This dialogue occurred on Tuesday, December 10, at 1:00 p.m. EST.

Today's supply chains are ripe for cyberattack as organizations work to open lines of communications with their partners. We'll be chatting with Steve Durbin, global vice president of the Information Security Forum, about the risk to the supply chain and best-practices for mitigating those risks.

@hailey thanks for having me, been fun, see you all soon

User Rank   Stock Keeper

Good supply chain info risk management needs to be integrated with vendor management and based on a follow-the-information approach - I'll leave you with that thought!

User Rank   Stock Keeper

I'm going to draw us to a close, but thank you very much for coming by Steve! We're glad to have you come anytime. And thanks everyone for asking some great questions.

User Rank   Blogger

@ glad to know I'm in good company - and there's plenty of guac to go round too :)

User Rank   Stock Keeper

@Steve, and EBN is glad to provide the forum for your mission! I'm right there with you!

User Rank   Blogger

Hey Mitch, good to have you with us. That's a critical comment that you are making! Your partner's mistake can be your downfall.

User Rank   Blogger

@hailey I'm on a mission... :)

User Rank   Stock Keeper

@mitch - that's right Mitch and also the provider of paper and and and 

User Rank   Stock Keeper

@Steve, that would be an ideal world with security close to the business. Let's hope people listen to you!

User Rank   Blogger

Sorry, folks - I have to jump off. Thanks for the insight!

User Rank   Stock Keeper

I just came out of a meeting where we discussed some points very relevant here: Security isn't just an internal matter. Partner security impacts your security. The nuclear power plant doesn't have to just worry about its own security; it has to worry about the security at its catering company. 

User Rank   Stock Keeper

Security can be built in to operations. Financial companies look for behavioural trends with traders, as well as changes in trading pattern. It's sophisticated, but it can trap problems early.

User Rank   Blogger

and patching! Don't get me started about the need to patch applications and OSes regularly and with alacrity.

User Rank   Blogger

@jim spot on jim, that's why I'm a fan of embedding security in the business - put a security guy out with the business teams so that security understands what is going on and can provide advice and guidance constructively and in a timely way

User Rank   Stock Keeper

@Rodney, and the really scary thing is that there's no telling what that 53 percent are calling "annual security training". It might be a ten-minute video or an email reminder.

User Rank   Blogger

Awareness is a biggy, we've said it for years and we'll continue to say it for many more to come

User Rank   Stock Keeper

Training only goes so far. The pace of operations often puts security on a back burner, especially if people develop a high level of comfort in relationships.

User Rank   Blogger

Hailey, another troubling stat I saw -- 53% of companies conduct security training only yearly, and 14% only do it "ad hoc" -- when someone screws up, basically.

User Rank   Stock Keeper

@hailey, that's right, there were some stats I saw around phishing that said that I think if you received the same phishing email twice or three times you were more inclined to click and open it to find out what it was all about than if you only received it once - I love my spam filter and junk mailbox!

User Rank   Stock Keeper

We are past the half hour mark... so dear guests, it's time to get your last questions in. Steve, thoughts that you haven't had a chance to share?

User Rank   Blogger

Also can be the most difficult to detect

User Rank   Stock Keeper

@Steve, the training piece is hard. Everything I've seen and read has said that you have to make it part of the day-to-day business, by putting it in people's job descriptions (to protect corporate assets including data and systems); to do regular trainings, mention it in meetings, even put signs up on the wall (Don't share your password). The problem is that the cybercriminals have unlimited attempts and only need one mistake.

User Rank   Blogger

@jim good point jim, I agree, some of the most damaging have been the small frauds which add up

User Rank   Stock Keeper

That makes a lot of sense - let the data path identify the riskiest links.

User Rank   Stock Keeper

Bite-size based on risk profile, right

User Rank   Stock Keeper

Steve, it would be worth checking the riskiest transaction types out early in the process, independent of size. Often large amounts of fraud occur in small deals.

User Rank   Blogger

And then start from there - it's more manageable.

