With the Wannacry ransomware attack fresh in everyone's memory, and scary stories and statistics in the news constantly, there's no need to harp about the odds and potentially devastating effects of a cyber assault on your small business. The evidence is overwhelming that taking steps to protect your organization and employees must be a priority. For those in the Department of Defense supply chain, the deadline is also fast approaching to have your cybersecurity program, mandated by recent revisions to the DFARS, in place.

In December 2016, the National Institute of Standards and Technology (NIST) published a revision to its Special Publication 800-171, which outlines 14 areas of security against cyber threats. The publication details requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations. DOD contractors must be in compliance with these requirements by no later than December 31st of this year.

For those not in the DOD supply chain, the NIST publication is also useful in developing any organization's cybersecurity strategy. In addition to the Special Publication, NIST has also developed a voluntary Framework, which is scalable for any size organization and intended to help guide businesses and other organizations through implementation of security measures in gradual steps.

As with most things in our information-dense environment, a plethora of information about cybersecurity is available at our fingertips, but figuring out what's most important and undertaking the task of planning and implementing changes in the best manner for your business can be challenging. MMEC is one of many resources in Montana who can help. A great opportunity to learn more will be the Cybersecurity session at the Innovate Montana Symposium on July 12-13 (if you're not already registered, you should!).

One thing is certain, and that's the need to act sooner rather than later to ensure that your company is as protected as it can be. An analogy that hits home to us in Montana could be made: it's like running from the bear – your odds are better at the front of the pack than bringing up the rear!

DOD Contractor Resources:
Defense Cybersecurity Requirements for Small Businesses
Cybersecurity: What Small Businesses Need to Know

Additional resources available on the MMEC website.

David Allard

MMEC Business Advisor

Intellectual Property, or IP can be defined as a product of the human mind or intellect; including ideas, inventions, expressions, methods, processes, unique names or chemical formulas which have potential commercial value and can be expressed in tangible form. The United States Patent and Trade Office (USPTO) has the duties of governing IP in the USA.

By the above definition, IP could be as straight forward as the secret ingredient in your Perfect Bloody Mary.   IP can also be more complex, such as a highly engineered, Rare Earth bearing Nano-structured catalyst that is integral to the production of some esoteric and valuable wonder material.    
IP not only refers to patents, but also to Trade Secrets, Copyrights and Trademarks, as well as affording certain rights to the owners or inventors of distinct company names or packaging designs.

Patents, perhaps the most commonly known area of IP, are divided into three categories:

  • Utility Patents – Ideas and inventions such as new drugs (Viagra), mechanical devices (better mousetrap), manufacturing methods (anodizing), etc.  In 2015, the USPTO received 589,410 Utility Patent Applications, resulting in 298,407 awarded patents.
  • Design Patents – Used to protect ornamental objects, unique designs etc. – such as a USB charger shaped like a conventional telephone.  Determining if something should be covered by a design patent or a utility patent can be tricky, but there are a few simple tests that can help.
  • Plant Patent – Applies to asexually reproducible plants (grafts and cuttings).  New plants, both asexually produced and produced via pollination can also be potentially protected by a Utility Patent. 

It is important to remember that IP rights are offensive in nature, not defensive. Having a patent issued by the USPTO does not afford the owner automatic protection from infringement.  Rather, it grants the owner certain rights to exclusivity and potentially affords them a framework for offensive legal recourse.  The USPTO is not responsible for making sure no one else is using your patented ideas; that responsibility falls to the patent owner.  Rather, the USPTO role is to keep others from patenting ideas or inventions that too closely resemble patents already granted, also known as “Prior Art.”
Any inventor, entrepreneur or business entity developing or using IP should be familiar with the basic concepts and terminology used to describe IP.  In particular, understand the importance of confidentiality; do not disclose an idea or innovation publicly if the intent is to patent it or treat it as a trade secret.  Prior to discussing or disclosing un-protected IP, be sure to have an executed NDA (Non-Disclosure Agreement) in place.   

