Security Trends Heading into 2020 from Nymi
December 12, 2019
An interview with Andrew Foxcroft, VP of Sales & Marketing at Nymi. Grantek is a Technology Partner of Nymi. Nymi delivers secure, Always On Authentication to the enterprise. Pharmaceutical and manufacturing industries that deploy the Nymi authentication solution provide employees with a quick and easy way to achieve compliance and security standards without compromising productivity. Nymi Enterprise Edition is an industry-leading solution that makes audits simpler and less intrusive by ensuring uncompromised data integrity, traceability, and non-repudiation of a company’s electronic records.
What are Nymi clients most concerned with from a cybersecurity perspective as we head into 2020?
A lot of the companies that we’re dealing with are in the process of digitalization, looking at Pharma 4.0, artificial intelligence and big data analysis. So, a lot of new systems, technologies and techniques, all of which give them more power to understand the manufacturing process and how they can improve production and yields, in a whole range of different areas.
But as they start to embrace these new technologies, this acceptance of new technology effectively increases the attack surface. Many of the Pharma manufacturing companies where we have a lot of experience at the moment, traditionally their systems have all been closed off from the internet. Many of them haven’t allowed any connection at all. But as they embrace these new technologies it increases the attack surface. So, one aspect people are looking at doing is increasing the level of security they have over those systems. And that’s where Nymi has a role to play.
With that larger attack surface as a main cybersecurity concern, what are some of the things Nymi clients identify as vulnerable aspects of their operations?
Well it’s partly the security but it’s also the compliance. The two go hand in hand. So, from a security point of view, now that many of their systems are open to the internet, there’s more information that can flow across different areas. Knowing the identity of those who are accessing systems and having very good control over that is one aspect that is important to our customers. But at the same time, people are also very aware, and in such a highly regulated industry, that they need to be compliant. They need to know that when they are performing certain processes, signed off by the individual, that it absolutely is that individual.
Our customers are starting to do more activities around artificial intelligence and big data analysis, and they’re starting to make important business decisions based on the data. Not only from a compliance point of view but knowing who the individual is that performed the task becomes increasingly important to them.
So, you have new technologies increasing the attack surface, the continual requirement for compliance, and the need to ensure it is the correct individual accessing systems and performing particular jobs. These are all becoming more and more important as they embrace new technologies.
Are those vulnerabilities mainly with specific machines, manufacturing processes or corporate procedures?
It’s a mixture of other alternative ways of providing that security. This causes a lot of friction. So, if a production environment is looking for efficiencies on an ongoing basis, when you start turning the dial to increase security, generally speaking it has an impact on productivity and increases friction.
It’s something that end users don’t like – and as a result of that, human beings, being human beings, will try to find ways around that friction. So, a consequence, ironically, of companies looking to increase security with traditional measures is that their systems can become less secure because human beings try to find ways around those security measures, whereas if you have a security system that doesn’t cause friction people will not try to find ways around them.
So, it’s a bit of a dichotomy that organizations must deal with; the need to increase security while reducing friction. That’s generally talked about with some of the drivers for that new technology; borderless networks, etc. But if you just look in the general population, the number of cyber attacks is increasing and people’s general understanding of technology is increasing. So, there’s a desire to generally improve security, but as I mentioned, as you do that with traditional mechanisms you increase friction. People are people, and they will then look to find ways around that.
To counter that, for your Pharma clients, do you feel current regulations provide enough of a safeguard against those security concerns?
The regulations are fine in themselves, but it’s down to how companies implement them. One of Nymi’s customers currently has a 9-character password that a user must enter as part of their security policy. They change that password every 90 days, and that’s fairly standard.
In order to increase security, next year the corporation is moving to an 18-character password. The reason why Nymi is being deployed is that they understand in advance of that increasing security they need a viable solution. If they didn’t have a solution like Nymi it would have a massive impact in terms of their overall performance, employee satisfaction, people trying to find ways around those security procedures, etc.
That does sound very frustrating. Striking a balance between compliance and productivity must be tough for Pharma manufacturers. What are some of the other frustrations Nymi clients have shared with you as they work to improve both productivity and compliance?
A lot of companies that we are working with either have or are in the process of implementing workflow systems, manufacturing execution systems (MES) and other tools and techniques in order to theoretically improve performance. They also want to improve the quality and the consistency of their output. Ironically, something that we hear, time and time again, from end users or operators of the systems, is they feel resistant to change and they don’t actually like the new systems that are being introduced by companies.
And part of the reason for that is it now requires them to change how they work and how they operate, requiring them to type in again and again the username and password. So, when Nymi is being implemented with their systems, it takes away that point of friction. Some of the feedback that we’ve had from operators and users when they’ve deployed Nymi is: “It’s the best solution that our IT Group have ever deployed, because it takes away pain points and friction.”
We get very strong feedback from operators on how Nymi improves the perception of their overall day-to-day work. It helps the company achieve the benefits that they were looking for when they decided to deploy the automation systems in the first place.
Are there particular aspects of Nymi’s Enterprise Edition that have helped your clients relieve those frustrations?
