Cybersecurity and the Supply Chain

The recent cyber-attacks on US-retailers Target and Neiman Marcus have brought security risks to the spotlight.

According to various reports, technology failure and cyber-attacks represent a bigger threat to most businesses than adverse weather, fire and social unrest combined.  In fact, according to a study by the Center for Strategic Studies and security software maker McAfee, cybercrime costs the United States economy about $100 billion each year.

Intellectual property is among the primary targets for such security breaches – particularly for those industries in which competition is fierce for that next new product. A recent example of this allegedly involved three of the largest medical device companies – Medtronic, Boston Scientific and St. Jude Medical.  Very disturbing was the fact that these companies were not even aware of the intrusions until federal authorities contacted them.

However, this apparently is not surprising. According to the CEO of the Information Security Forum (ISF), Michael de Crespigny, many companies are not fully aware of the scope and seriousness of the issue.

So how can a company protect itself from cyber-attacks? Look towards the supply chain.

The globalization of supply chains has resulted in increasing risks – weather, political, economic etc. – along with these risks, the number of suppliers have increased for many companies. For example, as of 2012, Apple had about 156 global suppliers whereas Qualcomm had 759 global ones.

The very nature of global supply chains calls for visibility, collaboration including exchange of sensitive information with multiple partners, some of them several tiers removed from the manufacturer. The ability to protect data can be highly variable.  A report published by the ISF notes that although sharing information with suppliers is essential, it also increases the risk of that information being compromised.

To mitigate risks, identify which suppliers pose the greatest risk for data theft.  A process and auditing standard such as ISO 270001 can help. It takes companies from basic risk assessment through policies for managing information, communications, human resources, physical sites, business continuity and compliance. ISF has also developed its Supply Chain Information Risk Assurance Process (SCIRAP), which assist companies assess suppliers in order to identify the riskiest contracts.

An interesting project is underway at Ford Motor Company along with its partner, Achilles, in which it is mapping its global supply chain to identify and mitigate potential risks. According to the company, the goals of the project are to:

Ensure supplier data is accurate.

  • Map out which supplier manufacturing sites are potentially exposed to risks, including natural disasters, to proactively mitigate any potential impact on global production.
  • Address potential bottlenecks, reliance on single suppliers and identifying companies with long lead times that could impact production.

The project has now been expanded to invite Tier 1 suppliers to provide information about their operations.

As more and more supply chains expand and globalize, risks will increase. Among the biggest risks is cybersecurity.  Investments to combat this rising risk are growing and according to Allied Business Intelligence, global cybersecurity spending by critical infrastructure industries was expected to hit $46 billion in 2013, up 10% from a year earlier. Expect this amount to grow even quicker in 2014.

comments powered by Disqus