There are several other types of potentially damaging data that hackers may covet according to de Crespigny. The sensitive information that resides around the logistical transaction of a company, including shipment of goods and deliveries, especially very high-value products is a concern.
Organizations that are undertaking a transaction, whether it is renegotiating a contract, setting up a subsidiary in a new country or acquiring a business, will use lawyers and other advisors to guide them. This opens another avenue for a potential breach. The information that a law firm holds about a company’s pending negotiations is a data thief’s crown jewel.
Finally, there is also commercial and management information that can provide details related to a company’s financial performance, which if you’re a publically traded company, you wouldn’t want leaked to the wrong party as it could adversely affect share prices.
To help organizations manage their supply chain information risk, the ISF has created the Supply Chain Information Risk Assurance Process (SCIRAP), an approach for larger organizations to manage this risk across their thousands or tens of thousands of suppliers. This focuses on identifying information shared in the supply chain and focusing attention on the contracts that create the highest risk. It also provides a scalable way to manage contracts so that efforts are proportionate to the risk.
But de Crespigny admits there are no magic bullets to ensuring a secure data supply chain, although common sense approaches can prevent major brand damage.
"The first step is to force full disclosure from your global suppliers and then require that they put into place the same controls and gain the same assurances that you’re insisting on from them. In high-risk circumstances you can ask your supplier to provide you with an audit report signed by one of the (major) accounting firms registered under the AICPA that conforms to the association’s standards. This policy is costly, but in situations where it is imperative to ensure privacy of information, it is crucial.
"Any procurement activity can lead to sharing of sensitive information with a supplier. We have developed an outline of several key questions any procurement team should ask itself to identify if this is high risk situation. In very high risk situations you’d want management to involve information security people to help define the terms of any request for information or RFPs or in any evaluations. Bottom line is you want to make sure your suppliers have the same controls in place you insist on," concludes de Crespigny.