The very nature of global supply chains demands that companies exchange sensitive information with multiple partners, some of them several tiers removed from the manufacturer. Their ability to protect data can be highly variable. Internet thieves and predators are looking to take advantage of the slightest weakness.
The Information Security Forum puts it best. "Sharing information with suppliers is essential," it says in a new report on "Securing the Supply Chain," "yet increases the risk of that information being compromised." It wouldn't be inaccurate to say that in the world of business, cybersecurity is first and foremost a supply-chain problem.
Many companies aren't fully aware of the scope and seriousness of the issue. They suffer from a "black hole" of undefined information risk, especially when it comes to the extended supply chain, says ISF chief executive officer Michael de Crespigny. "They understand and manage this risk internally," he adds, "but have difficulty identifying and managing [it] across their hundreds of thousands of suppliers."
In fact, some of the biggest and most complex supply chains have so many external partners that they are unable to assess the risk of doing business with each one.
They are paying a steep price for their ignorance. According to de Crespigny, 40 percent of the data-security breaches experienced by organizations arise from attacks on their suppliers. Criminals are increasingly realizing that "this is a channel they can attack."
Intellectual property - the very heart of many manufacturing operations - is a highly vulnerable area. The threat comes from both private offenders and governments, the latter of which might be seeking to protect domestic industries by undermining competition from outside their borders. Or they could be looking to establish dominance in global markets by stealing technology from foreign companies.
Sensitive data can take many forms. The most obvious is personal information about consumers, in the form of credit card numbers that can be easily converted to cash in "dark markets."
Other sources of potential leaks include the legal advisers called upon to help companies engaged in confidential negotiations about acquiring businesses or new customers. A criminal can quash a deal just by making it public, or alert competitors when a company is preparing to expand into new markets. Confidential customer lists can be lucrative sources of illicit income. Logistics details can clue a thief as to the future location of a valuable shipment. Leaked financial details can have a serious impact on one's stock price. (Banks, says de Crespigny, "are a huge target.") And information related to a company's dealings with government regulators or public entities can be highly destructive when disclosed.
What to do? The trick, says de Crespigny, lies in identifying which suppliers pose the greatest risk for data theft. Many companies focus only on the most obvious contracts, instead of the ones that are the most vulnerable.
A process and auditing standard such as ISO 270001 can help. It takes companies from basic risk assessment through policies for managing information, communications, human resources, physical sites, business continuity and compliance.
To de Crespigny, however, ISO 27001 is merely "a baseline requirement." He says companies need to define individualized controls for ensuring that information is being protected in the most sensitive areas, such as supplier relations.
ISF has developed a Supply Chain Information Risk Assurance Process (SCIRAP), designed to help companies assess tens of thousands of suppliers, with an eye toward identifying the riskiest contracts. Like any good internal review, it involves asking the right questions: Which products, components or raw materials are we outsourcing? To whom? What is the significance or sensitivity of those relationships? What's the potential fallout from a data-security breach? What's the track record with particular suppliers? What kind of processes and controls are in place? Are inspections being carried out on a regular basis? How frequently do we want to receive confirmation that our information is being protected?
With the riskiest relationships, additional information or tighter controls are often called for. A supplier might be asked to appoint an independent accounting firm to ensure that the controls specified by a given contract are firmly in place. Reports might be required annually or with even greater frequency. In cases where cloud computing is involved, companies might want more frequent assurances from suppliers, given the relative immaturity of that technology.
How a company deploys the SCIRAP depends on where it falls on the maturity scale, with respect to maintaining an effective risk-management program for data protection.
Beginners need to create a basic action plan which lays out the business case, while securing senior-management backing. According to ISF, they should be focusing on building "a coalition of support" across the organization, embracing vendors and other business partners. From there, they can proceed to secure the necessary resources and craft strong information-security policies.
For companies that are well aware of the problem, yet have too many suppliers to assess individually, the model can help to target contracts that pose the greatest risk, while grading relevant suppliers on their security arrangements.
Finally, organizations that know which contracts require the greatest level of care need to embed their data-security processes into the procurement and vendor-management lifecycle. In this way, information protection becomes a key issue at the outset of any acquisition or contract.
"The integration of existing processes is fundamental," says de Crespigny. "You need to work with existing procurement teams, not lay something on top from a distance."
Some of these actions will impose additional costs on suppliers, not to mention the original equipment manufacturer. But the alternative - failing to have in place a good security program - is far more expensive and damaging in the long run.
Perhaps the best outcome of a rigorous supplier-management program is that it places responsibility for data protection where it belongs - at critical points within the supply chain. "It's a big issue, but not just for security people," says de Crespigny. "Procurement people realize they need to get their act together."
RSS
