80% of all cyber breaches occur in the supply chain, but too many companies are acting like the problem will fix itself.
Even though our new President-elect Trump believes that “The whole age of computers has made it where nobody knows exactly what’s going on. We have speed, we have a lot of other things, but I’m not sure you have the kind of security that you need,” it is too late for people (and businesses) to abandon the technology they use to communicate and transact business and go back to sending handwritten notes via courier to keep information secure (other than on a rare occasion), as he prefers.
As I’ve mentioned before, if we are to operate in the global supply chain we need to understand that there are many risks involved, including cybersecurity. Organizations—supply chain and otherwise—need to identify the potential risks (information security included), estimate both the potential impact of each on the organization and the likelihood of it occurring, and put together a mitigation strategy for the most likely high-impact risks.
In a paper presented at the 2016 RSA Conference by Jon Boyens of the National Institute of Standards and Technology (NIST) titled “Integrating Cybersecurity into Supply Chain Risk Management,” it was pointed out that there are three trends exacerbating cyber risks to supply chains:
• Internet of Things—everything is smart and interconnected.
• IT-enabled supply chain management—product and supply chain data run on top of business software that connects supply chains, and weak links abound globally.
• 3-D printing—production is going viral and digital.
These trends can result in a variety of negative consequences, including the delivery of poor-quality, compromised or counterfeit products that diminish brand reputation; loss of intellectual property shared with supply chain partners; access to company IT networks, customer information, or operational control systems through supplier access; and impact on revenues, brand reputation and shareholder value.
More surprising, perhaps, is that Boyens’ paper mentions that 80% of all cyber breaches occur in the supply chain, and that 72% of companies don’t have full visibility into their supply chains.
To relate this in terms we can understand, some examples include:
• Supplier-provided keyboard software gave hackers access to owner data on 600 million Samsung Galaxy phones.
• Poor information security by service suppliers led to data breaches at Target, Home Depot, Goodwill, and many other companies and organizations.
The presentation concluded that existing tools to mitigate other types of supply chain risk are also relevant for cyber risks, and that best practices and tools to mitigate cyber risks in the supply chain often already exist in other parts of the company. We also need to be aware that other functions, such as R&D and engineering, affect cyber risks in the supply chain.
So, on a national security level, if our new President openly doubts the intelligence community’s ability to accurately assign risks and responsibility for cyber attacks, he could find it difficult to identify and fend off cyber attackers. The same could be said from a business perspective as well.