Jonathan Heinz acknowledges that it took a while for his company to get moving on cybersecurity. But Metalcraft, a nameplate and ID tag manufacturer in Mason City, is behind no longer.
Heinz, Metalcraft’s chief information officer, said it was roughly three years ago when the company became vaguely aware that the U.S. Department of Defense had begun circulating new rules for how its suppliers should handle government data. Known as DFARS (Defense Federal Acquisition Regulation Supplement), the new rules eventually would impose tough new requirements on a host of government contractors.
“We were kind of behind,” Heinz said. “A lot of companies in the Midwest are kind of naive about the risks that are out there. Unless you have something pushing you, you tend to try to kick the can down the road, thinking ‘Who’s going to hack us? Who’s going to want our data?’ ”
“It kind of took some of our larger DOD customers putting out surveys for us to wake up,” Heinz said.
Once they did, Metalcraft quickly realized the potential to leap ahead of other vendors who were continuing to be slow in complying with new cybersecurity requirements. “We realized we could become the government’s trusted provider.”
Roughly two years ago, Metalcraft’s four-person information technology department began working with ProCircular, an information security and privacy firm based in Coralville, to toughen the company’s protections. ProCircular helped the company with event monitoring and toughening its protection against hackers, while Metalcraft used help from another company to install a “next generation antivirus,” write formal information security policies, and launch regular phishing tests for company employees.
Heinz said the company now has roughly 30 security policies that didn’t exist two years ago. And only around 1 percent of Metalcraft employees are ensnared in any given month by fake emails that the security company sends to test who’s willing to click on malicious links. (Anyone who does gets sent to refresher training.)
“Most of our users are pretty good now,” Heinz said.
It’s all about being aware and taking reasonable steps.
“You’re never going to be 100 percent secure,” Heinz said. “That’s impossible. It’s all about staying on top of it, always updating and patching the holes…. But you don’t realize how bad things are until you start.”
CIRAS is hosting a number of cybersecurity events in the coming weeks, including webinars on September 11, October 9, and November 13 covering various types of challenges the issue poses. A separate event is being planned for December.
For more information visit the above links and contact Shankar Srinivasan at srigshan@iastate.edu or 515-290-6702.