There are several good IP reference books readily available.  Over the years, Patent It Yourself(D. Presseman; 2014) has become a common reference tool used by many inventors and the like.  It provides a thorough, comprehensive and straightforward resource to guide users from idea to marketed invention.  For those looking to gain an understanding of how IP is used at the highest levels, the book Triumph of Genius (R. K. Fierstein; 2015 ) provides an in-depth account of the landmark IP suit brought by Edwin K. Land and Polaroid against Kodak

- Dave Allard MMEC

Claude Smith

MMEC Business Advisor

The most important aspect of starting a food manufacturing operation is Food Safety. Nothing will be more important to you and your business than never having a customer become sick, or injured, or worse from consuming your product. Food Safety in the food manufacturing world is overseen by the FDA, State and Local authorities, and many times large distributors of your product. Generally this oversight will consist of on-site audits. An auditor will walk through your operation from start to finish and will conduct a paperwork review of your production records.

Over the years, Food Safety in the US has become formalized and standardized in an effort to provide the best possible safeguards for you and your customers. The FDA has mandated Good Manufacturing Practices to be followed by every food manufacturing facility. These practices are published in the Code of Federal Regulations (CFR117) and provide guidance in cleaning ability, sanitation, and cleanliness of processing areas and prevention of microbial and chemical contamination.

A good Food Safety Program in your facility can be broadly thought of in two ways:

  • First: Reduce the chance for any hazardous material to become introduced into your product stream. Control them at the source. This requires a variety of programs, called Prerequisite Programs, which you should have in place. Your employees should be trained in them, and they should be followed. In addition, you should be checking frequently to ensure that they are being followed. Think of them as your SOP’s, or Standard Operating Procedures. In other words: what things do you do, how you do those things, when you do those things, where you do those things, who does those things, and how do you know those things were done. 
  • Second: If a failure occurs in one of your Prerequisite Programs and a critical hazard should become introduced into your product that could cause harm to a customer, how will you detect, and remove it before you ship the affected product? Or better yet, how will your business design a system that doesn’t allow this to happen in the first place.

This is the purpose of a Hazard Plan, better known as a HACCP Plan. HACCP stands for Hazard Analysis and Critical Control Point. These plans have been mandated by the FDA for certain high-risk foods like juices and canned foods, although many other manufacturers follow a HACCP Plan because it is good business to not harm your customers, and because many retailers, wholesalers, and distributors require a HACCP Plan regardless of the product you make.


The two efforts mentioned above work best together. Relying only on your HACCP Plan while utilizing weak Prerequisite Programs is a recipe for disaster. For example, relying on a vision system to inspect finished product works best if the incoming load of hazards is infrequent. If chemically tainted product, broken glass, insects, etc. are being detected by the vision system, then the Prerequisite Programs upstream are in need of an overhaul. The possibility exists that some of these issues may pass through the vision system due to faulty maintenance, operator error, or any number of other reasons.

Prerequisite Programs can be varied depending on the facility and processes involved. The 12 most commonly found are: Facilities (clean, well laid-out, secure, weather proof), Suppliers, Sanitation, Pest Control, Employee Training, Specifications, Production Equipment, Personal Hygiene, Chemical Control, Warehousing and Shipping, Traceability and Recall.

You should have procedures or policies in writing for each of these, detailing what and how your company handles the areas of operation. Some may be brief, while others may require a set of written procedures that require step by step procedures and training. Signed off check sheets are important to serve as records of your sanitation activities. All Prerequisite Programs should list on the front page who is in charge and their job title, where the actual program manual or documents are located, who has revision authority, how often the program is reviewed, and which personnel are trained in the program.

Generally speaking, think of a hospital. We expect there should be no dirty dressings or bandages on the floor, utensils and equipment should be properly stowed, doctors wearing proper clothing, hand washing available, etc. That image in your mind is what your operation should be like. After all, you’re making people’s FOOD.

