Friday, October 27, 2017

Cyber-Attacks Are Here to Stay – Here’s What You Can Do to Protect Your Business

By: Elliot Forsyth

There’s a popular saying in cybersecurity circles:  Businesses today fall into two categories—those that have been hacked, and those that have been hacked but don’t know it yet.

Clearly, cyber-attacks are becoming increasingly sophisticated and frequent, with a reported 4,000 attacks on small businesses each day. These attacks take many forms, from ransomware to spoofing to phishing, among others, and for most manufacturers, just one cyber-attack could be catastrophic. Guarding against cyber threats may seem to be a daunting task, but it is no longer optional; cybersecurity is a business decision, and there are methods and safeguards that can help protect your company from cyber threats. Below is a list of strategies for avoiding dangers from both inside and outside of your business.

Address the Human Component of Cybersecurity

Employees within a company may not be aware that they are responsible for the majority of security breaches that occur. In fact, more than 61% of cyber-attacks involve end users, or inside users who have access to sensitive data as a part of their job. Additionally, 63% of attacks stem from password breaches due to employees using weak or default passwords. As a result, it is necessary to educate staff about the implications of cybersecurity and how their actions may impact it. Lower the possibility of cyber criminals hacking into accounts by enforcing password complexity and prohibiting password reuse. Screening employees prior to entrusting them with confidential information also could prevent security breaches. Implement ongoing training on cybersecurity procedures to keep policies and practices top of mind.

Limit & Control Access

Have you considered how your physical facility may be enabling cyber-attacks? Think about who has access to what, and how secure your building and systems are. By limiting access to organizational systems, equipment and operating environments to authorized personnel only, your business will be significantly more protected from outside threats.

Conform to the Latest Security Standards

Because cybersecurity presents a growing risk to industries nationwide, government agencies increasingly are instituting formalized cybersecurity requirements for businesses to follow. The National Institute of Standards and Technology (NIST), for example, has developed the guiding document for contractors working with the Department of Defense (DoD). NIST 800-171, as the publication is called, requires these manufacturers to become compliant in 14 policy areas, all dealing with information security, by Dec. 31, 2017. If your existing contract says that you must meet all DFARS requirements, then by signing this contract you are obligated to meet these cybersecurity requirements by December 31, 2017. Future DoD contracts are at risk for those who do not comply. This risk is real, and it’s not going away. In reality, cybersecurity is only going to grow for our state’s manufacturers, as automotive OEMs are developing plans for a consistent approach to cyber requirements. Other industry segments are looking to do the same.

An Invitation to Learn More

For those interested in learning more about this subject, the upcoming Integr8 conference in Detroit, hosted by Automation Alley, will cover cybersecurity, as well as a number of other issues currently facing manufacturers. The one-day conference on November 9th will feature more than 70 speakers who will discuss topics related to the eight technologies currently disrupting the manufacturing industry, including big data, cloud computing and additive manufacturing.

The cybersecurity session that I will be a part of will focus on a seven-step approach to navigating cybersecurity and the importance of prioritizing information security within your business. Those who attend the conference will gain insight into new technologies that are becoming a part of the industry, understand what the future of manufacturing looks like, and learn how to handle the increasing threat of cybersecurity. To learn more or to register, visit


Elliot Forsyth
Vice President of Business Operations

Elliot Forsyth is Vice President of Business Operations at the Michigan Manufacturing Technology Center (The Center) where he is responsible for leading practice areas that include cybersecurity, technology acceleration, marketing, market research and business development. The Center plays a lead role in coordinating and streamlining technology-related services to Michigan’s established industries and in assisting businesses to diversify into new and under-served markets.

As a National Institute of Standards and Technology (NIST) affiliate, The Center has developed a state-of-the-art cybersecurity service for companies in the defense, aerospace and automotive industries. Over the past two years, Elliot led this effort and expanded his expertise in cybersecurity, supporting Michigan companies to safeguard their businesses and maintain regulatory compliance. As a result, Elliot has been quoted and interviewed by print, broadcast and online media outlets, and has presented at numerous conferences and events.

