an old version. With Wrapsody eCo, you always work on the current version. As soon as you update the file and close it, it automatically syncs to a central location. This works whether you are accessing the document on your work laptop, a home PC, or opening it from a cloud location. The next time you open it, you get the latest version, secure in the knowledge that your data is protected and only available to authorized users.

This even works on your mobile device. If you are running to a meeting or trying to catch up in an Uber, you can review the latest document on your phone or tablet. If you want to see a previous version, that’s as easy as a few taps.

Another problem with collaborating is making sure you get input from everyone. Rather than sending emails to everyone bugging them about reading the document and providing questions or updates, you can comment on the document and have it appear in real-time on people’s devices. You can also send a view alert to quickly bring it to everyone’s attention.

You can also review logs of user activity on the document. It tells you who viewed and edited the document and when. If someone edits a document locally or in a browser, the document updates to a new version upon saving it. If you need to retrieve an earlier version, it’s a click or tap away.

Working remotely has become standard for a lot of people. Collaborating securely and effectively can ease the burden and ensure your data security controls protect your most sensitive information. And that should give you peace of mind.

Learn more about how Wrapsody eCo makes it easy for your remote workforce to securely collaborate.

Break the Cycle of Confusion When Collaborating on Documents

One of the problems of collaborating on documents is figuring out who has the latest version. How many times are you working with a group and you spend as much time asking who has the latest copy as working on the document?

Our current hybrid and mobile working environments make it even harder, since people time shift schedules and work almost anywhere and anytime. Finding and using the latest documents is always a problem since most of us use numerous devices and can’t always be sure what’s current.

It’s not just wasting time. It’s also wasting money.

You might lose a deal if you need to create a sales proposal and can’t get it to your customer on time. If you manufacture products and have outdated specs, you have to spend money on rework.

This only gets worse if you have a lot of people who provide input to your document.

Document Virtualization

Traditional document and content management platforms provide some of the answers to these problems. But they only work inside their system. If someone opens a document, edits it, and checks it in, your system should update the document version. You might get a notification that a user updated the document so you know it changed.

But if you download a document, edit it locally, and share it with a colleague, you just broke the system. The next person looking for the document will have the wrong information. And worse, they don’t even know it.

A better approach is to use content virtualization which doesn’t rely on the location of your document to manage it. It always provides up-to-date content regardless of document location. If you have the document on your desktop, in email, or stored in the cloud, when you next open it, you will have the latest version.

Get Rid of ROT

Along with not finding the latest version of a document, another problem collaborators face is multiple versions all over the place. You might have a document on your laptop, your tablet, and even another desktop somewhere. Some people want to store documents on cloud services or local file shares, and after a while, you have outdated and redundant documents everywhere. Trying to sort all this out becomes a nightmare.

By tracking all copies of a file, you can easily find redundant versions. Your files are never outdated. The moment you open one, the latest version appears. Each document has a tracking and synchronization identifier so all files know what version they are no matter their location.

Access Control

Another issue is limiting who can view or edit a file as people collaborate. Just because you are on the same project team doesn’t mean you necessarily need the same access to all files. Sometimes certain people only need to view a document, while others may not need any access. If you rely on a location-based solution to assign permissions, this all falls apart when you move the file to another location.

Document owners should be able to assign permissions to a document and change it whenever the need arises. The next time someone opens the file, the new permissions are available immediately. If the document owner needs to remove access entirely, they can do it and it applies the next time someone opens the file.

Wrapsody in Action

So how does this work in practice? Let’s take a look at how Wrapsody can make collaborating easier.

Evie works in the strategic planning group of an electronics manufacturer. She participates in a project to streamline how the company brings products to market with the goal of reducing cost and time to market. Her manager launched a task force for the project to include herself and employees from sales, finance, marketing, manufacturing, and business strategy. Evie started developing a business plan for the project.

The members of the task force shared the initial versions of documents on market analysis, financial impact, and business strategy and updated documents were sent out as new versions became available. For an interim briefing to the leader of the task force, Evie had to aggregate the latest versions of the documents on her PC into the business plan.

Before updating the material, Evie had to verify she had the latest versions by checking emails and talking with the authors over the phone. About 30% of her time was spent consolidating the latest documents before the briefing, holding the briefing, and sharing feedback after the briefing. If the business plan changed before the final report, Evie needed to repeat all these steps.

Evie had a lot of challenges to overcome. First, she needed to minimize the time wasted sharing documents, managing versions, and preparing a report. Dozens of documents are shared among the members of the task force, so this could be difficult. As different members share different versions multiple times, the same documents may be stored repeatedly on different PCs. The document name itself may not indicate whether the document is the latest version. If there is a need to review the progress or hold a briefing, it will take a long time to aggregate the latest documents.

Evie needs to create an environment to efficiently manage documents for collaboration.

By using Wrapsody all members of the task force store the initial version of the business plan on their PC. They update the plan locally and when a new version is available, the leader opens it on her PC, reads the document, and adds comments, if needed. The members read the comments and make appropriate updates to their documents. No additional document sharing or aggregation process or briefing is necessary.

Wrapsody automatically synchronizes the latest version of the business plan to everyone’s device. Evie could edit the document on her laptop and later read it on her iPad. She can always be sure everyone has the latest version. This makes collaboration easy since the document is now the system of record.

Evie and the task force successfully reduced the cost of bringing products to market and cut cycle time by 40%. Using Wrapsody streamlined their process by making it easy to update their documents and ensuring each member of the task force had the latest version.

Learn more about how Wrapsody can break the cycle of confusion when collaborating with documents

IP Theft in the Automotive Industry: 10 Tips to Counter the Insider Threat

No matter if your company is an automotive OEM, Tier 1-3 supplier, or a small engineering studio that serves component manufacturers across various industries: all eyes are on you.

The eyes of commercial spies, that is.

Intellectual property (IP) theft, most of it on behalf of China, damages the US economy to the tune of about $500 billion a year, says the FBI. Automotive, aerospace, and other innovation-driven tech companies are bearing the brunt of commercial espionage efforts.

What do the nation-states and competitors behind the IP theft have in common? They all rely on a secret weapon: company insiders.

What is an “insider threat”?

The US government’s National Insider Threat Task Force (NITTF) defines an insider as “any person with authorized access to an organization’s resources to include personnel, facilities, information, equipment, networks, or systems.” This not only includes your employees but contractors, partners, and potentially anyone in your supply chain.

In the vehicle manufacturing sector, most sensitive information is now stored and managed digitally: in the form of CAD drawings, for example, or as digital image files, as Microsoft Office documents, or in various Adobe PDF formats, including PDF/A, PDF/E, or PDF/X.

The dependency on these files makes IP theft by company insiders with access to that information the biggest potential security threat for automotive manufacturers and their suppliers today. Under pressure to innovate and develop startup-like cultures, traditional manufacturers struggle to protect their digital IP without sacrificing productivity.

