IT Case Study Podcast – Machine Parts Manufacturer in NH & MI
Dave Hodgdon talks about how PCG’s managed IT services helped a machinery parts manufacturer improve their IT network and cybersecurity by:
- creating an IT budget
- centralizing two remote networks
- enhancing cybersecurity
Then, Dave explains how PCG’s services helped this company land valuable government contracts and expand its business.
TRANSCRIPT
Case Study of a Machinery Parts Manufacturer
John: So Dave, today, we’re talking about… We’re doing a case study of a machinery parts manufacturer, located in New Hampshire and Michigan. And we should just say that, because we’re talking about their network, and security, and things like that, we won’t name the company, but this machinery parts manufacturer… tell us a little bit more about them, and the number of employees they have, that sort of thing.
Dave: Yeah, we are engaged with this client about 10 years ago. Again, they have locations in New Hampshire and Michigan, both locations are manufacturing something a little bit more specific, but they are a machine shop. They have approximately 85 employees, a lot of them on the floor, and about 30 of those users are what we call the PC-based users. Those are the ones that we are managing, John.
IT Challenges for a Machinery Parts Manufacturer
John: And what was it that made them come to you? What are some of the issues that they were having with their IT?
Dave: Well, originally their IT was managed in-house. They had a person who was about retiring, like anything he was working the floor, and part of what an IT does was, helping with the network.
They had reached out to us, probably about 2010, 2011, to take a look at the network and right away, we could definitely see that… and this is kind of the norm when people take care of their networks John… they take kind of a band-aid approach in that they do what they can, and they’re not doing anything wrong, or intentionally wrong, they’re just trying to keep the pieces moving, but the network was definitely… well, it needed some severe help, and so they hired PCG not only to help with some network upgrades, but also to help manage them.
Assessing IT Challenges
John: So then what was their strategy? And some of the first things that you did in order to, assess what their issues were, and figure out where you needed to go from there?
Dave: Well, we brought them on some time ago, that was in 2010 or 11, but then in 2016, 17, some major events happened. So at that point there were some new strategies in place, and a lot of it were based upon the security for some new business, as well as getting their network up-to-date, because they were looking to get a new line of business application and they had to make some changes.
So there were two things that we had to work on. Not only getting some risk compliance items in place to match the department of defense and government agencies, as well as getting their network up and running.
They had two distinct networks in Michigan and here in New Hampshire. And the goal was… there was a lot of data being shared with both, there wasn’t really an easy way to centralize. So we opted at that point to bring these two networks together, and have a single network.
Performing IT Network Assessments
John: And so talk a little bit about that, and how you assessed the work, and figured out the best way to move forward?
Dave: Well, through any assessment, your job is similar to how you do a house inspection, as you do the walkthrough, you try to determine where potential issues are and what you need to prioritize… there’s a big difference between needing and wanting.
So, some things were definitely usable, but it’s our job to take a good look in the big picture, and where they’re trying to go. Not only looking at the switches… there’s a big difference between a good switch and an average switch.
I always tell my clients, it’s like riding on a route one, verse 95. You think you have a good switch, but there’s a big difference driving on 95 and the open lanes there. We noticed then as the end of life of windows seven, some aging machines, and it’s a machine shop, it’s dirty. A lot of these machines weren’t performing well. They were using these old spinning disks, not solid state drives.
And it’s amazing John, when you actually do your assessment, you actually speak to the users of “Tell us what do you like, if you could have something new, what’s the biggest thing you could see.” You take that feedback and you bring it back to ownership, that really resonates to them, that, their staff… if they know they’re investing in them well, hopefully so they can be more productive and more reliable.
So we also reached out to the line of business vendor to determine the new requirements for the server and hardware. We came up with the plan, we came up with the budget, and a timeframe to do these items, and also how to enhance our Managed Services Plan, moving forward.
At that point, we had both the unnecessary hardware, software, and what it would take for our managed services to give them a solid plan moving forward.
Examining IT Cybersecurity
John: And what about security and compliance? Did this company have issues with that? And how did you assess where they needed to be with security?
Dave: That was a more recent one, the last in 2020. So they were being required again by their vendors and partners… so being a machinery, and they’re making various things for… the weapons for the military. With these contracts, it is imperative for them to get up to speed, and meet the necessary compliance requirements.
We did a risk assessment for them to come up with a baseline, their gaps and vulnerabilities. Based upon our initial call, and seeing the documentation from their vendors, it was determined that we had to run the NIST 800-171, as well as the CMMC level two. Just briefly, what those are standing for is, NIST is the National Institute of Standards and Technology. It follows five key principles for identify, protect, detect, respond and recover.
The big part for the CMMC is a big one in the manufacturing world, stands for Cybersecurity Maturity Model Certification. This is a documentation that allows your practices, and enables your users to perform in a repeatable manner.
What I mean by that is, if you have a process, it’s something that’s detailed, it’s a documentation that you can do, and the same thing. It’s just like an old pair of shoes, it’s the same stuff if you love it.
Improving Cybersecurity
John: What are some of the things that you implemented in terms of security?
Dave: Well, first of all, once we did our security team, we went out and ran the audit, we ran external vulnerability scans, John, to see where the issues could be. Then we do a two-hour strategy with the ownership team, we ask the key questions all in English… if this is not IT stuff, how do you handle your data?