User Rank   Stock Keeper

Work with those suppliers and identify the ones "at risk" - could be down to geography, could be that they don't have the most robust systems in place.

User Rank   Stock Keeper

bite-size based on risk profile, though

User Rank   Stock Keeper

Then track that info flow across suppliers; that'll identify where you need to focus your efforts.

User Rank   Stock Keeper

What I mean by that is start with the information - what's the most important and critical to the business.

User Rank   Stock Keeper

@michael s I'd say not, that's a bit like trying to boil the ocean - I'd say look at it in bite-sized chunks.

User Rank   Stock Keeper

Good Food ALWAYS ROCKS!

User Rank   Supply Network Guru

@hailey yes, it's about all those things, but more about looking at the access points to those systems and ensuring that the basics are covered - the people awareness things are important too, it's not just about technology, and of course in many countries where supply chains extend, it can be a relatively low cost exercise to influence the people side to let you have info you would otherwise not have.

User Rank   Stock Keeper

Hailey, you've twisted my arm. It's delicious.

User Rank   Stock Keeper

@Steve - is it wisest to set up security procedures across the organization and apply them equally across all suppliers?

User Rank   Stock Keeper

@Michael, I know Christmas isn't your gig... but guacamole and salsa are really festive. Start with the abstinence in the New Year... Besides, our virtual guac is very low cal. :)

User Rank   Blogger

Risk assessment is about determining the potential impact of the loss of data to your organisation - you'll want to take into account geography, yes, but also the degree of maturity of your suppliers' security, their willingness to share info with you and to discuss security.

User Rank   Stock Keeper

Thanks, Tech4people. 

User Rank   Stock Keeper

Thanks, Hailey! I'm trying to cut down on the guac, though.

User Rank   Stock Keeper

@Michael - Factor No. 1 is employees. Factor No. 2 is the technology involved.

User Rank   Supply Network Guru

@Steve, what might be a proportionate response? is it about securing data, apps, systems, endpoints? What are the best practices from a technology standpoint?

User Rank   Blogger

@michael s I'm thinking here of the traditional supply chain management approach, which is mostly done by procurement and has tended to focus on risk by size of contract - so a $100m contract gets attention but IP which has no $ ticket - yet - would get missed.

User Rank   Stock Keeper

What factors go into risk assessment? Geographic location? Security of the suppliers' systems?

User Rank   Stock Keeper

Hey Michael, welcome to the conversational fray! Glad you could be here. Have some guacamole.

User Rank   Blogger

@Hailey - complications can be endless, if you do so.

User Rank   Supply Network Guru

Overcoming some of the challenges is about identifying the info shared with suppliers and quantifying the risk to determine a proportionate response

User Rank   Stock Keeper

Data scrubbing and reasonability checking look like huge SaaS opportunities

User Rank   Blogger

Sorry for the repeat, everyone.

User Rank   Stock Keeper


@Hailey: Are the people taking the data able to create a picture from all these different parts? Do you need a certain skill set to assemble it all?

User Rank   Stock Keeper

@Jim, glad you could make it... pull up a chair.

User Rank   Blogger

Humans can make judgments or at least call odd figures into question

User Rank   Stock Keeper

@Steve - what are some examples of a 'most obvious' contract not being the most risky?

User Rank   Stock Keeper

@jbos Doesn't it always

User Rank   Stock Keeper

@tech4people, insider threat is a big deal, whether the insider is malicious or ignorant.

User Rank   Blogger

@SteveD, It does, but the human touch therefore, oddly, becomes desirable.


User Rank   Stock Keeper

Some of the big fraud cases were insiders manipulating data trends. Barings comes to mind.

User Rank   Blogger

The key to managing info risk in the supply chain is to employ an info-led, risk based approach

User Rank   Stock Keeper

@Steve, what sort of questions should OEMs and distributors be asking to figure out the riskiest items to focus on?

User Rank   Blogger

The thing that has me worried is the way that different types of data can be culled from different systems and be made into more valuable information (customer names and bank routing numbers, etc.). The big data craze has systems much more closely connected.