A key security component in this fight is International Cybersecurity Standard ISO/SAE 21434 which specifies engineering requirements for cybersecurity risk management in the design and development of car electronics. It covers cybersecurity governance and structure, secure engineering throughout the life cycle of the vehicle, and post-production security processes. It covers vehicle manufacturers and their entire supply chain. This standard is becoming more important as the industry moves toward autonomous vehicles.

How does someone become an insider risk? What are the warning signs of potential insider theft? Is your company prepared?

Experts agree: securing unstructured data across the automotive manufacturing supply chain requires a comprehensive approach by Security, IT, HR, Compliance, and Legal. Here’s what they recommend:

1. Raise your organization’s threat awareness.

The battle for the future of mobility is marked by innovation at break-neck speed and tough competition for top performers.

Traditional players find themselves competing with Silicon Valley giants, startups, and nation-state-sponsored groups to recruit and hold on to the best talent. Electric vehicle development, connectivity, battery technology innovation, and the rise of additive manufacturing are changing the industry.

The IP Awareness Assessment, offered by the National Institute of Standards and Technology/Manufacturing Extension Partnership (NIST/MEP), enables affected companies to assess their intellectual property awareness.

Another valuable resource for your internal IP Theft awareness program and training is the National Insider Threat Awareness Month library at the Center for the Development of Security Excellence. It offers guides, real-world case studies, videos, and even web-based games to help organizations detect, deter, and mitigate insider threats.

2. Know the IP theft threatscape.

According to Ponemon Institute research from 2022, 67% of surveyed organizations worldwide reported more than 30 insider-related incidents per year involving digital assets.

In the US and the EU, counterintelligence experts and manufacturing industry security advisers attribute the rise of IP theft mainly to China. Take the Thousand Talents Plan, for example, which was conceived by the Chinese Communist Party.

Officially, TTP is a recruitment program for up-and-coming scientists and engineers to experience China and work side-by-side with their Chinese peers. In reality, it now serves as a vehicle for a state-sponsored IP theft campaign on a global scale, with more than 140 recruitment stations set up in the US alone.

Source: CISA

Social media and business networking platforms (LinkedIn, for example) are increasingly used to identify and target company insiders for later exploitation.

To keep you abreast of recent developments and emerging threats, the FBI provides IP theft prevention resources on its website and sends out email alerts.

3. Identify what’s most at risk of IP theft in your organization.

Unstructured data such as CAD/CAE files, digital images, and confidential sales or legal PDF documents contain your organization’s most valuable intellectual property and blueprints for its future. Yet IT and Security face a unique challenge in protecting it against IP theft.

How to secure these files across the enterprise and along its diverse supply chain? IP protection at the document level often requires that the information rights management service supports all industry-relevant CAD applications.

Automotive engineer

Your teams may currently use mainly one or two such tools. But this can change quickly due to new requirements. Effective information rights management in this dynamic environment makes support for tools such as AutoCAD, CATIA, PTC Creo, Siemens NX-CAD, or SolidWorks essential.

PDF file formats are another example. Does the information protection software cover the broadest possible range of documents? Support for at least 200 file formats is considered the bare minimum in a globally integrated enterprise environment.

4. Determine who’s posing an insider threat.

As paradoxical as it may sound, this question is the easiest to answer. Experts will tell you that any executive and rank-and-file employee, contractor, or temp with access to sensitive information is potentially a risk. This includes external business partners and is made even worse by so many people working remotely or from home.

Security professionals differentiate between malicious, negligent, and compromised insiders. The lines between these categories are blurry. Common scenarios resulting in the loss or theft of proprietary information that involves negligent or compromised insiders:

Negligent insiders

use passwords like “password” or accidentally send a confidential file to the wrong person,
(on the IT team) leave Git server content or Amazon AWS S3 cloud storage buckets open for the taking,
share access credentials with team members.

Insiders are compromised when

clicking on an email phishing link that downloads a spyware exploit kit,
inserting USB sticks found in the office parking lot or sent to them by mail,
working from home on unsecured WiFi on unmanaged compromised devices with remote access to critical company IP.

All of these examples can result in exfiltrated CAD files, office documents, or process information. IT can minimize the risk of unintentional IP exfiltration by controlling access to proprietary information at the file level and limiting or blocking possible ways of sharing, such as copying, printing, or taking screenshots.

5. Prevent the #1 IP theft scenario.

What about the malicious insiders? In the manufacturing sector, who are the real-life spies?

Let’s forget about James Bond and his Minox camera for a moment. Instead, let’s focus on Jill with a smartphone and money problems. Joe in R&D may fancy making VP at a competitor. Then there’s Jim, the work-from-home (WFH) contract engineer who just got an invite to visit China, all expenses paid, courtesy of the Thousand Talents program.

Not to forget the ambitious – now-former – head of your self-driving vehicle division (if you are Google).

That last case reminded us that the risk of IP theft is highest when employees leave. In more than 50% of documented IP theft, the perpetrators are employees who quit and take proprietary information with them.

This happens simply because they could. Nothing got in the way.

A design engineer, for instance, may store critical CAD drawings on a private hard disk or personal cloud storage “just in case” and later use them when interviewing with the competition.

IT and other stakeholders need a mechanism that makes it simple to centrally disable access to sensitive documents for a departing employee at the file level, even if that file now resides on an unmanaged work-from-home laptop.

6. Establish or expand your threat intelligence program.

Managing IP theft risk in 2022 requires more than cursory reference checks or LinkedIn profile once-overs for potential hires.

Smaller companies can outsource their pre-hire background checks to background investigation specialists and threat intelligence firms. Large manufacturers may expand their internal open-source intelligence (OSINT) collection capabilities.

This enables investigators and SOC analysts to examine, for example, dark web marketplaces for suspicious data movements.

Where to find private-sector professionals that specialize in digital insider threats on all levels? Industry associations, trade groups, and government resources such as the National Center for Cybersecurity in Manufacturing can help.

7. Monitor to identify insider threat warning signs.

What are the indicators of insider threats that may culminate in IP theft? Behavioral and personality changes can be early warning signs, experts say. Financial problems, a drop in performance, or a sudden interest in files outside the employee’s work scope are indicators as well.

To catch such telltale signs early on, the software selected to secure and manage proprietary information should include the capability to flag suspicious files and user activities. Do they indicate sufficient risk for intervention by business management?

Digital rights management combined with user and entity behavior analytics (UEBA) enables visibility into employees’ interaction with IP at the file level. It applies rule-based modeling to the respective data sources.

This approach allows the system to establish baseline behavioral patterns and help determine suspicious activities.

Fasoo’s RiskView, for example, provides such UEBA protection for sensitive files. For IT, it serves as an early warning system against infractions by users even with sufficient inside knowledge to bypass other security controls and methods.

8. Choose productivity over paranoia.

Under pressure to innovate and develop startup-like cultures, traditional manufacturers struggle to protect their digital IP without sacrificing productivity.

