Nobody likes business to be slow. If you’re in a fast-paced world like manufacturing, seeing your machines or employees idle can drive a person insane. If you’re used to your production line working to capacity and suddenly business slows down, it can be a frustrating time.
When I was in the Army, we used our down-time to train and clean. On one occasion, we spent nearly two weeks waiting for a change of orders. By the end of the first week, every weapon, every desk and every blade of grass was spotless. There was nothing left to clean, so we cleaned it all over again!
Over time, I learned that down-time can actually provide a good opportunity to refocus before driving forward again. It offers time to take inventory, get a little creative and do some renovation, literally and figuratively. My personal down-time to-do list includes: organizing my papers, redesigning my closet, playing with my 3D printer, replacing my stair treads, fixing that one light switch, learning something I’ll soon forget and – though you may laugh – improving my cybersecurity posture.
It’s true, I’m a cybersecurity geek. I’ve been a cybersecurity researcher at NIST since 2011 and am now detailed to NIST MEP as the Cybersecurity Services Specialist.
You may also have a long down-time to-do list, but I want to encourage you to add three simple things that can have big cybersecurity rewards.
Just like with most projects, the first step in cybersecurity is knowing what you are working with. Two kinds of assets are critical: (1) any equipment that has a computer chip inside, including things like cell phones, robot arms and of course, computers, and (2) information.
Taking inventory of these items may not be as complex as you might imagine. One of the easiest ways is simply to have a notebook or whiteboard where, for a week or so, you write down every piece of information and equipment you can think of that you use, as you think of it. When taking inventory of your information, include where that information is stored. Make sure to include those things that aren’t written down anywhere, that might be essential to your business, like your grandmother’s secret dumpling recipe. For equipment or technology, try to find out if it’s connected to your network or the internet, what operating system it runs on, and if there is a log-in option (whether you use the log-in option or not).
People don’t usually think creativity and cybersecurity go well together, but those people are straight up wrong. Cybersecurity is a world of “what-ifs.” It’s storytelling, designing and creating. While looking through your inventory of information and equipment, ask yourself, “what if somebody wanted to steal it?” and “what if it was messed up, broken or incorrect?” Tell yourself a story.
If your story sounds like something Stephen King might have come up with, it’s probably time to change the narrative. Now here’s the deceptively fun part: dig out that old, dusty business plan of yours along with the safety policy, quality manual and any other documents you might have. Is it like looking at your high school yearbook, full of outdated ideas (and haircuts)? Use this opportunity to write a new plan, but this time, instead of a horror novel, write one where things aren’t so scary.
A cybersecurity plan should document what your business currently does to protect information and equipment, but you can also use it to document what your business could do. This is science fiction time: tell a story of how you are going to become a company that does cybersecurity well. It should be specific and include details on how and when you plan to reach your goals. For example, you may need to purchase new hardware, but it isn’t in your budget this year. Decide when you’ll make the purchase and include that in your plan. Basically, your cybersecurity plan is a roadmap to a more secure future for your manufacturing company. If you do business with the Department of Defense, you may have heard of the term Plan of Action and Milestones (POA&M) that serves as a formalized version of this futuristic story.
There are two things in cybersecurity that people tend to put off until it’s too late. These two things can have the biggest, most immediate impact. People put them off because they are tedious and often interrupt normal workflow, which makes them perfect for what to do when business is slow.
First, looking through your inventory of equipment, are you using obsolete operating systems or software packages? What about your browsers? Run those updates! Most updates fix security holes that are well-known and easy for somebody to crack into. Not updating your systems is like leaving the window down in your car and leaving your wallet on the seat. Don’t do it!
Second, change your passwords. All of them. It takes a bit to get used to a new password, so it’s best done when you’re not stressed about being able to log in immediately. Check those machines that don’t have a user log-in, as they may have a hidden, administrative password used to change settings. Make your passwords (or passphrases) long and difficult to guess but easy to remember. A good example might be a lyric from your favorite song or four seemingly unrelated words that have meaning to you.
Times when work is slow can often be times of worry and frustration, but they don’t have to be. Wisely using this time to refocus can be an immensely valuable exercise. Taking an inventory of information and technology is a simple yet powerful tool for building future cybersecurity capabilities. Imagining what a company might look like and designing a plan on how to get there can be an educational and inspiring activity. Updating systems and passwords is a must, and easiest to do when work is slow.
As a bonus, learn more about what you can do for your business with this NIST cybersecurity guide, and learn more about cybersecurity in general with this list of free and low-cost online educational content. If you’d like further advice customized to your business’ cybersecurity needs, reach out to your local MEP Center to connect with an expert from the MEP National NetworkTM.