There is a lot of talk these days about cybercrime. News of large-scale IT security breaches are not unusual. Blame is often assigned to the sinister motivations of rogue governments, terrorists, or anarchists. But those closest to the problem say the root cause behind most data breaches is lax internal security, not the skills of cunning hackers.
A recent survey by the Ponemon Institute claims 71% of employees have access to data they should not see, and more than half say this access is frequent or very frequent. Other findings from the survey point to lax internal security as a serious problem in organizations of all sizes:
- 4 out of 5 IT practitioners (80%) say their organizations don’t enforce a strict least-privilege (or need-to-know) data model;
- 73% of end users believe the growth of emails, presentations, multimedia files, and other types of company data has very significantly or significantly affected their ability to find and access data;
- 76% of end users believe there are times when it is acceptable to transfer work documents to their personal devices, while only 13% of IT practitioners agree;
- 67% of IT practitioners say their organization experienced the loss or theft of company data over the past two years, while only 44% of end users believe this has happened;
- 43% of end users say it takes weeks, months or longer to be granted access to data they request access to in order to do their jobs, and only 22% report that access is typically granted within minutes or hours.
“This research surfaces an important factor that is often overlooked: employees commonly have too much access to data, beyond what they need to do their jobs, and when this access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences,” says Dr. Larry Ponemon, chairman and founder, The Ponemon Institute.
Engineering-driven companies are not immune to these problems; they might even be more open to problems due to reluctance to update software and IT infrastructure to modern capabilities. In my experience, engineering-driven companies are also more likely to treat engineering IT as “their problem” and not include it in more general IT oversight.
Synergis Adept client Gloucester Engineering Company (GEC) makes capital equipment for blown, cast, foam, and sheet products for a variety of industries. They were a pioneer in extending polystyrene into the food packaging industry. When GEC decided to leave behind an evolved legacy IT system that could not reliably track, protect, and efficiently deliver engineering documentation, it searched for months. Not only did GEC want engineering document management, they also wanted:
- A streamlined engineering change order process;
- Modern project management capabilities;
- Internal best practices for IT;
- Digitization for paper documentation from the 1970s;
- Protection of intellectual property.
The last one on the list could have easily been at the top. “Intellectual property security is absolutely critical,” says Dustin Weir, mechanical engineering manager at GEC. “Adept allows us—especially through this digitization effort—to go to all these different places and collect all the intellectual property and store it, organize it, and actually find that information when you need it.”
Not only did Adept bring the security GEC needed to engineering IP, but it also relieved the company’s IT department of a lot of day-to-day hand-holding. “Once the server is set up and your locations and ports are set up, you don’t need somebody from IT to do it,” says Weir. “It’s really a hands-off system for them.”
Good security begins at home. When employees are working with the data they need, and allowing their engineering document management system to take care of the security details, it is easier to protect the company from IT threats both inside and outside the organization.
You can read more about GEC’s decision-making process that lead to choosing Synergis Adept in a case study: http://www.synergissoftware.com/clients/case_studies/gloucester.html
Randall S. Newton is the principal analyst and managing director at Consilia Vektor, a consulting firm serving the engineering software industry. He has been directly involved in engineering software in a number of roles since 1985. More information is available at https://www.linkedin.com/in/randallnewton.