An overly rigid and inflexible approach to IP protection risks slowing down workflows and alienating top performers.

It also introduces additional risks. A typical example is team members who develop “creative” workarounds to access or share sensitive proprietary information they need to get the job done.

Security or productivity: do we have to choose? It doesn’t have to be an either/or choice. Let’s look at Digital Rights Management (DRM) as an example.

DRM (also referred to as Information Rights Management, IRM) today is at the heart of many enterprise-wide initiatives to prevent intellectual property theft or unintentional digital IP leakage.

How to solve the IP Theft Protection vs. Productivity conundrum? Enterprise IT leaders emphasize the importance of carefully selecting an enterprise DRM software that is flexible and fast at scale.

9. Put manageability and flexibility first.

Can we really expect data owners to become security experts when managing document-level protection for the files they oversee?

We shouldn’t. But that’s what happens, IT says, when the company deploys the kind of information protection service that was developed almost as an afterthought to popular office software and design tools.

Many IT leaders have determined such rights management services are too limited for the use cases in their enterprise-wide deployment. They are also cumbersome to manage and use on the ground.

Exception management is a prime example. How do you give everyone on the team who needs it fast and uncomplicated access to critical IP while ensuring that it doesn’t fall into the wrong hands?

An effective DRM solution simplifies and accelerates the process of obtaining exemptions from file access and management restrictions. A user’s legitimate exception request should not increase IT’s workload, be held up by slow support desk response times, or get forgotten in the system once it has been granted.

10. Select DRM that enables centralized policy and visibility

Opportunity makes thieves, as highlighted in Tip # 5. Eliminate the opportunity for digital IP theft with DRM. Protect your IP from the onboarding through the offboarding process, including all user activities on your network in between.

Centralized policy management empowers IT and management to conveniently set and change data-centric and user-centric document use policies at-a-glance.

The past three years have seen a significant uptick in companies looking to deploy EDRM to prevent IP theft. Industry observers attribute this trend primarily to three factors:

the rising threat of IP theft by corporate insiders,
Microsoft now supports its rights management in Azure, on Apple’s iOS, and on Google’s Android,
the pressure to protect intellectual property accessed by remote workers, often on unmanaged home networks and devices.

Fasoo Enterprise DRM’s authentication APIs, for example, supports numerous 3rd party, federated, and proprietary authentication systems. In the enterprise environment with its hybrid mix of on-premises, cloud, and WFH digital assets and devices, this means less headache for IT when securing remote access.

This way, IT can quickly adapt your document use policies to fit remote work scenarios. It also means that when your company shuts off access to an employee for good, it doesn’t run the risk anymore that a critical resource gets overlooked.

Fasoo Enterprise DRM’s encryption renders protected files useless for the former employee and other unauthorized 3rd parties.

Talk to our team about how Fasoo Enterprise DRM will complement and strengthen your insider risk program.

This post was originally published in March 2021 and has been updated for accuracy and comprehensiveness.

3 Reasons Why Enterprise DRM Saves the Day on a Deserted Island

What good is a secure island if you’re left stranded? Former Secure Islands customers want to know, since their data protection software has finally reached end-of-life support after the company was acquired by Microsoft a few years back. The good news: they have more options than they may have thought.

As a startup, Secure Islands Technologies Ltd. was a success story. Not so much for some of its early customers, we hear.

Two brothers, Aki and Yuval Eldar, founded Secure Islands in 2006 in Jerusalem. Microsoft acquired the company for $150 million in 2015 and made its technology an essential building block for Microsoft’s Azure Information Protection (AIP, part of the Microsoft Information Protection framework MIP). Six years later, to Secure Islands customers who decided AIP wasn’t for them, it may seem as if they are stuck.

So far, so predictable. As far as startup exits go, you’ve heard the stories. The outcome can be ugly: early customers are left holding the bag, with nowhere to turn. It can also be a blessing in disguise: for example, when IT discovers alternatives that show how far a technology has come elsewhere since its nascent stage.

Such happy endings happen. Take enterprise-level Digital Information Rights Management (DRM), for example. Also referred to as Information Rights Management (IRM) sometimes, it has come a long way since the aughts. This development is good news for organizations looking for AIP alternatives.

No happy endings on security islands

Information protection solutions of the past were difficult to deploy and scale. Workflows slowed down. Productivity suffered. That said, today, we see a different picture. The success of solutions such as Fasoo Enterprise DRM triggered a resurgence of the category, primarily for three reasons:

Mature Enterprise DRM solutions ensure comprehensive data protection that extends far beyond one or two document ecosystems.

Fasoo Enterprise DRM, for example, covers more than 230 document formats, including images, CAD files created with forty different applications, and old Microsoft Office documents that even AIP cannot encrypt. This approach extends beyond Microsoft Office or Adobe PDF files and prevents the creation of “security islands” that leave critical documents unprotected.

Centralized policy management and control beats having to deputize (and train) your end users as security experts.

AIP uses Secure Islands technology to categorize documents, which can result in certain limitations. Depending on a company’s Microsoft licensing level, users may have to manually label the documents they import or create and decide what protection and permissions to assign.

Other limitations concern larger organizations that deal with high volumes of unstructured data daily, such as financial institutions and globally operating law firms. AIP limits the number of sensitivity labels per organization to 500 for labels that assign encryption specifying the users and permissions.

Another issue in these industries is AIP’s lack of SDKs to facilitate integration with iManage and other Enterprise Content Management (ECM) platforms. In organizations that need to encrypt files across thousands of file-sharing folders and subfolders, this means they would have to apply an AIP label to each manually just for simple encryption.

Fasoo Enterprise DRM represents a different, “file-centric, people-centric” approach that enables organizations to preserve and support proven and efficient workflows. Policies defined by IT automatically determine at the point of creation who can access a protected document and how. Exceptions are handled flexibly and “on the fly”, for example by granting a provisional permission on a temporary basis.

Document protection in the cloud requires a mature enterprise DRM solution.

Cloud collaboration plays an important role in selecting an enterprise DRM solution. Companies now looking for alternatives to AIP are clear about this point: they want document protection that travels with the file and doesn’t end at their organization’s IT perimeter.

Their old information protection technology was devised years ago, with no consideration yet for the cloud. One consequence is that it can only protect sensitive documents on a computer or mobile device. Once the file is uploaded to the cloud outside the Microsoft ecosystem, document protection is lost.

In contrast, Fasoo Enterprise DRM ensures that persistent security remains with documents, pictures, audio, video, and 3D CAD drawings regardless of their location, whether in the cloud or on a flash drive. Senders can set a validity period or revoke access immediately, even after distribution. The organization remains in control of sensitive files at rest, in use, and in motion – no matter where they may end up.

