It would not surprise me if high-tech supply chain executives tasked with protecting valuable supply chain data said they are on pins and needles as they evaluate news reports that technology companies, including Apple Inc., have suffered cyberattacks.
In a rare disclosure explaining the widest known attack of its computers, Apple officials said Tuesday that hackers infected Macintosh machines belonging to some employees when they visited a software development website. Reuters reported that the malware, which manipulates a flaw in a version of Oracle's Java software used as a plug-in web browser, was designed specifically to attack Macs.
Facebook revealed a similar attack last week, and Twitter announced in early February that it had reset the passwords of 250,000 users whose information was compromised after hackers attacked it. At the end of January, The New York Times revealed that Chinese hackers had spent four months trying to infiltrate its computer systems to steal the passwords of reporters and other employees.
These attacks and others show that hackers are attacking corporate data more frequently. This doesn't bode well for an electronics industry battling to secure product designs, intellectual property, supplier agreements, and data associated with manufacturing and business processes across the supply chain.
Keeping sensitive supply chain data safe is even more challenging in the face of the ongoing cyberwar allegedly being conducted by the People's Liberation Army (PLA), a group supported by the Communist Party of China. According to a report published last week by the American computer security firm Mandiant Corp., the PLA conducts cyberwarfare from its base on the outskirts of Shanghai. The APT1 group has systematically stolen hundreds of terabytes from at least 141 organizations, including high-tech companies.
Remarkably, we have witnessed APT1 target dozens of organizations simultaneously. Once the group establishes access to a victim's network, they continue to access it periodically over several months or years to steal large volumes of valuable intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists from victim organizations' leadership. We believe that the extensive activity we have directly observed represents only a small fraction of the cyber espionage that APT1 has committed.
This is a chilling revelation, as well as a reminder that the high-tech industry must be on guard. Such threats can interrupt business planning, stall growth, and lower revenue.
Undoubtedly, supply chain executives face a daunting task, which becomes more difficult when we consider the increasing number of component suppliers, the quest to add manufacturing locations, and the demands of managing transportation, logistics, and other segments of the supply chain.
In mid-2012, Deloitte Consulting surveyed 600 executives about the supply chain. Forty-eight percent of respondents said “the frequency of risk events that had negative outcomes” had increased over the past years. “Executives from high-tech companies were most likely to report an increase, with roughly two thirds saying that was the case.”
Things may very well get worse before they get better. Executives in the high-tech, industrial product, and diversified manufacturing industries (which all have complex supply chains) were most likely to report an increase in costs associated with supply chain risk, Deloitte found. It seems inevitable that companies in the electronics industry will see more cyberattacks. I agree with the Deloitte report's conclusion that companies need to think beyond simply preventing attacks and craft a plan to reduce their impact.
Deloitte outlined four key critical attributes of supply chain resilience.
Visibility : The ability to monitor supply chain events and patterns as they happen, which lets companies proactively — and even preemptively — address problems. Critical enablers include people capabilities and analytics capabilities. Flexibility : Being able to adapt to problems quickly, without significantly increasing operational costs, and make rapid adjustments that limit the impact of disruptions. Critical enablers include people capabilities and governance processes. Collaboration : Having trust-based relationships that allow companies to work closely with supply chain partners to identify risk and avoid disruptions. Critical enablers include people capabilities and analytics capabilities. Control : Having policies, monitoring capabilities, and control mechanisms that help ensure that procedures and processes are actually followed. Critical enablers include governance processes and analytics capabilities.
What are you doing to protect your supply chain from breaches? What is your plan for dealing with the challenges after a cyberattack? And how are you collaborating with your supply chain partners to formulate a comprehensive data protection plan?