When reports surfaced earlier this year that hackers had penetrated the network of Foxconn Electronics Inc., the news sent shivers down the spines of many supply chain executives in the electronics manufacturing industry. After all, if the contract manufacturing giant that makes Apple's iPhones and iPads can have its computers compromised, what does that mean for the rest of the electronics industry, which has linked its supply chain data to globally connected networks?
What it means is this: A digitized electronic supply chain isn't just a source of information; it's the network that contains data that drives business decisions, improves efficiency, and advances a company's competitive differentiation. Supply chain data is gold; it can be valued in the millions, and maybe even in the billions. It is, therefore, imperative that original equipment manufacturers, contract manufacturers, and distributors protect their financial, operational, and product information -- but these days, doing so is becoming increasingly difficult.
Today, the electronics industry operates in an era of mobile device connectivity, social media, and hackers with ever more sophisticated tools to conduct more persistent attacks. In fact, according to recently released research, there has been an increase in the number of data breaches across the globe. The "2012 Data Breach Investigations Report," published by Verizon, reveals that in 2011 there were 855 data breaches that involved more than 174 million compromised records. This was the second-highest data loss that the Verizon RISK (Research Investigations Solutions Knowledge) team has seen since it began collecting data in 2004.
The report reflects the global challenge facing companies conducting international business online. To gauge the global scale of cyberattacks, Verizon collaborated with the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting and Information Security Service, and the Police Central eCrimes Unit of the London Metropolitan Police.
The international nature and scope of cyberthreats have a direct impact on the electronics supply chain, which relies on a global shipping and logistics network infrastructure to conduct its business.
One company that understands the dangers of these threats is UPS, a global logistics company that collaborates with security agencies around the world for information exchange, risk assessment, regulatory compliance, and preventive action. This includes participating in various cybersecurity task forces and industry working groups.
"Certainly, as technology becomes more sophisticated, new threats emerge. We believe our collaboration helps to develop and share best practices for responding to threats and enhances our preparation," Susan Rosenberg, UPS public relations director, said in an interview with me. "We add to that technology tools that UPS provides for visibility of packages and information management to operate our multi-modal transportation networks around the world."
Like other companies connected to a global electronics supply chain, UPS is faced with the arduous task of trying to provide transparency and visibility while protecting sensitive business information. Without divulging details about UPS's security measures for fear of compromising them, Rosenberg broadly outlined two distinct aspects of the approach UPS has taken, both of which safeguard the high-tech and strategic component shipments of its customers.
First, UPS examines its processes and compliance for data protection and internal systems, including the architecture and redundancies of its own technology and training to routinely reinforce the protection of internal data as well as customers' information assets. "We have continually enhanced authentication processes for using ups.com or any of our shipping systems or UPS tools that may be APIs integrated into other technology platforms for accounting or inventory management systems," Rosenberg told me. "We have frequent and periodic requirements for password changes and rules for encryption and use of any auxiliary devices."
Second, Rosenberg said UPS counsels customers on risk assessment in their supply chains to help minimize data breach threats through effective logistics planning with sourcing partners, multiple modes of transit, aligning regional and global geographic needs, planning for warranty repair, and parts inventory management.
"In the UPS multi-layered approach to ensure security, we have processes, systems, and procedures in place designed to protect our people, aircraft, vehicles, and customers' shipments. It's very dynamic, and much is tied to 'Sensitive Security Information' by government entities that cannot be disclosed to the public."
In the meantime, companies that provide data security tools and services are feverishly working on ways to prevent electronic supply chains from succumbing to cyberattacks. One such company is Redspin Inc., which provides penetration testing and IT security assessments. In June, the company announced a new assessment service that helps Fortune 1000 companies reduce their vulnerability to advanced persistent threats (APTs).
Daniel Berger, Redspin's president and CEO, told me that high-tech companies involved in tackling the problem of data breaches should rethink their strategies. "It is impossible to construct a security defense that can protect all data and every data exchange," he said. "We recommend companies conduct a data-centric risk analysis so that the most resources can be allocated to safeguard the most important in the electronic supply chain."