Worried about your document protection getting stuck on a security island? In summary, these three rules will help you not to miss the boat:

1. Document protection worth its name requires properly protecting all confidential documents that need protecting, not just those preferred by one solution vendor. 2. If “automatic labeling” was the promise, you’ll hate seeing it turn into manual labor over a few hundred or thousand file-sharing folders. 3. No company is a secure island; the cloud is real, and so is the need for document protection in the cloud.

Contact the Fasoo team to find out more!

How to Protect CAD Files and Workflows Against IP Theft

How can you protect CAD files against IP theft, data leakage, and tampering? In 2022, securing confidential data along the supply chain, end-to-end, is paramount.

Manufacturing companies face growing pressure to better shield their trade secrets from prying eyes. Since the beginning of the coronavirus pandemic, they have been hit by a wave of intellectual property (IP) theft by insiders, cyber attacks, and data leaks caused by negligence.

In particular, instances of engineers copying critical CAD drawings on flash drives on their way out the door have increased dramatically. Among the victims are automotive, aerospace, defense, and semiconductor companies.

CAD/CAM/CAE files often contain the most valuable know-how in these industries. They hold the key to the company’s future – or to that of a competitor, if outsiders get hold of the data. That’s why more manufacturers now adopt Enterprise Digital Rights Management (Enterprise DRM) for end-to-end document protection. So what does it actually look like to protect CAD files from the engineer’s perspective?

CAD file password protection is for victims

CAD file password protection can be guessed or cracked. Data Loss Prevention (DLP) tools provide only limited protection. Enterprise DRM, on the other hand, provides an alternative. Based on a data-centric security model and strong FIPS 140-2 encryption, it is the key to a viable Zero Trust strategy.

Let’s take the automotive industry, for example. Many companies in the mobility sector realize the need to secure their CAD drawings and other unstructured data properly. The wide variety of CAD tools and file formats used across various companies in the supply chain poses a major challenge.

A viable solution protects Catia, Creo, or Siemens NX drawings, plus Solidworks, SolidEdge, JT, 3D-PDF, or STEP files, among many others, depending on the use case. Their quest for effective and gapless document protection leads many companies to Fasoo Enterprise DRM, which covers more than 230 applications and document formats. This means the company can encrypt, control, and track its sensitive data – no matter where it goes or who handles it.

How to protect CAD drawings without productivity loss?

These capabilities are now crucial in the automotive sector, where information security teams were hit by a triple whammy during the pandemic:

- Remote work and unmanaged devices have created blind spots for IT and increased insider risks. In addition, remote access vulnerabilities like misconfigured VPNs and spotty endpoint security make it easier for outside attackers to penetrate corporate networks, often through supply chain partners.

- In the automotive industry, the “great reset” – the shift to development and production of “intelligent” electric vehicles (EV) – is coinciding with the “great resignation”. Companies struggle with higher turnover rates among their top talent, including senior engineers who join competitors.

- IT in manufacturing companies is particularly impacted by both developments. The coronavirus crisis exacerbated personnel shortages in this sector. In many organizations, this development has increased the vulnerability to data theft and leaks. Critical software patches, for example, are often postponed or missed altogether.

As a result, companies take additional measures to secure their CAD drawings. One concern IT has to deal with is: How will the new CAD file protection impact workflows in the engineering department?

CAD file protection without gaps or friction

In organizations that deploy Fasoo Enterprise DRM, such concerns are quickly alleviated. Let’s look at a leading automotive components supplier, for example.

Brake caliper (red)

Here’s what happens when a design engineer opens and modifies a Fasoo-protected 3D CAD drawing of a brake caliper:

- 1. The engineer finds and clicks the CAD file in the company’s Product Lifecycle Management (PLM) system. This is also where related data sets, such as process information, are stored and maintained. This system is shared by the company’s tech centers on several continents.

- 1. This particular document opens in CATIA, the tool it was created with. Like all files containing confidential IP, it was automatically encrypted by Fasoo at the point of creation, with specific permissions assigned to a limited group of authorized users. As a senior member of the development team, our engineer can download, view, and modify the file.

- 1. The senior engineer reviews the CAD drawing and discovers a possible improvement opportunity that would make the caliper piston more efficient. To be sure it hasn’t been incorporated before and abandoned, the user runs and downloads a report from the PLM that includes updates and revisions of related documents. Fasoo automatically encrypts this report as it is downloaded to the engineer’s computer.

- 1. In the next step, our user saves an excerpt of the 3D geometry as a PDF file to email to one of the company’s outside engineering consultants for discussion. Because security policies automatically apply to file derivatives protected with Fasoo Enterprise DRM, the new file inherits the security of the original file. The senior engineer then manually grants temporary access to the engineering consultant, who now can view and annotate the PDF before submitting a formal quote for this project.

Throughout the process, Fasoo Enterprise DRM secures the CAD file and its derivative at rest, in transit, and in motion. Equally protected is all associated unstructured data, such as Microsoft Office, images, or PDF documents. Security policies are centrally managed and travel with the file.

An audit trail of document activities provides granular insight into how each CAD file and related documents are accessed during this process. This includes unauthorized access attempts. Seamless integration with the automotive company’s knowledge management system and flexible policy management ensure a frictionless user experience for engineering teams – no IT intervention required.

Do you have questions about protecting CAD files and workflows with Enterprise DRM?
Contact us here.

IP Protection Over Workflows? “People don’t want their productivity to dip”

How to stop intellectual property leakage and theft in manufacturing?

That was the topic of a discussion hosted by Fasoo at the 2021 Apex Assembly Tech Leaders Northeast Summit. CTO Ron Arden spoke with Hillary Fehr, Senior Cyber Security Researcher with GE Gas Power, and Chris Babie, Staff Cyber Security Researcher with GE Gas Power, about the challenges of IP protection in the manufacturing enterprise.

In Part 1 of this conversation, IP Protection: “We need a tool with a wider scope”, we focused on how to protect sensitive CAD files, 3D-PDFs and other PDF file formats, in addition to the wide variety of Microsoft Office and other documents typically found in innovation-driven manufacturing companies.

In this post, Ron, Hillary and Chris zoom in on additional insider threats and risks introduced through the rise of the cloud and the rapid shift to work-from-home due to COVID-19.

What advice do the GE security researchers have for IT leaders in manufacturing companies looking to update their document protection program? Find out in Part 2 of the conversation:

Ron Arden: With everybody being remote, all of a sudden new threat vectors are appearing. There are things you didn’t even think about before. Somebody is going to copy something to their private OneDrive or their Dropbox account because it’s convenient. It’s easy to move stuff around. We all used to copy things to our USB drives, but now it’s just as easy to go to a cloud service. You know employees are just working along, and they’re not really worried about all of this.

Chris Babie: Exactly. Most of it is amiss on our [the IT security] side. If we told [engineers] the proper running rules, they wouldn’t perform that risky activity. People want to back up their data. Right now, there’s no help desk for them. I think people don’t want their productivity to dip. That’s a perfect example of the “I need to make sure my data is safe, hey, let me move it to my desktop” kind of thing. We need an answer for that now.