Well one of the main aspects is that Nymi can work with pretty much any systems that are out there. We’re open and we have various ways to integrate the systems. But often what we find is in a particular environment – whether that’s factory, laboratory, packaging fulfillment, wherever it is, there’s often more than one system. So, by using Nymi you can have a consistent solution and a consistent user experience, irrespective of what applications or what environment they’re working in. That’s one of the architectural aspects that we built into the product, that clients can actually use Nymi across many different applications and different use cases and create a consistent and easy user experience.
You mentioned, Nymi’s Enterprise Edition can deliver some versatile solutions. What are a few of the more unique use cases you have seen when your clients implement the Nymi Band across their operations?
We think about our solution as a really good way to authenticate and to log into a system and do sign in to perform repetitive tasks in a very secure and easy way. And what we found is many times the systems exist because of security policies that were put in place to ensure application time outs. So, even if the operator is still there at the workstation the application may have automatically shut down because it has a built-in security feature that initiates after a set period of time.
With Nymi because we’re not just logging in, we can provide presence which can keep the systems open and operating. So, once we started to think about ourselves as more than just a way of signing in and realized that Nymi can actually help keep systems open and operating because we know with certainty that the operator is there, it became clear our solution can do so much more. This is how Nymi can securely change workflow practices.
Another aspect that we noticed when we started deploying Nymi into a number of different customer environments, because of the friction that customers have, particularly with manufacturing execution systems and needing operators to sign off on many different steps, some companies were designing their workflow and their manufacturing execution system to make it easier for users by grouping together a whole series of tasks or workflow steps and then asking the end user to just sign off once. With Nymi it is so much easier, as customers are now able to consider redesigning their manufacturing execution system to provide a much greater level of granularity so the manufacturing process, which by itself then increases the quality of production, consistency of production, more data, big data analysis or using artificial intelligence to produce better yields.
So, a knock-on effect of using Nymi is not just increasing security and making it easier for people, but it’s actually providing a tool to the business to allow them to re-engineer how they operate to become more effective with more data and more granularity.
Were there any concerns with compliance, adoption and functionality when it became clear that a re-engineered work flow system available through Nymi would be a possible use case for Nymi’s Enterprise Edition?
No, because most of the compliance area is already taken care of by the existing systems that customers have in place. Nymi has been deployed in a number of GMP environments with validation. Our customers have existing systems that work effectively. Nymi is replacing, in many situations, the need for an operator to type their user name and password with a simple tap from a Nymi Band. And that means that the existing systems are still working the same way, they’re still compliant. We’re just providing a solution that is a lot more secure and is a much stronger way of identifying who an individual is, compared to anything else that they had previously. We don’t change any of the compliance levels that customers had, we just make the operation more secure and easier for people to use.
Were there any equipment modifications required?
No, the only thing that people need to do is to plug in a Near-field Communication (NFC) reader. Which is the same sort of thing that you would use if you had a contactless credit card, the NFC reader is similar to what you tap your credit card against. You need to have a reader at the place that you want the operator to tap for sign or log in. That’s the only thing you need to do. Nymi’s design allows it to integrate with existing security systems, policies and applications. There is no forklift change required for the infrastructure at all.
You are just introducing some NFC readers, so you can tap against those and typically they’re just plugged in via a USB port. The rest is done through software, using software distribution tools to make that easy. Silent server installations running across the customer’s existing network can be done to ensure no major upgrade or change is required in their infrastructure at all. And beyond that we don’t actually replicate any of the data that they’ve got. We know that the existing security systems and policies that they have in place are valid, so there is no need to replicate and no need for a major forklift upgrade to infrastructure.
Lastly, are there any other unique use cases for the Nymi Enterprise Edition, that you haven’t seen so far, that you could envision being implemented by Pharma clients in 2020?
Yes, we get a lot of very positive feedback from our customers and these customers are coming up with new ideas, new use cases and new possible applications all the time. One area that customers are asking about, and where we’re looking at how we can include this, is more around the health and safety aspect. So, if you have operators that are working in a particular area that could be dangerous, they want to have things like fall detection incorporated into the Nymi Band. Maybe a panic button or some way with a Nymi Band that an operator can alert either actively or passively, if they fell for example, that they are in trouble.
Another one could be, because the Nymi Band has the idea of presence through the Bluetooth aspect of it – if there’s an emergency or a fire in a part of the building, to know that all the operators have left that building. This would prevent unnecessarily having to send someone into a hazardous fire environment to check that all the individuals have left that building. Those kinds of health and safety applications are things we are considering and looking to include and incorporate as a new functional capability in the Nymi Band.
I talked in this interview primarily about the Nymi Band capability to log into systems for sign in and to have presence to talk to IT systems effectively. However, another aspect is our ability to have physical access. So, we’re starting to run a number of proof of concepts at the moment with the Nymi Band. Yes, you can use it to log on to your workstation and to sign within that, but wouldn’t it be great if you can also use the Nymi Band to access certain parts of the building, access through security doors, etc? So, the physical access is something that we’re already piloting. We’re looking to bring that into the capability of the Nymi Band during 2020 as well.