User Rank   Blogger

@jbosavage - Outsider intrusions are easier to detect and monitor; it's the inside ones which are more worrying.

User Rank   Supply Network Guru

So, it becomes a real toughie to spot

User Rank   Stock Keeper

Another issue of course is that many organisations focus only on managing info risk for a limited number of the most obvious - not necessarily the most risky - contracts

User Rank   Stock Keeper

Distortions could be subtle. Sentiment based forecasting is on the rise, and it's susceptible to someone jamming YouTube or Twitter with spurious hits.

User Rank   Blogger

@jbosavage - That would be brutal.

User Rank   Supply Network Guru

@jim O'R absolutely Jim, and that's why the financial markets are so hot on monitoring - other industries are not at the same level of sophistication yet.

User Rank   Stock Keeper

And the data can be manipulated from the inside, as well as outside intrusion, sadly.

User Rank   Stock Keeper

So you get a figure for 100,000 t-shirts, but it should be 50,000. A casual observer might not detect the error.

User Rank   Stock Keeper

@tech4people NSA has changed lots of conversations :) Assume they have a view... well, don't be shy guys...!!!

User Rank   Stock Keeper

@jbosavage. glad you stopped by. Guacamole and chips are on the table in the back. still plenty to go around.

User Rank   Blogger

Steve I'm not sure a Big Data distortion would be detectable. The stock markets come to mind, You can make millions from a transient event.

User Rank   Blogger

@Hailey - Absolutely. Which is why most don't even want to think about supply chain security.

User Rank   Supply Network Guru

I fear that businesses could rely so much on data that there is no one doing a common sense, reality check on the numbers.

User Rank   Stock Keeper

@hailey yes, takes us onto the notion of how to effectively combat this and it is about collaboration, within the business and with other businesses across sectors and geographies

User Rank   Stock Keeper

@jimC, great question.

User Rank   Blogger

@tech4people: Thanks for helping make that distinction. Have the issues regarding the NSA and its ability to collect massive amounts of information changed some of the conversation between what China and India do and what the US can do?

User Rank   Stock Keeper

@jimc not seen anyone prepared to publicly admit - doesn't mean it's not happened :)

User Rank   Stock Keeper

@Steve, for supply chain users, I could see that being catastrophic. What you buy, from whom, how much, when it will arrive, there are so many variables that could be potentially manipulated. I'm sure there are many breaches of security that never make headlines.

User Rank   Blogger

@hailey correct, phishing is getting more and more sophisticated and keeping track of your second and third tier suppliers becomes even more important - the further away from the source, the more attractive to the cyber thief and the more difficult for the main enterprise to manage.

User Rank   Stock Keeper

Steve. Have you seen that big data manipulation happen in real life yet? Or is it still in the "possible" class?

User Rank   Stock Keeper

@steve - That is good news.

User Rank   Supply Network Guru

@SteveDurbin, that's a huge issue with retail.

User Rank   Stock Keeper

@hailey big data = big issue - potentially! What I mean by this is that the biggest concern for me around big data is not the theft of information but the manipulation of data to cause big data analytics to come up with erroneous conclusions that take the business off course.

User Rank   Stock Keeper

@Steve to your point, phishing and other social engineering stuff is getting much more sophisticated as well. It's not surprising that many of these weak links fall for the lures.

User Rank   Blogger

@scott I'm seeing very much more interest these days from the "professions" in terms of them having to address their security than before

User Rank   Stock Keeper

@Scott - With China it tends to get institutionalized (at the nation-state level). With India, it's more at the individual level (hired guns, so to speak).

User Rank   Supply Network Guru

how do some of the other headline topics (I'm thinking of big data and internet of things, for example) shift the way supply chain organizations have to think about IT security?

User Rank   Blogger

@tech4people yes IP theft for competitive gain is a biggy

User Rank   Stock Keeper

@Steve: An interesting point. Has the supply chain been particularly weak when it comes to this type of cyber security?