“A ton of new risk has bubbled up”

Hillary Fehr: And engineering machines, which typically were in a lab environment in the business before, now are in somebody’s home. That’s a whole other layer of risk that was never there.

Chris Babie: We kind of knew that our “walls” in the manufacturing environment were okay. Now you’re worried about “does a virus now get on that machine?”, “is the home network protected?” It’s not even a data protection issue alone anymore. It’s also a home networking issue. A ton of new risk has bubbled up.

Ron Arden: Chris, what was your experience with other solutions that you use to protect and control sensitive documents?

Chris Babie: I think one thing that every solution struggles with in our world is scale. If you think about 300,000 folks, millions of transactions every single day, all these different mediums for transacting data. We already touched on the complex file types [see Part 1, IP Protection: “We need a tool with a wider scope”].

Our value is not driven by the standard stuff. It’s more in part files, CAD drawings. We were finding certain populations really love mobile. That’s just how they work. They’re very busy, they’re traveling, and it would work great on the endpoint. And then it would fall down.

We cover all these different complex workflows. Finding a solution that works everywhere is very challenging. It worked well when it was a standard workflow, very cookie-cutter. But we don’t do cookie-cutter at GE.

I talked about our vast network. I need a solution that works if it gets sent to an organization with 500,000 people and a supplier with three folks, and they’re more of like a mom-and-pop shop. We have a whole spectrum. We kind of cover everything, in terms of file types, network entity types…

How do you find something that works everywhere? It’s a challenge.

Wanted: IP protection that “works everywhere”

Hillary Fehr: It’s got to be adaptable, especially with business requirements and environments. We know how quickly those can change. Last year was a big indicator of your ability to really pivot and adjust your priorities and approach, based on new risks that come up in the business.

Chris Babie: We touched on user experience. That’s literally everything —the main bucket. If the user experience wasn’t there… – people do not like change. They just don’t.

We need to make sure that however they are working today, the technology works. That’s getting really hard to find with all these new solutions, cloud storage… It’s critical if we’re going to bring anything in-house.

Ron Arden: As you said, we all hate change. If we initiate the change, that’s different, but when the change is brought down on us – no. You got a job to do. The person who is creating the next generation of turbines has to focus on that. They cannot waste their time learning a new tool and completely changing their workflow.

And like you said, Chris: If you go out to GE’s smaller suppliers, they work the way they work. I mean, you might be able to impose some things on them. Still, they want to work the way they want to work. Mobile is extremely important today. Working with a flexible solution is key.

Adaptability is key, because the tool should adapt to you. You shouldn’t have to force yourself to adapt to the tool because that never works. People just get annoyed, and they don’t use it.

I’d like to wrap up with one last item. Hillary, what advice would you give to people listening in?

Hillary Fehr: I would say you need to know where your data is. You need to have a strong process for identifying your data, tracking it, understanding the movement, how that data is used.

Until you have that, you really don’t know where you have sensitive data and how to protect it. Once you have a good understanding of what that data movement looks like and where that data is, you can start to build your approach to data protection.

Data protection is about auditability, too

Like we mentioned before, it’s also important to listen to the business because things are changing all the time. So you need to understand the business processes and be adaptable as they change and as the business priorities change.

You need to have standards and best practices in place. Not only to outline the do’s and don’ts for your end users, but also from an auditability perspective. It gives you legs to stand on.

Ron Arden: Chris, your advice?

Chris Babie: We touched on it – communication and education. In the insider threat space, we wouldn’t see a dominant portion of the [insider threat] activity if we were simply upfront with them on how people are supposed to work, and how data is supposed to transact.

To anyone implementing a solution, I would say: Try to get really close to the business. Do you understand all the different use cases you’re going to encounter?

At least in our world, there’s all this function overlap. If you’re going to implement anything, it cannot be in a silo. There needs to be a major partnership with the business. Everyone has to have a seat at the table before we go in any direction.

Hillary Fehr: That’s a good point, Chris. I think relationship management is a big part of getting their buy-in, too, and building out your process – because your data owners are the ones that understand your data and can help you to identify the best approach to protecting it.

Chris Babie: Having some of these basic “101” items – assets inventory, knowing your environment – gives you a head start, especially at our scale. It can be very challenging, as you can imagine.

Hillary Fehr: You have churn of employees and contractors, and people who may have known where the data was – years ago – are no longer with the company. That’s where you need to partner with the business and the functional areas to get to the heart of where things are and what they do with them.

Ron Arden: In essence, what you’ve been saying is that you need a solution that is location agnostic, because you have a lot of systems. Some would be legacy; some might be brand new. In the cloud, on people’s phones, home devices, engineering workstations…

So you can’t rely on a perimeter. There’s no perimeter anymore. It’s everywhere. I’m guessing you probably even have storage assets that you don’t even know about because somebody put a server somewhere in a room and nobody remembers what’s there, and then all of a sudden you find out something of value is sitting on that device.

Hillary Fehr: Or an endpoint in their bottom drawer of their desk.

Chris Babie (chuckles): I can confirm that our data is everywhere. Most organizations need to shift towards that [location agnostic] model. There’s zero perimeter today. Our data is all over the world, in every system imaginable. How do we make sure it’s protected wherever it goes?

“Shift towards location-agnostic model” of data protection

Ron Arden: We have some customers with scenarios where they have to feed the data to machines. Those systems tend to be older, because of the cost of those types of machines. So you might even have a Windows XP machine that’s connected to one of these devices with important process information on it.

It’s sensitive information. If you’ve got a contractor or a person who just ups and leaves the business and says, “Hey, this might be really cool for me to take to my next company,” you’re never going to know that, and something very important walks out of the door.

Do the scenarios mentioned in this conversation sound familiar? Most innovation-driven manufacturing companies face similar challenges, due to remote work demands under COVID. This explains why manufacturers increasingly rely on a file-centric approach to protecting intellectual property.

Fasoo Enterprise DRM comes with centralized policy management and granular controls baked in that can be adjusted flexibly by the data owner. This approach enables large organizations to provide maximum protection – across the enterprise and its supply chain – against insider threats and IP exfiltration at scale, while maintaining workflows and productivity.

Watch Ron Arden’s complete Apex Summit Fireside Chat with GE Gas Power’s Hillary Fehr and Chris Babie here.

###

The transcript of this conversation has been shortened and edited for clarity and the blog format.

IP Protection: “We need a tool with a wider scope”

At the 2021 Apex Assembly Tech Leaders Northeast Summit in March, Fasoo hosted a discussion on IP protection in manufacturing. CTO Ron Arden spoke with GE Gas Power cybersecurity researchers Hillary Fehr and Chris Babie about protecting R&D, product designs, specifications, and other sensitive intellectual property (IP).