 -Claude Smith

Alistair Stewart
MMEC Senior Business Advisor

The very first baby boomers turned 65 in 2011; 10,000 turn 65 every day. Baby boomers own 63% of the private businesses in U.S., and 80-90% of their wealth is tied up in their businesses, where it is highly illiquid. Here in Montana, many of those businesses have been managed as a source of cashflow to support lifestyle; rather fewer owners have viewed their businesses as a source of wealth beyond income.

A recent Exit Planning Institute survey confirms that 76% of baby boomers who own businesses plan to transition over the next 10 years, and 48% plan to do so in the next 5 years. Alarmingly, the survey found that 12 months after selling, 3 out of 4 business owners surveyed “profoundly regretted” the decision, and 75% of private businesses put on the market don’t sell. A very common reason for ‘no sale’ is the gap between value expectations of the seller, and the price that potential buyers are willing to pay. Fully half of all business exits were not voluntary, but resulted from death, disability, divorce, disagreement, or distress.

Owners wishing to leave on terms and at a time of their choosing should focus on exit planning well in advance; I’ve heard it said many times that owners who don’t sufficiently plan for a successful exit are busy preparing for an unsuccessful one. So what’s an owner to do? In my experience, owners ‘lean in’ when asked a fundamental question “Do you know what your business is worth?” That difficult, triggering question gets to the heart of an essential, early step in exit planning; correlating owners’ “life-after-business” plans with their personal financial plans and the value of their biggest and most illiquid asset, their business. That eye-opening data frequently jumpstarts serious exit planning endeavors, about which, more next time....

Jenni West
MMEC Associate Director

One of my dad’s favorite sayings when I was growing up was, “Better safe than sorry.”  That old adage really rings true when it comes to protecting your business from cyber and other information security threats.  Considering the devastating potential consequences of suffering a security breach, and the exponential rise in cyber attacks among small manufacturers and businesses in general, making the time to implement some basic security protocols such as the ones mentioned below could have a significant ROI for your business.
  1. Train your employees on how to protect sensitive information.  This includes everything from installing new applications on company computers to use of social media to how to handle tax and other important information and even handling email phishing and spam.
  2. Update, update, update.  Always ensure your applications are up to date – checking your settings to make sure automatic updates are allowed is a good way to do this.
  3. Install, update and run antivirus and malware protection regularly.  Make sure to keep your subscriptions up to date, and periodically check to see if an upgrade to your application is warranted.
  4. Require everyone (including yourself) to use strong passwords, and consider two-step authentication whenever possible.  Don’t store passwords where they could be easily stolen or hacked (such as in Notes or a similar app on your smart phone).  A good rule of thumb is to use a minimum of 12 characters, including upper and lower case letters, numbers and symbols.  Passwords driving you crazy?  There are a number of password manager apps available now, as well.  Here’s a link to a recent review article in PC Mag: http://www.pcmag.com/article2/0,2817,2407168,00.asp.
  5. Install a Firewall
  6. Secure your network Wifi with a strong password (always change the factory-set password right away!), and set it so that it doesn’t broadcast the SSID.
  7. Ensure everyone has their own individual accounts and passwords, and control administrative/full-access privileges.
  8. Ensure your email provider offers adequate filters, and engage security settings in web browsers to keep employees from accessing malware-infected websites.
  9. Backup, backup, backup your data.  Run regular backups and always keep important information in more than one location.  Cloud-based storage services often provide backup of your data, in addition to allowing access from anywhere with internet.
  10. Control physical security of laptops and other sensitive information.  Know where important and sensitive information is stored and who has access, and keep it secure.  Don’t leave your laptop on your car's back seat, or open and logged in where anyone could access it.
For more information and guidance on how to protect yourself and your business, check out the new free NIST Cybersecurity Framework and Small Business Information Security: The Fundamentals available for download on our website.