User Rank   Stock Keeper

@Scott, for electronics manufacturers, there's an additional and newly emerging threat--that malware makers try to get into the system so that their malware is loaded into the firmware of electronics products that connect to the internet--and so everyone who buys the product is infected and infects others. This one is less common but can you imagine the corporate PR nightmare that could ensue?

User Rank   Blogger

@tech4people: So it's all corporate espionage at this point. Is it other companies, or does it involve nation states, such as China, where there's a history of trying to compromise IP for a competitive gain?

User Rank   Stock Keeper

@scott to secure the supply chain we need to look beyond just the traditional partners and bring in our lawyers, accountants, the non-traditionals - and they may be the weakest link and so the easiest route for the cyber thief.

User Rank   Stock Keeper

@scott I'll give an example, say pharma: if you can steal the IP on new drugs before a patent is filed - and towards the end of the process before filing that info is shared with lawyers as well as research partners - then that can be a hefty cost and a massively attractive target.

User Rank   Stock Keeper

@Tech4people, the golden triad for me: people, processes and technology. You gotta have them all to succeed.

User Rank   Blogger

@Scott - It's all about individual IP.

User Rank   Supply Network Guru

@Hailey - It's always about the people. It's the people who make it hard to do something, usually.

User Rank   Supply Network Guru

(Quick commercial: EBN's most recent Velocity e-mag just tackled the topics we are discussing now, so take a read: http://dc.ubm-us.com/i/207639)

User Rank   Blogger

How much of a threat is DDOS for the companies you deal with?

User Rank   Stock Keeper

@hailey, absolutely, but this is where the security guys can really make a difference, by working with business owners to understand what they're trying to achieve and then supporting that effort.

User Rank   Stock Keeper


Tech4people, why would better clarity make the policies harder to enforce? Maybe less of a need to enforce them, sure, but I don't see how it would make enforcement harder.

User Rank   Stock Keeper

@Steve: Thanks. So what are the benefits of trying to steal data from the supply chain, as opposed to typical attacks on a company network or DB? Is it a matter of stealing info to be sold later, or is it a bit of corporate spying, trying to gain an edge?

User Rank   Stock Keeper

@rodney for me enforcing policies is about winning hearts and minds - it's about making sure that your policy is co-authored with the business and getting the business to enforce it, not the security guy.

User Rank   Stock Keeper

@Rodney - Otherwise one would have seen BYOD issues getting totally sidelined and sorted out by now.

User Rank   Supply Network Guru

@Steve, "practical, focused and relevant to your business" I suspect is easy to say and hard to do.... and then you have policy enforcement on top of that.

User Rank   Blogger

@Rodney - I have a feeling it's because these things are becoming crystal clear and more transparent today.

User Rank   Supply Network Guru

The kinds of attacks tend to be theft of data; we see insider-based attacks. It's all about the data really, since that's where the value lies, and also about attacking the big company via one of the suppliers.

User Rank   Stock Keeper

For companies in manufacturing isn't securing the supply chain one of those situations where you want to ensure that your suppliers have all their T's crossed, but then you have to turn around and comply with the demands of the customers that you are supplying? Does that present any conflict in terms of security standards?

User Rank   Stock Keeper

Steve, I just saw a disturbing stat -- more IT managers find it harder to enforce security policies in 2013 than in 2012. Is BYOD making this tougher or is it just a matter of lack of desire to push the enforcement?

User Rank   Stock Keeper

@Hailey - Absolutely, threat mitigation is extremely crucial.


User Rank   Supply Network Guru

Having done that, you're ready to start!

User Rank   Stock Keeper

Maybe this was asked before, but I wanted to see what the most common types of attack on the supply are? Are there ones we see over and over again?

User Rank   Stock Keeper

Then you need to make the policy practical, focused and relevant to your business - and of course understandable from the supplier side.

User Rank   Stock Keeper

Hey Scott, happy holidays... Steve says he's ready for our hardest questions on security. So don't hold back. :)

User Rank   Blogger

@Rodney, glad you could make it!  Pull up a chair and have some guac.

