In the physical security world, protecting the supply chain is a tangible effort of RFID tracking devices, GPS locators and titanium padlocks. But when it comes to securing sensitive information along the global supply chain, the process is extremely tenuous.
Recent incidents highlight just what is at stake if global corporations fail to seal the data leaks and do their due diligence with every supplier, vendor and contractor in their network. The information an organization works so hard to secure internally can evaporate into the open global market in an instant if strict procedures are not in place.
One of the most damaging examples of supply chain infiltration occurred a couple of years ago when Chinese spies hacked into computers belonging to BAE Systems, Britain’s biggest defense company. Details about the design, performance and electronic systems of the $300 billion F-35 Joint Strike Fighter and F-22, a multinational project, were stolen and full blueprints made available to the Chinese.
The Chinese were also the culprits in another recent event where they attempted to sabotage a $40 billion acquisition of the world’s largest potash producer by an Australian mining company by hacking into the offices of a Toronto-based law firm that was brokering the deal and stealing sensitive documents.
In a report entitled, "Securing the Supply Chain," recently released by the Information Security Forum (ISF), a global, independent information security body and a leading authority on cyber security and information risk management, organizations go to great lengths to secure intellectual property and other sensitive information internally, yet when that information is shared across the supply chain, security is only as strong as the weakest link.
"Fortune 500 and smaller mid-range companies have become much more proficient in managing risk and information internally. How they secure data on the corporate network is getting better and how they are controlling access to that data is as well. IT managers are making sure that the correct people are able to access pertinent data they need and not information that is sensitive and doesn’t apply to their jobs. This has become a priority," says Michael de Crespigny, chief executive at ISF.
"Supply chains are inherently insecure and organizations create unintended information risk when sharing information with their suppliers," de Crespigny adds. "There is a black hole of undefined supply chain information risk in many organizations – they understand and manage this risk internally, but have difficulty identifying and managing this risk across their hundreds or thousands of suppliers.”
Because of the global nature of business today and the complexities of multi-faceted projects, sharing information with suppliers is an essential part of doing business. Yet as an organization spreads its global footprint, it also increases the risk that the confidentiality, integrity or availability of that shared information could be compromised. Supply chains are difficult to secure, they create risk that is hard to identify, complicated to quantify and costly to address – the latter of which can be disruptive to supplier relations.
Organizations need to think about the consequences of a supplier providing accidental, but harmful access to their intellectual property, customer or employee information, commercial plans or negotiations says de Crespigny.
"Across the range of industries the array of data that is shared with suppliers includes items like intellectual property, databases and itineraries. If you are in the aerospace and defense industry, there are consortia that you rely on that are third parties providing various components. You share personal identifiable information that is subject to privacy laws in most countries if you outsource your payroll, or you have customer information that is being stored by suppliers in some way," he continues.
There are several other types of potentially damaging data that hackers may covet according to de Crespigny. The sensitive information that resides around the logistical transaction of a company, including shipment of goods and deliveries, especially very high-value products is a concern.
Organizations that are undertaking a transaction, whether it is renegotiating a contract, setting up a subsidiary in a new country or acquiring a business, will use lawyers and other advisors to guide them. This opens another avenue for a potential breach. The information that a law firm holds about a company’s pending negotiations is a data thief’s crown jewel.
Finally, there is also commercial and management information that can provide details related to a company’s financial performance, which if you’re a publically traded company, you wouldn’t want leaked to the wrong party as it could adversely affect share prices.
To help organizations manage their supply chain information risk, the ISF has created the Supply Chain Information Risk Assurance Process (SCIRAP), an approach for larger organizations to manage this risk across their thousands or tens of thousands of suppliers. This focuses on identifying information shared in the supply chain and focusing attention on the contracts that create the highest risk. It also provides a scalable way to manage contracts so that efforts are proportionate to the risk.
But de Crespigny admits there are no magic bullets to ensuring a secure data supply chain, although common sense approaches can prevent major brand damage.
"The first step is to force full disclosure from your global suppliers and then require that they put into place the same controls and gain the same assurances that you’re insisting on from them. In high-risk circumstances you can ask your supplier to provide you with an audit report signed by one of the (major) accounting firms registered under the AICPA that conforms to the association’s standards. This policy is costly, but in situations where it is imperative to ensure privacy of information, it is crucial.
"Any procurement activity can lead to sharing of sensitive information with a supplier. We have developed an outline of several key questions any procurement team should ask itself to identify if this is high risk situation. In very high risk situations you’d want management to involve information security people to help define the terms of any request for information or RFPs or in any evaluations. Bottom line is you want to make sure your suppliers have the same controls in place you insist on," concludes de Crespigny.
Note: Securing the Supply Chain is available now for purchase from the ISF website at www.securityforum.org as is a free executive summary.