Prior to joining The Center, Elliot spent more than 20 years gaining broad, global business experience in high tech and manufacturing companies. He has a proven track record and practiced methodologies to transform global corporations for high growth and profitability.

Since 1991, the Michigan Manufacturing Technology Center has assisted Michigan’s small and medium-sized businesses to successfully compete and grow. Through personalized services designed to meet the needs of clients, we develop more effective business leaders, drive product and process innovation, promote company-wide operational excellence and foster creative strategies for business growth and greater profitability. Find us at

Friday, October 20, 2017

How to Proactively Manage Supply Chain Disruptions

By: Roger Tomlinson

It can often prove essential to be a proactive problem-solver in business. Even the smallest problem can snowball into an issue that is detrimental to the success of a company. As a result, many manufacturing facilities have found it more and more conducive to adopt a highly proactive approach towards managing their supply chain disruptions. Manufacturers must make it a priority to closely examine potential hazards in order to minimize corresponding risks.  

Suppliers Risk Assessment
Wondering where to begin? Start with a risk assessment that identifies and analyzes risk. Consider four fundamental risk questions:

  • What might go wrong?
  • What is the likelihood (probability) it will go wrong?
  • Can I detect it in time to prevent the event from occurring?
  • What are the consequences (severity)?

To proactively manage risks, build a risk management program tailored to fit your company. 

Here are two key points to keep in mind:  

  1. Consider the amount of revenue that is at risk (Value at Risk) for each of your value streams
  2. Remember to evaluate sub-tier supplier risk

A Supply Chain Risk Management Plan has four key components:

  • Risk Identification
  • Risk Assessment
  • Risk Action Management
  • Risk Reporting and Monitoring

Score Your Suppliers
Certain suppliers have more inherent risk than others. To track the risks that come with different suppliers, be sure to calculate the impact of the risk event. This will enable you to rank different suppliers based on their risks. Laying out different risks will help you better understand your suppliers, and it also will enable you to discover risks that may not have been immediately visible before.

Identify Your Critical Suppliers
Critical suppliers should be ranked by the amount of revenue that is at risk, rather than top spend or top threats. The location of each supplier matters. Look at historical disasters and note their geological locations to get a better sense of how at-risk a certain supplier is.  

Next determine a mitigation strategy to reduce the Value at Risk for each supplier. A mitigation benefit analysis can then be compared for each supplier. 

This will help to determine if the proposed mitigation strategy is cost effective. The cost to implement is compared to the reduction in the Value at Risk for each supplier. This comparison can be very useful in supplier decision making.

Continuous improvement in supply chain operations is a key component in the future success of manufacturing facilities around the world, and yet there always will be an element of risk. Every manufacturer will experience glitches in their supply chain management system at one point or another. It is how you choose to manage these glitches that will ultimately decide your level of success.

The Michigan Manufacturing Technology Center regularly offers courses that include an FMEA-based Risk Assessment tool that helps identify the triggers of risk events, the importance of developing a plan to mitigate them when they do occur, and how to establish monitoring metrics and activities to be prepared for the inevitable. Search The Center's full course schedule here.

Roger Tomlinson
Lean Program Manager

Roger Tomlinson has been a Program Manager in The Center’s Lean Business Solutions program for 14 years. He has trained and mentored hundreds of Michigan manufacturers in the entire portfolio of Lean strategies and methods (e.g., Kaizen events, Standardized Work, 5S/Workplace Organization, Value Stream Mapping, Total Productive Maintenance, Culture Change, Team Building, operations management and process re-engineering). He is also involved in Transactional Lean Office, which identifies and eliminates waste in the office areas in a company.


Friday, October 13, 2017

Small-Business Cybersecurity is Twice as Nice as Pumpkin Spice

By: Pat Toth, National Institute of Standards and Technology (NIST)

I think we’ve taken this pumpkin spice thing too far. Don’t get me wrong, I love fall. That first crisp evening when you need to put on a sweater, the crunch of leaves under your feet, homecoming football games, but pumpkin spice? It’s obvious that the pumpkin spice council’s marketing team has done an outstanding job because it’s in everything now: cookies, chocolate candy, ice cream, oatmeal, pancakes, marshmallows, and now even in a special “limited edition” of my favorite breakfast cereal.

