
How secure is your supply chain?

Apr 13, 2017

If you're like many organizations, your security focus is on protecting email, financial data and customer data. What if your greatest threats come from your vendors and supply chain?

[Image: broken chain pulling companies apart. Credit: Thinkstock]

Today’s global supply chains carry risks that run the gamut from pirates off the coast of East Africa to bad guys tampering with goods in transit. And international supply chains also put companies at risk of violating legislation and policies mandating corporate social responsibility. How can your company make responsible decisions for your supply chain under these conditions?

Improving the security of the global supply chain system is a key part of the strategy. With billions of dollars of goods at stake, many companies are working at solving the problem. Blockchain firms like Skuchain have developed ways to secure supply chain information to improve tracking. Other firms like CNL Software and Esri focus on improving the security process at key facilities like ports and warehouses. And firms such as Fleetmatics, Shaw Tracking and Optical Lock are working on securing the “moving supply chain” of trucks, railways, ships and planes. Whether your supply chain includes service providers, software services or goods, there are important risks to be mitigated.

Rising security expectations

Outsourcing was once a simple value proposition for organizations: Move work to a vendor to achieve cost savings. But the landscape has changed. “The National Institute of Standards and Technology (NIST) has proposed adding cyber supply chain risk management to the Cybersecurity Framework,” says Edna Conway, CSO for global value chain at Cisco. “A mandate by the Federal Energy Regulatory Commission has resulted in electric system bulk operators developing security controls for supply chain management for industrial control system hardware, software, and services,” Conway adds. In addition, a draft executive order from the Trump administration may require heightened security requirements for suppliers serving the U.S. government.

What do these new standards and policies mean for technology leaders? Solving this situation will require a close review of current vendor contracts regarding security, audit and subcontracting provisions. If your organization uses vendors on a “white label” basis, then the vendor’s cybersecurity measures have to measure up to these new standards. Start the review process now before fines, regulations and public failures force the issue.

Reducing theft

Each year, theft and fraud result in serious costs and delays for both companies and governments. Steady increases in global trade volumes mean that traditional border security methods such as random spot checks have limited effectiveness. At the same time, governments are under pressure to do more with less. In this environment, improving supply chain security technology plays a vital role.

Governments take a critical interest in supply chain security for financial and security reasons. If trade evades official channels, governments lose revenue and the ability to enforce their policies. “In Kenya, Savi provided a sensor and software solution to its customer SGS, which ultimately benefits the government,” says Vicki Warker, CMO at sensor analytics provider Savi. “SGS provides the OMNIS cargo tracking system to the Kenya Revenue Authority to secure transit shipments and detect and deter theft. In one year, SGS has helped the Kenya Revenue Authority reduce theft by 81 percent,” adds Warker. The hardware involved also includes electronic locks that record attempts at unauthorized access. By reducing cargo theft, Kenya gives businesses with a supply chain footprint in the country added confidence.

The way to cyber security

Optimizing cyber security requires constant trade-offs — a reality that can be exploited by attackers. If your security staff focuses on protecting email, financial data and customer data, the security of your vendors and supply chain may be given less attention. “Supply chain attacks are particularly dangerous because success opens access to dozens of companies. A breach can be hard to detect since risk management strategies often don’t encompass the security of supply chain partners. In Target’s case, the adversary accessed point of sale technology through the HVAC system. In the software supply chain, there is Kingslayer, which targeted a sysadmin software system used by Windows administrators to review logs,” says Paul Kurtz, co-founder and CEO of security intelligence exchange platform TruSTAR. The Target example, in particular, shows us that securing PCs and mobile devices is no longer enough.

Many banks added reviews of supplier cybersecurity vulnerabilities and processes to their procurement process after the Federal Reserve issued a report in 2013 called “Guidance on Managing Outsourcing Risk,” which includes cybersecurity. Other companies in other industries, especially privately owned companies, may not have developed the same level of sophistication in managing supply chain risk. But reducing your company’s cybersecurity risk may depend on it.

If your cybersecurity budget and staff are at their limit, collaboration with industry peers could make a critical difference. “Cloud providers are responding to supply chain attacks by pooling incident data through exchanges such as the Cloud Security Alliance’s Cyber Incident Response Center,” explains Kurtz. There is naturally some sensitivity around sharing threat information and disclosing successful attacks. Fortunately, there is a solution: “Companies can share indicators of compromise without attribution,” Kurtz says. This anonymized sharing is akin to medical databases that aggregate patient data for researchers and clinicians without including personal information.
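The anonymized sharing Kurtz describes comes down to a simple data-handling rule: send the exchange the attacker-side artifacts (file hashes, domains, external addresses) and strip everything that points back at the reporting organization. The script below is an added example written for this article, not code from TruSTAR, the Cloud Security Alliance or any exchange; the record layout, field names (`org`, `reporter_email`, `ticket_id`, `technique`), the sample incident report and the choice of a keyed hash as the source pseudonym are all assumptions made for illustration. It keeps a stable but non-attributable `source_token` so the exchange can tell that several submissions came from the same (unnamed) contributor, drops victim-side addresses and hostnames, and passes through only indicator types that describe the adversary's infrastructure.

```python
import hashlib
import ipaddress
from typing import Dict

# Indicator types that describe attacker-controlled artifacts and are safe to share.
# The list is an assumption for this example, not an exchange's schema.
SHAREABLE_TYPES = {"sha256", "md5", "domain", "url", "ipv4"}

# Address ranges that would reveal the reporter's own network if shared.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_internal_ip(value: str) -> bool:
    """True if the value is a victim-side (RFC 1918, loopback or link-local) address."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def source_token(org: str, pepper: str) -> str:
    """Stable pseudonym for the reporting organization.

    The pepper stays inside the organization, so the exchange can correlate
    submissions from one source without being able to recover the name.
    """
    return hashlib.sha256((pepper + "|" + org).encode()).hexdigest()[:16]


def anonymize_report(report: Dict, pepper: str) -> Dict:
    """Return a copy of an internal incident report that omits attribution.

    Only whitelisted indicator types survive, internal addresses are dropped,
    and free-text fields (reporter, ticket, hostnames) never reach the output.
    """
    shared = {
        "source_token": source_token(report["org"], pepper),
        "technique": report.get("technique", "unknown"),
        "indicators": [],
    }
    for ioc in report["indicators"]:
        if ioc["type"] not in SHAREABLE_TYPES:
            continue  # e.g. internal hostnames: identifies the victim, not the attacker
        if ioc["type"] == "ipv4" and is_internal_ip(ioc["value"]):
            continue  # victim-side address: would expose the reporter's network layout
        shared["indicators"].append({"type": ioc["type"], "value": ioc["value"].lower()})
    return shared


# Constructed sample report. The hash and domain are made up; the public IP is
# from the RFC 5737 documentation range, standing in for attacker infrastructure.
INTERNAL_REPORT = {
    "org": "Example Logistics Ltd",
    "reporter_email": "soc@example-logistics.test",
    "ticket_id": "IR-0042",
    "technique": "third-party-remote-access",
    "indicators": [
        {"type": "sha256", "value": "D3ADBEEF" * 8},
        {"type": "ipv4", "value": "10.20.30.40"},          # internal jump host, dropped
        {"type": "ipv4", "value": "203.0.113.7"},          # attacker C2, kept
        {"type": "domain", "value": "Update-Mirror.Example.test"},
        {"type": "hostname", "value": "POS-TERMINAL-17"},  # victim asset, dropped
    ],
}

if __name__ == "__main__":
    print(anonymize_report(INTERNAL_REPORT, pepper="local-secret"))
```

In practice the pepper would be rotated on a schedule agreed with the exchange and the whitelist reviewed whenever a new indicator type is added, since any field not on the list is silently discarded rather than shared by accident.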

As outsourcing and cloud services grow in popularity, IT leaders can expect supply chain cybersecurity to become increasingly important. Your choice is either to proactively invest in cybersecurity throughout your organization and value chain or wait until you suffer an incident.

Bruce Harpham, PMP, writes on technology and project management at Project Management Hacks for growth-oriented professionals.

The opinions expressed in this blog are those of Bruce Harpham and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
