Cyber security and protection from information breaches remains a top-of-mind concern for many firms, but it takes on special dimensions in the context of multi-industry supply chains.
Vulnerability to a breach that originates with a third party or supplier became evident in the massive credit card hack involving retailer Target in late 2013, which exposed upwards of 40 million credit card numbers to hackers. Subsequent investigations of that incident indicated that the hackers gained entry to Target’s internal systems using a refrigeration maintenance supplier’s login credentials. A recent report from Industrial Safety and Security Source further amplifies the point, identifying the supply chain as the greatest risk in industrial control systems.
Three years later, it would appear that not much has been learned from that incident. Tripwire, a global provider of endpoint detection, security and IT compliance products, recently commissioned a survey of current information security practices. The study, carried out in December, included upwards of 320 IT professionals with visibility into the security of their organization’s supply chain.
Supply Chain Matters recently spoke with Tim Erlin, Director of IT Security and Risk Strategy at Tripwire regarding the results and implications of this survey.
The Tripwire study’s headline finding was that while 81 percent of IT professionals are confident in their ability to protect sensitive customer data within internal systems, nearly half are not as confident about the security practices of partners and suppliers. Less than half (44 percent) indicated that their organizations require partners and suppliers to pass security audits before a contract is signed. A quarter of respondents indicated that their organizations do not evaluate whether suppliers meet their information security requirements at all.
Other data indicated that 95 percent of IT professionals believe a breach could indeed expose valuable data, but such concerns are focused on one’s own organization. Unfortunately, it would appear that other operational and overall cost concerns trump supply chain wide security. Further Tripwire survey data indicates that certain industries, such as retail, finance and software, place a stronger focus on broad value-chain security, while others, particularly manufacturing and energy, are less aware. Although the majority of the security industry recognizes that these information security incidents will continue to occur, the lack of a broader focus comes as a surprise.
Erlin indicated that such results reflect the difference between what IT professionals can directly control and are directly accountable for, versus what they can often only influence. Many IT organizations have their own internal budget and resource constraints. However, Erlin stressed that organizations must invest in securing their points of information entry and interaction with partners. He further indicated that some initial Internet of Things (IoT) initiatives are currently utilizing rather old information service protocols that are highly vulnerable.
The obvious takeaway for the broader supply chain and procurement community is another wake-up call to increase diligence on potential information security vulnerabilities related to suppliers or trading partners that have access to a customer’s internal systems. This includes periodic audits and checks performed either by your own IT resources or by those of your supplier.
Information security remains a supply chain wide threat, particularly as the new era of IoT enabled business models takes hold. Information security needs to be a component of any supplier management plan involving a direct or indirect materials vendor with external access.
The financial and brand stakes of an information breach involving sensitive customer data can far outweigh budget constraints. It is also an area where two-way collaboration between customer and supplier needs to occur.