The typical person in a business creates and interacts with about 50 files a day. Most of this information is sensitive unstructured data or data contained in documents like CAD drawings, MS Office files, PDFs, and images.

Let’s look at an organization of 3,000 people, for example. You could see how quickly the numbers grow in a single day. Extrapolate this to a year, and you’re looking at a massive amount of files to manage.

Security is crucial to prevent the leaking of critical information. Employees share CAD files and other documents throughout the supply chain and with other employees or contractors who may not be with your company forever. The most significant risk to a manufacturing company are insider threats.

That insider threat could be someone with malicious intent who wants to steal your data. More commonly, it is someone who accidentally emails a file to the wrong person or puts a file into the wrong folder in your cloud sharing app.

Intellectual property (IP) loss results in competitive disadvantages that cost you time, money, and your reputation as a company. How can you securely share proprietary information through email, collaboration platforms, and mobile devices throughout your supply chain?

Defining the security perimeter in a large organization has become a major challenge, especially with so many people working from home. Your company may have employees or contractors using company-owned PCs connected to personal devices.

Data may go back and forth between them for convenience. Somebody copies a file from their work PC to a personal computer and prints it. That may be convenient for them, but you lose all track of that sensitive data as a business.

IP Protection Challenges in Manufacturing

Enterprise-level IP protection requires file-centric security to ensure business continuity. How exactly do you protect your intellectual property inside a manufacturing environment?

At the 2021 Apex Assembly Tech Leaders Northeast Summit, Fasoo CTO Ron Arden discussed this and related questions with Hillary Fehr, Senior Cyber Security Researcher with GE Gas Power, and Chris Babie, Staff Cyber Security Researcher with GE Gas Power.

Ron Arden: Hillary, what are the specific challenges in protecting your IP with solutions that only focus on standard Office documents?

Hillary Fehr: I think Office files are a good example. We see a lot of sensitive information, whether it’s PII – Personal Identifiable Information – or other personal data in documents that HR, Finance, Legal departments may use.

Specifically in a manufacturing environment, when you start peeling back the onion layers, you realize that there’s a lot of sensitive data in other file types we maintain: CAD drawings are one example. We also have 3D PDFs. And even source code can contain potentially sensitive information.

So it’s important that we have a tool that has a wider scope, to allow us to protect any format of data that the business may find worth protecting. One of the challenges you face, though, when you focus specifically on Office, may be compatibility issues.

A Windows-based application works well on a Windows machine, but we also have a lot of Mac users. The user experience may be different. The level of protection or usability may not be the same that you would find on a traditional Windows-based machine.

You’ll also face challenges with external sharing. As a manufacturing business, we share with our suppliers and a lot of third-party vendors. They may not necessarily use the same toolset as we do.

That means you lock yourselves into one particular software package when you focus your IP protection specifically on your own toolset. For document protection, we want to have the flexibility to have a tool that works with various files and can be used for other software out there.

Ron Arden: The different file formats I mentioned earlier get converted to other formats, too. It’s not just one type through the whole workflow. Instead, a supplier may need it in a special format, so you need that flexibility to be able to manipulate your data and provide it in a usable format.

Speaking of workflows – Chris, what is your biggest concern about meeting data protection needs of such a large organization when different divisions can implement their own solutions?

Chris Babie: My biggest concern with an organization of our size is the volume of data we have to protect. We’re talking about millions of different files here. As Hillary said, very complex file types – it’s not just your standard Office-type documents.

“Not just your standard Office-type documents”

With an organization of our size, think about its vast network. That means I not only have to protect transactions within my walls. It’s also about how many hundreds of suppliers, customers we’re dealing with. Millions of transactions are happening every day. How do you protect all of those workflows?

The workflows themselves are going to be complex. If you think about the engineering space – how many different software packages are used, or different systems of data storage? How do you make sure your security solutions can scale?

As for the second part of your question, Ron – different divisions implementing their own solutions – that’s really a non-starter in our world. We need to have a unified vision and be consistent in what tools we’re going to use.

That’s because of the amount of data we share and how we’re all intertwined in this one ecosystem. If somebody were to go rogue and build something else, it’s bound to fall down once data moves over into another part of the business.

So we need to make sure that we partner across all these different functions, all these other businesses, and have a common vision of the solution that we’re going to implement.

Hillary Fehr: I would say common guidelines, too. The toolset is one thing. But also having similar standards that we all use to set that baseline for our users is important.

Ron Arden: It sounds like you don’t want even different divisions within your business to be acting as external partners, like your supply chain? They’re all part of the same company, so you need to share data internally.

I understand it’s important to share with your supply chain. But you also need a set of common standards. Even at the level of a PC – if everybody was not using the same application, if I used Word and you used something completely different – all of a sudden we’re going to have obvious incompatibilities.

If you tried to create a unique data protection infrastructure under such circumstances, it’s going to be a nightmare.

Chris Babie: Yes, especially in this climate with its particular cost challenges. We need to make sure that there’s compatibility, or else we’ll have major productivity issues, and all of a sudden someone’s workflow totally breaks down.

We need to make sure that people can deliver the most value during these times. I think everyone’s in that cost-conscious setting.

Hillary Fehr: The other thing worth adding is that we have many functions driven by Corporate. So Corporate not only touches their functional area, but also provides services to all these different [internal] businesses.

That means they need to have the same user experience for each business by having that consistency across the enterprise.

Ron Arden: And I can imagine, if you have engineers who just move between divisions, and somebody moved to a different division, and it’s a completely different regime… – that can create productivity issues, as you said, Chris, and even training issues.

One thing I know about engineers is that they get used to a certain toolset, and that’s what they want to work with. So you can’t simply change the security infrastructure all of a sudden. That’s like pulling the rug out from under them.

“Pulling the rug out” is not an option

Because then, they’re going to complain, and your productivity is going to suffer. Hillary, given that engineers help the company generate a lot of revenue through their work – how do you minimize impact on their workflow while protecting your IP?

Hillary Fehr: That’s a good question. It starts with educating our end users, getting their buy-in. For engineers to make the business money, you really need them to understand the “why.”

Sometimes, it’s a matter of creating a shock factor, helping them understand the impact on the business if our sensitive data got outside our walls. Once you establish that and they understand the impact their data could have outside the business, then it’s a matter of slowly and incrementally working with them to build data protection into their already existing processes.

As Chris mentioned – we don’t want to interrupt workflows. We don’t want to stop business continuity. It’s important that we slowly get their buy-in and then work with them to identify key pockets of data and implement our solution.

That solution does have to align with current processes; they can’t overlay and cause them to have to change the way they do things. Otherwise, they won’t do it. Ultimately, it has to have a strong user experience, because if you have a tool that doesn’t work, they’re not going to use it.

Ron Arden: When you said “shock factor,” what you mean is proving to an engineer the impact it has if something leaves the business?

Hillary Fehr: Exactly. It could be our competitive edge, the financial impact, reputation – all of those different things. The data leakage doesn’t necessarily have to be caused with malicious intent. You need people to think about the criticality of what they’re working on, and if that were to egress outside of the business, what people could do with it.