Enough! I’m calling a timeout on pumpkin spice.

Maybe I find pumpkin spice season distasteful because it has eclipsed a less well known but much more important annual October event: National Cybersecurity Awareness Month.

While many of you may not anticipate National Cybersecurity Awareness Month with the same relish as the arrival of pumpkin spice, for me, it’s a time for renewed hope and celebration. Like Linus sitting in the pumpkin patch waiting for the arrival of the Great Pumpkin, each year I wonder, “Will this be the year that small businesses truly recognize the importance of cybersecurity? Will they act to protect their business information and assets?”

Many larger companies in the U.S. have dedicated resources—including people, technology and budgets—to protect against cybersecurity threats. As a result, they have become much more difficult targets for malicious attacks from hackers and cybercriminals. Consequently, hackers and cybercriminals are now successfully focusing more of their unwanted attention on small companies, including manufacturers.

For example, many cybercriminals view smaller businesses as being less secure and more vulnerable to attacks such as ransomware. Your business may have assets that can be valuable to a criminal; your company’s computers may be compromised and used to launch an attack on someone else, e.g., a botnet, or your business may provide access to more high-profile targets through your products, services or role in a supply chain. This is of concern to suppliers in the Department of Defense supply chain, as their systems have to be in compliance with NIST SP 800-171 by Dec. 31, 2017.

It is important to note that criminals aren’t always looking to gain from their attacks. Some may attack your business for revenge, e.g., for firing them or somebody they know, or simply for the thrill of wreaking havoc. Similarly, not all cybersecurity events are caused by criminals. Natural events such as fires, floods or hurricanes can also severely damage IT systems. We have all seen the effects of the recent hurricanes in Texas, Florida and Puerto Rico. Would your business be able to recover from a similar storm?

The overall impact of a cybersecurity incident could include:

  • damage to information or information systems;
  • regulatory fines and penalties/legal fees;
  • decreased productivity;
  • loss of information critical to running your business;
  • damage to your reputation or loss of consumer confidence;
  • damage to your credit and inability to get loans from banks; or
  • loss of business income.

Unfortunately, small manufacturers often have more to lose simply because a cybersecurity event—a hacker, natural disaster or business resource loss—can be costly enough to drive them out of business altogether. Small businesses are often less prepared to handle these events than larger businesses, but because they generally have less complex operational needs, there are many steps a small business can take to protect itself.

National Cybersecurity Awareness Month can help you learn how to protect your business. While cybersecurity is continually in the news—hardly a day goes by without some breach or cyber event—we rarely hear about ways to prevent these incidents from occurring. THIS IS THE TIME to spread good security practices within your business. Awareness, training and education are fundamental tools for small businesses to use to protect their company information, assets, IT systems and reputation.

Cybersecurity in a small business doesn’t necessarily mean hiring an expert on staff or as a consultant. The NIST Hollings Manufacturing Extension Partnership has cybersecurity resources for manufacturers as does the NIST Small Business Center.

Some basic cybersecurity topics that you may want to consider for awareness training for your employees include:

  • recognizing phishing attacks;
  • understanding the risks associated with the use of social media;
  • keeping your systems clean by installing patches and using the latest versions of software; and
  • avoiding public Wi-Fi when using mobile devices such as smartphones or tablets.

Having your employees understand these cybersecurity issues and how to address them in the workplace could potentially save your business. Your employees are your first line of defense in protecting your business against cyber-attacks.

October is a good time to enjoy a pumpkin spice latte—or cereal—if that’s your thing. But I hope you take at least a few moments to teach your employees to be more aware of the cybersecurity risks, threats and vulnerabilities to your small business. After all, ’tis the season for your employees to learn how they can help prevent a cyber incident in the workplace.

And give me back my cereal!

(This article was originally published Oct. 11, 2017 by NIST's TAKING MEASURE blog)
