The Need to Ensure IP Security Measures are in Place When Engaging with an EMS Provider
06 November 2023
Though the offloading of production tasks to an EMS company clearly has numerous tangible benefits, from a cost as well as a logistical standpoint, there are risks that need to be mitigated first. It is absolutely paramount that the chosen EMS partner has implemented sufficient security measures to make certain that its customers’ IP is fully protected.
The figures speak for themselves. A study undertaken by industry body Make UK, in association with AIG, entitled ‘Cyber Security for Manufacturing’, which drew on data compiled by the Electronic Frontier Foundation (EFF), showed that 48% of all manufacturing companies have suffered the effects of some form cybercrime. Of those, 50% admitted that failures in the security mechanisms had meant that financial losses ensued. The maximum effort must be made to keep confidential and business sensitive data (such as source code, architectural layouts, CAD files, etc.) out of the hands of malicious actors.
Though many data breaches are the result of intentional cyberattacks emanating from external sources, it must be acknowledged that this is not the only threat. Research conducted by reputable financial advising firm Kroll, based on a survey of over 1,000 CEOs and CFOs, found that at least half of all IP leaks originate closer to home - with the company’s own workforce, contractors, 3rd party suppliers or distributors being responsible.
Structural and behavioural complexities accentuate security problems
The very nature of today’s multinational OEMs, with their different sites around the globe, use of consultants and their reliance on numerous external entities, heightens the opportunity for intentional and accidental data breaches to be witnessed. Furthermore, putting safeguarding in place is incredibly difficult as a consequence.
The potential threat is made even more acute through the various ways that data is now transferred between organisations, alongside our increasing dependency on the cloud. In addition to email, there are channel-based messaging platforms (like Slack and Teams), plus file transfer services (such as Google Docs, WeTransfer, DropBox, etc.). To add still further headaches, a multitude of physical and environmental security risks need to be taken into account. Often, these can be overlooked by business operations with widely distributed employees. However, if a well-defined set of data security procedures are not put in place and continuously adhered to by employees then data is certain to be made vulnerable.
Ensuring your EMS partner is data secure
When deciding upon which EMS firm to engage with, the following points need to be considered:
• Will it be possible for the exchange of sensitive data between your operation and that of the EMS partner to be done via encrypted routes?
• Does the EMS partner have a dedicated and secure document management system, or can it give you secure access to its servers for data transfer?
• How safe is your data when it arrives at the EMS partner? What document control processes have been implemented - how defined is the EMS partner’s training in relation to data protection, password protocol, file transfer and handling of hardware?
• What anti-hacking software does it utilise?
• Is it carrying out regular checks to identify any potential vulnerabilities?
• What day-to-day physical security checks of the premises does it conduct?
Since the manufacturing sector relies on a convoluted global ecosystem, supplier relationships are often dealt with remotely. Executing due diligence under such circumstances can therefore be challenging. If you are dealing with a long-distance partner, it should be established what information is needed for vetting purposes. Both cyber and physical data security measures must be evaluated when deciding on a suitable EMS provider.
Based on all this, companies should look for EMS partners who have ISO 27001:2013 information security management system (ISMS) accreditation. Through this, they will have reassurances that the partner can control data and properly protect customer IP that is being shared with it.
The importance of ISO 27001:2013
The ISO 27001:2013 standard provides a risk-based framework for data security. It requires organisations to identify breach risks within their company and adopt appropriate controls across their business to tackle them. Through the standard, a shared culture of data security can be established across an organisation - so that IP can be kept safe from the possibilities of either intentional or accidental loss. Processes are provided that will:
• Identify the stakeholders within an organisation that are responsible for information security.
• Distinguish then subsequently categorise the risks to the data held by the organisation.
• Define the controls and procedures required to cope with these risks.
• Set clear goals for information security.
• Implement all the controls and other risk treatment methods.
• Measure whether the deployed controls perform to the levels originally envisaged.
• Instigate ongoing improvements in relation to security.
By engaging with an EMS that has been ISO 27001:2013 accredited, companies can be confident that it is in a position to:
• Control the prospective threats posed by security breaches.
• Build a culture of security awareness.
• Eliminate security loopholes.
• Mitigate the risk of unnecessary system downtime occurring.
• Lower the threat posed by cyberattacks
• Reduce human error in their data handling
It is important to remember that it’s not just cyber-related threats that can put data at risk. Lapses in perimeter security, equipment security and access control, plus documentation storage and work from home (WFH) policies should all be factored in too. With EMS companies situated at multiple locations around the world, it may not be possible to visit each place where your products are being produced. Having external verification that processes/procedures are constantly kept to will be necessary. This is why ISO 27001:2013 is invaluable.
OEMs will normally stipulate that their manufacturing partners have met the requirements outlined by ISO 9001, ISO 13485 or other standards. ISO 27001:2013 can often be overlooked though. As the prospect of cyber vulnerabilities and exposure IP theft become increasingly commonplace, companies need to bolster every part of their manufacturing workflow. The more elaborate it is, the greater the risks involved will be. For this reason, assurance of ISO 27001:2013 certification from all partners will be prudent.
Contact Details and Archive...