An OEM's information network may be locked down tight, but a weak external link in the supply chain is not a threat to ignore. Among the many possible security holes in the supply chain, inside attacks are potentially lethal and often overlooked.
According to a comprehensive PricewaterhouseCoopers (PwC) analysis, the information flow from electronics buyers to their suppliers is surging, representing potentially valuable data to attackers inside the firewall who already hold the passwords needed to access it. That data is low-hanging fruit, since most suppliers have no security plan in place to prevent and respond to insider threats.
A lack of resources that leaves suppliers' IT departments unable to counter inside threats can have major implications for the supply chain and harm electronics buyers in a number of ways. With little visibility into how secure their electronics suppliers are, OEMs and electronics buyers also often fail to understand the implications of not monitoring how exposed those suppliers are to inside threats.
Among the risks electronics buyers face, inside attacks within their supplier base can do a lot of damage. The damage includes loss of brand value, revenues, profits, and market share, said Don Ulsch, a managing director for PwC Advisory. "[Supplier breaches] could also lead to contract violations that result in protracted civil litigation, which is highly interruptive to the business process," said Ulsch. "The failure to disclose cyber risk and cyber defenses to investors through the filing of required documents could result in regulatory impairment."
The statistics are sobering. According to PwC data, 49% of the respondents in a survey said they had no plans in place to respond to insider data threats. Among those surveyed, 28% of all reported attacks were inside jobs, while 32% of respondents said inside attacks are more costly and damaging than external attacks.
Smaller suppliers with fewer than 500 employees are the most exposed. According to PwC, only 20% of small companies have security teams in place that can effectively respond to inside attacks, compared to 62% of large organizations, which can invest in the resources needed to mitigate the threat. The statistics also showed that in an enterprise of fewer than 500 employees there is usually only a single person in charge of both security and IT, so insider threats remain neglected for lack of human resources.
Ulsch offers a must-do list that can make sure suppliers are doing what is necessary to protect themselves from both inside threats and external risks:
- Disclose breach histories so that the buying company can reasonably assess the degree of risk of dealing with that supplier;
- Meet a specified information security standard and be accountable through periodic audits;
- Conduct meaningful background investigations on their employees;
- Educate and sustain awareness about the risks associated with social media disclosures and other security awareness issues that may elevate risk;
- Have adequate levels of cyber insurance, while legal counsel and insurance specialists should review requirements for cyber insurance; and
- Be held financially responsible for a breach if the supplier is responsible for it.
"Also, in the event of a breach, as part of the supplier's incident response, the supplier should have acceptable procedures in place to fully and completely investigate the breach," said Ulsch. "The supplier should establish a root cause analysis, conduct the investigation under the direction of the general counsel, maintain an accurate and comprehensive investigative file, and allow the company complete access to that record."
The problem for many suppliers is how to convince upper management to allocate the necessary resources to effectively protect themselves against inside attacks.
"Some executives and boards do not believe their companies are likely targets for various reasons: size of the company, market position, lack of threat awareness, perceived lack of awareness of the value of their assets to adversaries, and so on," said Ulsch. "In some instances, companies simply don't know they've been breached. And in other cases, there is the perception that breach response is an IT issue."
At the end of the day, suppliers must also realize that protecting their own data from inside attacks means they are also protecting their electronics buyers' customer data.
"Suppliers that meet standards will not only help to protect their customers' data, but it will help them as well," said Ulsch. "Any data breach for them due to an inside breach as well as an external attack, of course, is bad for all buyers and sellers."