User Rank   Blogger

Before starting on the policy it's about understanding the risk appetite you have in the organisation.

User Rank   Stock Keeper

@Jim, glad to have you with us! We've got fresh guacamole on the table in the back. Help yourself!

User Rank   Blogger

Hi everyone. Happy holidays.

User Rank   Stock Keeper

Sharing with suppliers is essential, yet increases the risk of that information being compromised

User Rank   Stock Keeper

I know many organizations try to create security policies and push them through the supply chain. What are the elements of a good security policy?

User Rank   Blogger

Howdy all.

User Rank   Stock Keeper

Keep 'em coming :)

User Rank   Stock Keeper

Hi, Hailey

User Rank   Stock Keeper

@Steve, we ask the hard questions here. :)

User Rank   Blogger

So many organisations have multiple tiers of suppliers that keeping track can be difficult

User Rank   Stock Keeper

Biggest challenges have to be really understanding who is in your chain, what info you're sharing and then what the 3rd parties are doing with it

User Rank   Stock Keeper

That's a tricky one to start us off.

User Rank   Stock Keeper

Hi Steve, you're right on time! Welcome... pull up a chair and help yourself to some virtual guacamole and chips. Everyone, Steve's bio and some info on ISF are at the start of the chat. Steve, to get us started, what do you see as some of the biggest challenges for the supply chain today in terms of security?

User Rank   Blogger

Hi Hailey, Hi everyone, this is Steve, thanks for inviting me along to the chat

User Rank   Stock Keeper

And always, please announce your arrival so we can give you a warm EBN welcome and offer you some virtual  guacamole. :)

User Rank   Blogger

Questions, theories, ideas, real world experiences and even friendly rants are welcome here.

User Rank   Blogger

This will be a fun, fast, and friendly conversation, so please do not hold back with your comments or questions.  There are no dumb questions and we value everyone's point of view.

User Rank   Blogger

Second, if you have problems posting, we suggest trying a different browser. IE9 is a popular choice, but some find Firefox, Chrome, or Safari work better.


User Rank   Blogger

We will be starting at 10:00 a.m. PST/1:00 p.m. EST sharp. First, though, there are two housekeeping notes:

First, please make a copy of your post before hitting the "post" button - just in case. If the system "eats" one of your carefully crafted thoughts, please hit "Ctrl-Z" to recover it.

User Rank   Blogger

@tech4people, it's certainly more about mitigation than total security.

User Rank   Blogger

It was easy when everything was in one place, but now that we have everything spread all over the globe, what are you going to do about it?

User Rank   Supply Network Guru

I mean how can you monitor/police such a disparate chain of events in one place?

User Rank   Supply Network Guru

The thing about supply chain security is that it's a topic which hardly anyone is prepared to deal with currently.

User Rank   Supply Network Guru

Feel free to front-load thoughts or questions while we wait.

User Rank   Blogger

@Hailey - I hope so!

User Rank   Supply Network Guru

Hang in there, @tech4people. Only 20 minutes until we start!

User Rank   Blogger

Thanks, Jennifer!

User Rank   Blogger

I hope to make it. Kinda late for my time!

User Rank   Supply Network Guru

Excited about the chat in one hour! Should be interesting, especially for those of us in the retail sector.

User Rank   Stock Keeper

Here's a little more information about the Information Security Forum:

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organizations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.


ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organizations and developed through an extensive research and work program. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. And by working together, Members avoid the major expenditure required to reach the same goals on their own.

User Rank   Blogger

Here's a little more information about our guest:

Steve Durbin is Global Vice President of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, consumerization of IT, big data, outsourced cloud security, third party management and social media across both the corporate and personal environments. Durbin has considerable experience working in the technology and telecoms markets and was previously senior vice president at Gartner. As global head of Gartner's consultancy business he developed a range of strategic marketing, business and IT solutions for international investment and entrepreneurial markets. He has served as an executive on the boards of public companies in the UK and Asia in both the technology consultancy services and software applications development sectors.

User Rank   Blogger