Ron Arden: That’s a really interesting point you brought up – most of the time it’s not malicious. When something leaves the business, it’s usually what I’d call an “oops” situation, such as accidentally emailing the wrong file to somebody. Or I thought I was sending to Hillary, and I wound up sending to Hugh, who happens to be a competitor who’s in my address book.

The other point, as Chris mentioned, are issues with work from home. People are moving things around for convenience. Maybe they’re moving it to a personal device, which is never good… – and accidentally, something happens, and your intellectual property goes out the door.

IP protection and work-from-home: communicate and educate

Hillary Fehr: That’s true in other functional areas outside Engineering, too, where team members aren’t security experts. You’ve got Financial, you’ve got Legal, you’ve got Sourcing – they interact with data all the time that they send out to suppliers to get bids.

They’re not thinking about what happens to that data. So you have to educate them on why it’s important that they take an extra step or do a certain task to preserve that data and make sure that it’s maintained.

Chris Babie: Ron, to your point – in this new remote world, organizations need to focus on communication and education. I can confirm, people don’t know the running rules of remote work – yet.

They have all these digital assets that were never next to their company-issued endpoints. And now there are these new risks. They’re not malicious. They just need to know what’s okay and what’s not.

We would prevent many problematic activities if we were more proactive about data sharing, data storage, about: how should data move in this new world?

This remote arrangement is pretty permanent for a lot of folks. Organizations need to take the proper steps to learn how to protect their data within it.

Hillary Fehr: And it’s our job to educate them about what they can and cannot do, because these are new times. People don’t really know what the guidelines and guardrails are.

Read Part 2 of this conversation here: IP Protection Over Workflows? “People don’t want their productivity to dip”

Is your company dealing with similar challenges? Encrypting and controlling sensitive data at the point of creation reduces insider risks and helps protect your intellectual property. When employees or contractors change jobs, for instance, you need to be able to immediately revoke their access to sensitive files.

Rather than focusing on protecting location – like a cloud or file server – the flexible and future-proof solution is securing the file itself with file-centric, enterprise-wide Digital Rights Management (DRM).

Watch Ron Arden’s full Apex Summit Fireside Chat with GE Gas Power’s Hillary Fehr and Chris Babie here.

The transcript of this conversation has been shortened and edited for clarity and the blog format.

How Can Your Remote Workforce Collaborate Securely?

Never has there been a better litmus test for seeing how agile your business is than responding to a pandemic. A recent survey by leading research firm Gartner confirmed that most businesses will shift some employees to remote work permanently as a result of COVID-19. Even from home, employees need to collaborate securely with colleagues, partners and customers to stay productive and meet deadlines and goals. While video chat and instant messaging lets you communicate, a lot of collaboration is through documents. Ideally you want to easily share documents, make sure everyone is working on the most recent version, and be able to securely manage all your projects. With the major shift to working at home, the time to double down on data security is now.

Deploying a collaboration environment on the fly is not something you can do overnight, since it costs both time and money. The fastest way to hit the ground running and share files without losing valuable time is to use a cloud-based system with a web interface. This keeps projects on track with minimal disruption.

A key ingredient to secure collaboration is not burdening your employees or third parties with making security decisions. Wrapsody eCo is a secure and reliable collaboration platform that encrypts all shared files and makes it easy to collaborate securely. By configuring workgroups with built-in policies and permission management, your employees continue to work without worrying if decisions don’t follow policy. You can also set an expiration date for your projects or revoke access to documents immediately, which simplifies security for users. They have a job to do and don’t need to worry about setting security policies.

Users can easily create a workgroup for a project and define security parameters, like permissions on downloaded files or view access to a document in a browser. Project managers can invite employees, partners and customers to the workgroup with a few clicks. As project members upload documents, they are automatically shared with the workgroup. Each workgroup has a centralized policy making it easier to enforce security on all documents.

As people work from home, they may fall into bad habits like downloading documents from protected cloud applications to work on locally. This is especially true if they do it out of frustration because the internet is slow or they are having problems with their VPNs. That could also lead to emailing files, only exacerbating unsafe data handling practices. Secure in the Wrapsody eCo environment, downloading documents locally is a non-issue. When a user downloads a file, they can only open it if they have access permissions. If someone accidentally sends the file to an unauthorized user, it is still protected because the unauthorized user will not be able to view the contents.

The other challenge with collaboration is ensuring project members are working on the latest document. If you are updating a financial spreadsheet, for example, you can’t work on an old version. With Wrapsody eCo, you always work on the current version. As soon as you update the file and close it, it automatically syncs to a central location. The next time you open it, you get the latest version, secure in the knowledge that your data is protected and only available to authorized users.

Working remotely may become standard for a lot people. Collaborating securely and effectively can ease the burden and ensure your data security controls protect your most sensitive information. And that should give you peace of mind.

Photo Credit: Graeme Butler

Collecting Laptops From Terminated Employees? Protect Unstructured Data

I read a Tweet recently from “Accidental CISO” about collecting laptops from terminated employees during the pandemic that I deemed retweetable (if that is a word). Some comments focused more on the hardware – how to get it back – but this got me thinking more about what is actually on the hardware. What sensitive information, like intellectual property, might reside on them? It also made me think, in a situation like this, how the potential for insider theft is far greater.

Files containing IP can be either printed on home printers, sent over email to personal accounts, saved on a USB stick, screen captured and so on. These are not necessarily actions of malice, but obvious desperation to assist with the basic need for employment.

It reminded me of a webinar we did in 2019, Close the Gap on Insider Threat: Granular Access Controls and Behavior Analytics, where we focused on the best way to protect and control unstructured data without having to think about where it is located, who is accessing it or how it is being used. It’s part of a 3-part series, so check out the other two.

In my last post, I talked about how many companies are not prepared to suddenly support a remote workforce and provided some thoughts on things you can do. But this tweet brings to the surface the extent of how unpreparedness can lead to (and this is going to sound weird) intentional, non-malicious behavior.

I encourage you to think about it, watch, and at the very least, start putting a plan in place to protect and control your unstructured business critical information. The time is now to do your best research so when you are ready to pull the trigger on your unstructured data security project, you will be able to hit the ground running.

Photo credit Ian Sane

Pandemic Sent Your Workers Home? Reminders for Best Data Security Practices

Overnight, companies across the globe were forced into a fully remote workforce. If you are prepared, under the best of circumstances, it can still be a challenge, but if you are not, the challenges are even greater and some things can potentially fall through the cracks. People working from home can lead to a few unintended bad habits. With business continuity being the priority, data is even more at risk as hackers and thieves see opportunity when your guard is down.

For companies that don’t have tools in place, and for that matter, those that don’t have the right tools in place, here are some things you can do while ensuring the health of your employees, and your business stays on track.

