A visitor to Ferrari plant may find some of our rules too restrictive. Absolutely no cameras allowed inside, and we will need your signature to confirm that you were informed about this and some other key security measures. And if you need a laptop at the premises, be prepared to provide an explanation. But there is a good reason behind all this: when you make the best racing cars in the world, you’d better keep your secrets away from the competition.
What matters is not just the design and technology blueprints, but also the way we pass cars from one employee to another on a production line, how we stitch leather upholstery and assemble the engines. Our visitors have to understand our approach to security. In fact, our employees have to understand it even better. To achieve this we apply certain strict rules, but also invest heavily in employee education and, of course, in technical means of protecting sensitive information. Procedures and educational efforts do have something in common, and in this blog post I will explain why. But first let me describe in simple terms some of the challenges that we face.
Intentional data leaks
An employee deliberately handing commercial secrets to a competitor is by far the most complicated threat that we have to address. At the same time it is the most simple in terms of the range of measures to be applied. There is no need to tell a spy that he’s doing a wrong thing – he knows it! So the only choice here is to make it harder to steal the most sensitive information. We have to know when the protected documents are accessed, by whom and was there an attempt to copy it to a USB drive, print or send out via e-mail or another online service. We have to limit these types of activity and apply all possible security сountermeasures to our most guarded secrets, like the car design.
Accidental data leaks
Well, an employee may simply see things differently than a CISO: “sending tech specs of a new Formula One car to a competitor is a bad thing to do, but installing Dropbox for personal documents on an office computer is okay”. No, it is not. So you have to make people understand this, keeping in mind that not everyone is an IT professional. Education efforts like seminars and internal memos here have to be combined with technical measures.
Security rules at Ferrari are hard: the company doesn’t take chances.Tweet
‘Social’ data leaks
If you are a car fan, you have seen those blurry shots of new cars being tested, often with a certain camouflage on them. Unlike many other companies, we are always under constant attention from media. Who will become the new Ferrari Formula One driver? When Ferrari releases the new model? At some points in time we are glad to share this information with everyone, but there are obvious circumstances when we are very, very secretive. Now imagine a situation when our technical specialists travel to another country to conduct a very important testing of a new car. What if every expert checks in via Facebook at the airport close to the nearest race track? Does this qualify for a security breach? Well, sometimes it does, and while we can’t (and won’t) control our team’s personal online activity, we have to think about it is well. No technical means to combat such threats exist, though. This is when education is the only option.
Finally, a simple example of a challenge that can be addressed only via technical means. Whether it is a generic malware, or a highly sophisticated targeted attack, it has to be blocked at all costs. An efficient security solution, combined with certain limits to access data, separation of different parts of the infrastructure and restricting the use of removable storage is the right combination in this case.
So how exactly do we address these challenges? First comes the education: we teach people about handling sensitive information with security in mind. It is not always about knowledge: our team needs to understand that security is not just the problem of an IT department. It is an everyone’s problem! Procedures and restrictions help us as well. When one can freely copy and share any work documents, he or she may not understand what is dangerous and what’s not. When you have to apply for a permission to copy any file to a USB drive, you really think twice before doing that. And you do understand that this is a potentially dangerous operation. Such approach may bring a certain level of frustration (especially true for people responsible for communications), but we can’t take any chances.
Ferrari’s sensitive data is never kept in one place in its entirety.Tweet
Second important part is the technology means of securing our data. We have implemented a system, which controls and restricts the exchange of data. We have set up a protection perimeter for our corporate network. We have separated different parts of our IT infrastructure with firewalls. Finally, we fiercely guard certain types of data like car design and technology know-how. Such data is never kept in one place in its entirety. The list of employees with access to this information is short, and everyone has to request permission to work with it every time. Finally, the data is stored in physically guarded rooms.
Third part is the protection from cyberthreats: this is now done by Kaspersky Lab’s security solution. Of course, our main requirement for such security solution is the ability to block all types of cyberthreats, but it is not the only one. Performance and reliability are very important as well. And this is another big challenge that we will cover in one of the next blog posts.