In the physical security world, protecting the supply chain is a tangible effort of RFID tracking devices, GPS locators and titanium padlocks. But when it comes to securing sensitive information along the global supply chain, the process is extremely tenuous.
Recent incidents highlight just what is at stake if global corporations fail to seal the data leaks and do their due diligence with every supplier, vendor and contractor in their network. The information an organization works so hard to secure internally can evaporate into the open global market in an instant if strict procedures are not in place.
One of the most damaging examples of supply chain infiltration occurred a couple of years ago when Chinese spies hacked into computers belonging to BAE Systems, Britain’s biggest defense company. Details about the design, performance and electronic systems of the $300 billion F-35 Joint Strike Fighter and F-22, a multinational project, were stolen and full blueprints made available to the Chinese.
The Chinese were also the culprits in another recent event where they attempted to sabotage a $40 billion acquisition of the world’s largest potash producer by an Australian mining company by hacking into the offices of a Toronto-based law firm that was brokering the deal and stealing sensitive documents.
In a report entitled "Securing the Supply Chain," recently released by the Information Security Forum (ISF), a global, independent information security body and a leading authority on cyber security and information risk management, the ISF finds that organizations go to great lengths to secure intellectual property and other sensitive information internally, yet when that information is shared across the supply chain, security is only as strong as the weakest link.
"Fortune 500 and smaller mid-range companies have become much more proficient in managing risk and information internally. How they secure data on the corporate network is getting better and how they are controlling access to that data is as well. IT managers are making sure that the correct people are able to access pertinent data they need and not information that is sensitive and doesn’t apply to their jobs. This has become a priority," says Michael de Crespigny, chief executive at ISF.
"Supply chains are inherently insecure and organizations create unintended information risk when sharing information with their suppliers," de Crespigny adds. "There is a black hole of undefined supply chain information risk in many organizations – they understand and manage this risk internally, but have difficulty identifying and managing this risk across their hundreds or thousands of suppliers."
Because of the global nature of business today and the complexities of multi-faceted projects, sharing information with suppliers is an essential part of doing business. Yet as an organization spreads its global footprint, it also increases the risk that the confidentiality, integrity or availability of that shared information could be compromised. Supply chains are difficult to secure: they create risk that is hard to identify, complicated to quantify and costly to address – and addressing it can be disruptive to supplier relations.
Organizations need to think about the consequences of a supplier providing accidental but harmful access to their intellectual property, customer or employee information, commercial plans or negotiations, says de Crespigny.
"Across the range of industries the array of data that is shared with suppliers includes items like intellectual property, databases and itineraries. If you are in the aerospace and defense industry, there are consortia that you rely on that are third parties providing various components. You share personally identifiable information that is subject to privacy laws in most countries if you outsource your payroll, or you have customer information that is being stored by suppliers in some way," he continues.