Cybersecurity incidents are on the rise, and cybercriminals are taking aim at new types of information and using different attack vectors. More than ever before, the crooks are setting their sights on the supply chain with greater skill and attention.
In PwC's 2015 US State of Cybercrime Survey, 76% of those surveyed said they were more concerned about cybersecurity threats this year than in the previous 12 months, up from 59% the year before. The concern was well founded: four out of five respondents reported that their organization had experienced a security event in the previous 12 months. The survey polled 500 US executives, security experts, and others from the public and private sectors.
Large OEMs are faced with greater demands for both product volume and speed to market. To meet demand, these organizations expand their supply chains to get the materials they need—and increase their risk. In the e-book Cybersecurity in Our Digital Lives, the National Cybersecurity Institute wrote:
Smaller firms that offer the innovative or specialized capabilities and products essential to maintaining a competitive edge are often not financially positioned to afford adequate defenses, especially if they are being squeezed by customers to lower costs.
Both OEMs and their suppliers are potential targets for attacks that put malware into the network. Consultants Booz Allen Hamilton offer a three-step process for organizations that want to increase supply chain cybersecurity. The firm recommends starting by evaluating the maturity of the organization's security in this way:
- Build a roadmap based upon a maturity assessment. Evaluate the gap between the security practices your organization has in place now and the best practices that should be in place. Identify the key controls that apply to supply chain risk management, conduct a baseline assessment, and use that data to build a roadmap.
- Identify key risks throughout the supply chain lifecycle. Start by breaking down the supply chain life cycle into small discrete phases that can be tackled individually. Assess the likelihood of each potential risk. Use the resulting list as an agenda for change.
- Decompose some of your key product lines. Look at your products with a lens of understanding the individual cyber-sensitive components within each product. Do some research. How much can you find out about their manufacturing sources, acceptance testing, suppliers, and intended customers? In most organizations, internal policies and systems preclude this level of visibility—but more customers will be demanding this type of understanding in the future. Build toward being able to provide it by assessing the processes, risks, and controls associated with each product.
It's also good to understand the enemy. The infographic below, from Supreme Systems, offers a primer on the most virulent and destructive viruses in history. Take a look and then let us know how you are tackling cybersecurity in your supply chain in the comments section below.
— Hailey Lynne McKeefry, Editor in Chief, EBN