Every cybersecurity expert’s favorite axiom is that security is only as strong as its weakest link. That truth makes supply chains particularly vulnerable: they frequently involve hundreds or thousands of contracts stretching across multiple continents. Managing information flow across these relationships is hard when a manufacturer may not even know who its second- and third-tier suppliers are, much less what information they can access. Unfortunately, in 2019, attackers have never been more numerous or sophisticated, the new generation of network-connected devices has introduced new vulnerabilities, and laws are being passed that harshly punish businesses that fail to safeguard their data. This is the year to tackle supply chain security, which means taking a hard look at the security standards of your own organization and of every vendor you work with.
There are plenty of cautionary tales about data breaches caused by third-party vendors. The 2017 Verizon exposure of millions of customer records traced back to a customer service contractor, NICE Systems, which had left the data in a misconfigured cloud storage bucket. Target’s infamous 2013 breach began with network credentials stolen from an HVAC vendor. Yet neither of those smaller companies made headlines or absorbed the brunt of the public’s blame; that fell on Verizon and Target for failing to appropriately cordon off access to sensitive data.
The Threats and Consequences of Security Breaches
The risks associated with information security breaches are threefold. First, there is the matter of public accountability and legal liability if consumer data is compromised. The repercussions for a breach are especially serious in the wake of Silicon Valley’s privacy scandals, and can hurt both a company’s reputation and its bottom line. With the passage of the General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA), any company found to have mishandled customer data can be subject to massive fines. Regardless of where your business is headquartered, if you have customers in California or the EU you can still face enforcement action, which makes these laws effectively global in reach. Furthermore, sweeping federal legislation on data privacy is widely expected, so the standards for security are only going to get tougher.
There can be legal and PR blowback for a data breach even if it was an accident with no malicious intent, but there is also the serious matter of deliberate intrusions by business competitors, criminals, and even foreign governments. The US government takes supply chain security very seriously, and the Office of the Director of National Intelligence describes supply chain attacks as a “systemic assault” that can “penetrate sensitive research and development programs, steal intellectual property (IP) and personally identifiable information (PII), insert malware into critical components, and mask foreign ownership, control, and/or influence (FOCI) of key providers of components and services.” Taken as a whole, the intelligence community agrees these attacks “erode our nation’s competitive advantages in commerce, technology, and security.”
Finally, there is the very real issue of how shoddy digital security affects the quality of real-world products. The pharmaceutical industry, in particular, has struggled with counterfeit medicine making its way into the market through falsified records: a forged or altered shipping document is what lets a bogus lot pass as genuine. In 2017, the World Health Organization (WHO) estimated that 10.5 percent of medical products in low- and middle-income countries were substandard or falsified, at a cost of hundreds of thousands of lives. As medicines made their way through vast international supply chains, there were simply too many touches and too little reliable record-keeping.
Where to Start with Risk Assessment
Improperly handled data, malicious attacks, and mislabeled goods are three seemingly disparate problems, but the solution to all three is largely the same: keep a closer eye on your vendors. The Information Security Forum, a non-profit cybersecurity group, recommends starting by grouping contracts according to how much information is shared with each vendor. That is a good place to begin an informal audit, because doing so often reveals vendors whose access exceeds what their contract actually requires, and excess access can be revoked quickly.
Of course, some information sharing is inevitable and beneficial, but vendors with access to potentially sensitive data need to be held to higher security standards. Sit down with these crucial vendors and determine who owns the data being shared and how they are permitted to use it. Ensure that vendors with access to your data meet current regulatory requirements, which they should ideally prove through an assessment by an independent third party. Finally, have a plan in place for notifying one another in the event of a breach, including who is contacted and within what time frame. These can be challenging conversations, so prepare as much as possible by first mitigating your own vulnerabilities through third-party assessments and ongoing training.

The potential of new technologies to improve supply chain security is exciting, and they are increasingly affordable. Blockchain ledgers create tamper-evident records of transactions involving both data and goods, with the caveat that a ledger can only attest to what was entered into it; it does not verify that the physical goods matched the record. The pharmaceutical industry has used blockchain to reduce counterfeit medicine. Meanwhile, Walmart developed a blockchain platform with IBM to trace food to its suppliers, which reduced the time needed to trace a product from seven days to mere seconds. There is also AI-powered anomaly-detection software on the market that raises an alarm when anyone attempts to access information in ways that depart from normal patterns. These can be worthwhile investments, but the process has to start with a holistic look at who has access to your supply chain data. The task might seem overwhelming, but the consequences of putting it off could be much worse.
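To make concrete what a tamper-evident ledger buys and where its guarantee stops, here is an added example in Python. It is not code from the article, nor from the IBM/Walmart platform or any pharmaceutical system the article mentions; it is a minimal hash-chained custody ledger of the kind such systems are built on. The lot number, party names, quantities and timestamps are constructed for the demonstration.

```python
# Added example, not code from the article or from any platform it mentions:
# a minimal hash-chained custody ledger showing what "tamper-evident record"
# means in practice and where the guarantee stops. Shipment data is constructed.
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64  # previous-hash value used by the first entry


@dataclass
class Entry:
    index: int
    prev_hash: str
    record: dict  # one custody event: who handed what to whom, and when

    def digest(self) -> str:
        # Canonical JSON (sorted keys, no whitespace) so equal content
        # always yields the same hash regardless of dict ordering.
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "record": self.record},
            sort_keys=True, separators=(",", ":"),
        ).encode("utf-8")
        return hashlib.sha256(payload).hexdigest()


class Ledger:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, record: dict) -> Entry:
        prev = self.entries[-1].digest() if self.entries else GENESIS
        entry = Entry(index=len(self.entries), prev_hash=prev, record=record)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the latest entry; it commits to every entry beneath it."""
        return self.entries[-1].digest() if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Optional[str]:
        """Return None if the chain is intact, else a description of the first
        break. Without expected_head only the interior is checked: an edit to
        the final entry is invisible unless its hash was anchored somewhere the
        editor cannot reach (a counterparty, a public log, a second node)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.index != i or e.prev_hash != prev:
                return f"entry {i}: link to entry {i - 1} broken"
            prev = e.digest()
        if expected_head is not None and prev != expected_head:
            return "head mismatch: tail of the ledger was altered"
        return None


def sample_ledger() -> Ledger:
    """Constructed custody trail for one pharmaceutical lot (not real data)."""
    ledger = Ledger()
    ledger.append({"lot": "LOT-0001", "event": "manufactured", "qty": 1000,
                   "party": "Manufacturer A", "ts": "2019-03-01T08:00:00Z"})
    ledger.append({"lot": "LOT-0001", "event": "shipped", "qty": 1000,
                   "party": "Distributor B", "ts": "2019-03-03T14:30:00Z"})
    ledger.append({"lot": "LOT-0001", "event": "received", "qty": 1000,
                   "party": "Pharmacy C", "ts": "2019-03-05T09:15:00Z"})
    return ledger


def demo() -> dict:
    """Walk through the three cases a practitioner should understand."""
    ledger = sample_ledger()
    anchored_head = ledger.head()  # imagine this was shared with every counterparty
    results = {"intact": ledger.verify(anchored_head)}

    # Case 1: someone rewrites history in the middle of the chain.
    ledger.entries[1].record["qty"] = 900
    results["interior_edit"] = ledger.verify()

    # Case 2: restore, then rewrite only the newest entry.
    ledger.entries[1].record["qty"] = 1000
    ledger.entries[2].record["qty"] = 900
    results["tail_edit_unanchored"] = ledger.verify()             # goes unnoticed
    results["tail_edit_anchored"] = ledger.verify(anchored_head)  # caught
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome or 'OK'}")
```

Two lessons follow from the second case. The chain only protects entries that have a later entry hashed over them, so the newest record is protected only if its hash is held somewhere the record-keeper cannot silently change; distributing the ledger across several parties is what provides that anchor. And the ledger proves only that records have not been altered since they were written; it says nothing about whether the goods in the truck matched the record that was entered.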