How are users accessing? Do you allow people to take USB thumb drives and allow them to copy data? How are you connecting externally from outside the building? How are you setting up policies for, who can have access to each file? Do you run a background check on your employees?
So again, common things that are pretty straightforward… all of these lead to you having a more secure network, as well as it truly helps with your cyber security. I think a lot of people don’t realize when they get insurance, John, they think they’re covered, but it’s pretty obvious if an event happens, unless these things are in place to document, there’s a very good chance you won’t get that payout.
So once we had that data, we’re able to meet with the ownership team, and give them our recommendations. We came up with a plan together, we came up with the various service tools necessary.
We didn’t do it all at once, we did this in phases, because you know security… like changing a password policy, it’s a pain. You’re going to change it, and everyone’s going to not like that, they have to change their password, they’re going to forget it.
You have to do security training, you have to implement the various tools… So we just stepped our way through. So over the past six months, we’ve been working to get them to where they have to be. So we now have a… what we feel is a very robust security plan in place.
Centralizing Remote Networks
John: What are some of the issues in terms of, this company has a location in New Hampshire, and another location in Michigan. And you said that, initially at least, they were both on two separate networks and you wanted to combine those together.
Talk a little bit about some of those issues that you deal with, when you have a company that split, but two different locations. And even in this case, two different states.
Dave: Great question, Neo. The same users are trying to access both networks, so when an ownership was in Michigan, they want access to this system where people are coming back and forth. There weren’t standards for how you had a username, there weren’t standards on how you set up a user, or how you’re going to access your printers.
The file locations and names weren’t the same. When I log into one network, I didn’t have access or privilege to get into the other network. So you want to have an active directory… so you can have two sites, but I can be a member of both sites, when I log in, I’m part of both of those.
Having the site-to-site connection of secure users, that could go one way or the other. That you actually want the ownership of a leadership team here in the New Hampshire site, that wanted access to certain financials, they would have to call or email, “Hey, can you get me this information?”
So by having a single network that was broken down by site, broken down by the users and the permissions they could have.
Now we’re able to save some money on the licensing, make it easier for employees to have access to either network. It became easier to manage, which is a cost savings. It made it easier when they changed their line of business, that each business… Before John, their line of business application was using different applications, now we’re able to deploy and train over the same network. So there are so many advantages to being on the single network.
Implementing Security Services
John: And what are some of the security services that you implemented?
Dave: A couple of big ones today are… the most important ones to me is what’s known as MFA, Multi-factor authentication. That is within your email, within 365, it’s confirming it’s you.
And John, if you were working here from Massachusetts, but all of a sudden it sees you log into your email in Wisconsin, it’s going to ask you, is this really John trying to access my email? And you’d use your phone, you’d get a little ping on there through your authenticator, so you can verify “yes, that’s me”.
So MFA is a key point, because if the bad actor gets into your email, they can wreak havoc. Another big buzz word in what’s critical… you see on the TV all the time, there’s two big players out there, SentinelOne and Cybereason, they’re on the TV advertising all the time.
They use the buzzword called EDR, which stands for endpoint detection and response. It’s looking for unusual activity, behavior changes and administration rights. For instance, if someone’s trying to copy data from New Mexico, but wait a minute, there’s no employees there, and that’s the type of issue managed by a security operations center.
We also updated their firewall to add the necessary security services, and a big one that they wanted was, knowing that their network was being monitored by a security operation center, 24/7, that looked for any unusual activity.
How PCG’s IT Services Improved This Business
John: And what was the result of all of this work that you did… I know you did a number of different projects over a number of years, but where does the company stand now? And what is it that, is sort of the outcome of all of this work over these years, that you’ve done for them?
Dave: Well, they now have a network that is robust, it is scalable, it has redundancy, they have an IT plan in place, we meet yearly now, so it’s a budget. So a lot happened to get the network up to place.
We provided them the needed documentation for their vendors and partners to stay compliant. That was a key component they needed to get these additional bids and awards, but also opened the door for them to get more contracts from the department of defense, and the military.
They now meet and exceed their requirements to do business with these vendors, and they realize now, the investment they made is paying off, and also shows to their current partners out there that they’re making a commitment to stay compliant. And it costs money, and unfortunately, it’s one of those things to do business now. Similar to why you have to have insurance on your business or your car.
And I explained to people, it’s kind of like, if you live near the water, you weren’t expected to have flood insurance, but now you do, so it’s just part of doing business. A key component to them was to have a true, dedicated help desk 24/7, and having that support under five minutes, and a lot of people working after hours, so we’re able to give them that service.
And they really liked our IT strategy, giving them the ability from a business standpoint… of giving them a plan, not only for their IT and security. It’s just not about IT, John, we’re asking them, what’s keeping you up at night? What are your current issues? What are your business goals? Are you having issues with employees? How’s your website doing? What are you guys doing with your sales and marketing? Are you having HR issues? How are you handling hiring?
So, there’s a lot of knowledge and camaraderie, that we’re able to share with each other to help out. All of the small businesses are sharing a lot of the same problems, so it’s good to have those high-level meetings.
Contact PCG for Managed IT and Cybersecurity Services
John: All right. Well, that’s really great information, Dave. Thanks again for speaking with me today.
Dave: My pleasure, John.
John: And for more information, you can visit the PCG website, @pcgit.com or call (603) 431-4121.