Reiterate document handling policies – remind workers creating documents of data classification schemes and to encrypt whenever possible for sensitive data. When in doubt, encrypt.
Remind your work-at-home staff of your security awareness training (SAT) (if you have a program in place) – there have been lots of reports of phishing and other types of scams going on because bad people will take advantage of the population when vulnerable. Ensure your employees know how to identify these things, whether you have programs in place or not.
Data sharing across email – it is always a best practice to remind workers that care be taken when sending an email with unprotected documents attached – double-check who is in the “To” and that appropriate protection is applied to what is sent.
Working in cloud applications – the clogged and slow internet may have some workers pulling documents out of the application to work on locally. And for the sake of expedience, some of these documents may be sent through email (see the previous comment), shared on a Zoom or Teams video conference, or remain on a local drive or in a folder, exposed to theft from outsiders.
Ensure your Wifi has a strong password and that your computers have anti-virus software installed – for the unprepared, some workers may be working on their personal laptops or desktops, may not have a VPN, may not have renewed the free anti-virus software installed, because “that will never happen to me”, and may not have created a strong Wifi password when first setting up their internet connection. Now might be the time to ask them to change passwords and check licenses on security software.
Printing – discourage printing sensitive information on home printers. While there isn’t much you can do to prevent this and foster secure printing, discouraging workers from printing sensitive documents locally and encouraging them to work in the applications. Besides, it is good for the environment (save a tree).

While all of these might seem like motherhood and apple pie, they are just good reminders at a time when things happen so fast.

Photo by Kate

Tariffs Hitting the Automotive Manufacturing Industry Is Bad Enough, But Intellectual Property Protection is of Huge Concern!

Intellectual property is a valuable asset in manufacturing, and more specifically the automotive industry. It is particularly vulnerable to theft. In our Webinar “Close the Gap on Insider Threat: Granular Access Controls & Behavior Analytics” , we cited a Deloitte survey where the respondents put the automotive industry at the highest risk of insider cyber threat. Executives, IT and security groups need to put serious consideration into protecting their intellectual property in files, especially when handled by multiple parties.

The auto industry is suffering because of the trade war between the U.S. and China. While they have enough to worry about with tariffs, it doesn’t mean they can let their guard down with protecting CAD/CAE designs, which are very critical to their success. It’s a very competitive market for both talent and designs. In fact, one of our customers considered themselves the “University of Auto Manufacturing”. They would put time, effort, and money into training individuals on their designs, giving them access to their precious CAD/CAE files only to see them walk off on a USB stick and show up at a competitor. They got tired of that and took control of their intellectual property by encrypting files and assigning them granular access rights. They stopped the bleeding since only authorized users could access the files.

Fasoo recently talked to Engineering and Manufacturing executives seeking solutions to safeguard their intellectual property. We talked to one executive who said protecting data going into and out of the machines in their manufacturing environment was the “big challenge”. Another was looking to integrate security into its recent standardization on a new PLM platform. Seamlesss integration into existing workflows is critical to success.

Protecting designs in CAD/CAE files from insider threat and ensuring security across the supply chain and third-party sharing apps are becoming part of the conversation when developing data governance and policy management strategies. Companies need solutions that regain control of their sensitive data with particular emphasis on encryption and access control.

Geese at the ISMG Cybersecurity Summit in New York? It’s all about teamwork!

Last week, Fasoo sponsored and participated in the ISMG Cybersecurity Summit in New York City. It was a great event, well attended and in the Theater District and the ISMG folks were awesome to work with!

As part of our sponsorship, Fasoo had a 10 minute Tech Spotlight where, rather than providing a “death by powerpoint” tech dump, we thought it would be good to get everyone thinking about working together as a team with respect to their data security initiatives by following the example of geese. Below is the recap for the greater audience.

When geese fly south for the winter or are moving from one pond or lake to another, they do so in a V formation. There is a bunch of science around this, but to make a long story short they:

Flap their wings to ensure better lift and a more efficient flight
They take turns leading the way to ensure each have had a break
They stick with each other in times of trouble

Geese are sensible in that they share the responsibility of working together as a “team” to help them get to their destination efficiently and meet the goal of the journey! For the purposes of this post, we equate the journey to better data security across all businesses.

Many organizations’ stakeholders (C-Level, business unit leaders etc.) don’t talk to one another with respect to how they need to handle data security. Each has their own agenda, process, budget, ideas and such, but much more can be accomplished when working together. Understanding each others’ goals and coming up with a plan on which to execute. And so, think about the flock of geese and their relocation journey (to the south, from body of water to body of water) the way you should think about your data security projects and initiatives. Work as a team. Talk to one another and get on the same page. Talk about your data and make a plan with the goal toward protecting it and creating a stronger data security strategy that, as a company, you can achieve. Understand each other’s goals and ensure that you reach them.

Now, some geese – you may or may not know – get what is called “angel wings” – they are little tufts of feathers sticking out of the side of the wings. It is usually caused by a poor diet (i.e. bread – please don’t feed geese bread – it is no good for them) – so for the purpose of this blog, an incomplete or non existent data security strategy – but it leaves them unable to fly and vulnerable to attack from a predator (much like data to a hacker or thief without a good strategy), and ultimately – left behind.

Like the geese, work together and make sure that your journey toward stronger data security is attained. And keep in mind, things don’t happen overnight. There will be disagreements and things might feel as if they are going nowhere. But don’t give up!

The upside? There are many, but great things can come of working together as a team because, you will find that by talking to one another, you’ll discover commonalities across the organization about how data is collected, handled, and used making the journey simpler than you think. And if you feel that your organization is NOT talking? Be the thought leader or pioneer for your company or business unit. Start the conversation. I’ll help you!

Bring your ideas to the table and don’t let your business be the goose that wound up with angel wings, left behind and vulnerable to attack.

Photo credit Vivek Kumar

Blog

Document Virtualization

Get Rid of ROT

Access Control

Wrapsody in Action

What is an “insider threat”?

1. Raise your organization’s threat awareness.

2. Know the IP theft threatscape.

3. Identify what’s most at risk of IP theft in your organization.

4. Determine who’s posing an insider threat.

Negligent insiders

Insiders are compromised when

5. Prevent the #1 IP theft scenario.

6. Establish or expand your threat intelligence program.

7. Monitor to identify insider threat warning signs.

8. Choose productivity over paranoia.

9. Put manageability and flexibility first.

10. Select DRM that enables centralized policy and visibility

No happy endings on security islands

CAD file password protection is for victims

How to protect CAD drawings without productivity loss?

CAD file protection without gaps or friction

“A ton of new risk has bubbled up”

Wanted: IP protection that “works everywhere”

Data protection is about auditability, too

“Shift towards location-agnostic model” of data protection

IP Protection Challenges in Manufacturing

“Not just your standard Office-type documents”

“Pulling the rug out” is not an option

IP protection and work-from-home: communicate and educate