Is Your Supply Chain Protected Against Cyberattack?

When you think about supply chain risks, what's often mentioned is not something related to the physical supply chain. Rather, it's the growing number of IT-related cyberthreats that could do serious damage.

A recent report from the Georgia Institute of Technology on emerging cyberthreats, for instance, includes information around exactly this theme. Give the report a quick scan, and phrases and section headlines like these could leave many supply chain executives and CIOs wondering what's lurking in the background undetected:

  • Insecurity of the Supply Chain: Hard to Detect, Expensive to Fix, and a Policy Nightmare
  • Supply chain insecurity is both hard to detect and expensive to defend against
  • On an international policy level, supply chain issues will continue to be an intractable problem
  • Cloud Security Enters Its Teenage Years: Data in the Cloud Will Have Better Overall Security, but Failures Will Be Severe

So, it's not a stretch to believe that we'll be seeing more companies and governments trying to curb these risks in the next couple of years. In fact, we're already seeing some of this conversation happening in Europe.

Earlier this month, the EU proposed new cybersecurity rules that provide the region's “comprehensive vision on how best to prevent and respond to cyber disruptions and attacks.” With the overarching aims of “achieving cyber resilience, drastically reducing cybercrime and establishing a coherent international cyberspace policy for the European Union,” the directive is looking for ways to address problems like these listed in its press release:

  • According to the World Economic Forum, there is an estimated 10 percent likelihood of a major critical information infrastructure breakdown in the coming decade, which could cause damages of $250 billion.
  • The 2012 Eurobarometer poll on cybersecurity found that 38 percent of EU Internet users have changed their behavior because of these cybersecurity concerns: 18 percent are less likely to buy goods online and 15 percent are less likely to use online banking.
  • Eurostat figures show that, by January 2012, only 26 percent of enterprises in the EU had a formally defined ICT security policy.

According to media reports, each EU member state would set up “CERTs,” or Computer Emergency Response Teams, to deal with hacking and malware crises and there will be more pressure placed on private companies across many vertical sectors — banking, energy, Internet search engines, cloud service providers, transportation, stock exchanges, to name a few — to report major security breaches and cyberdisruptions. The Wall Street Journal, citing EU officials, said as many as 40,000 companies could be impacted if the proposal becomes law. That means many companies either directly in or touching the electronics supply chain may be included in the reporting requirements.

The proposal has to go to the European parliament and be approved by the leaders of the EU's 27 national governments before being signed into law, a process that could take a couple of years. Even though companies don't have to comply with this right now, it seems pretty clear the handwriting is on the wall.

Cyberthreats will continue to be a significant risk on many levels. Governments will try to protect their constituents from cybercrimes with rules that will impact businesses. Supply chains — and the IT systems supporting them — could face serious disruptions in the wake of major security breaches. So, maybe now's a good time to ask — what are you doing to curb such risks?

21 comments on “Is Your Supply Chain Protected Against Cyberattack?

  1. t.alex
    February 14, 2013

    I can see a number of companies are still ignoring this threat, even though we are 24-hour connected to the internet at work or out of work. 

    Not much has been done to establish company policy or building proper firewall to prevent sneaky attacks. And with the rising use of mobile phones at work, hackers can have more ways of intruding the system. 


  2. Houngbo_Hospice
    February 14, 2013

    Many companies don't seem to be taken the threats seriousely unless they are directily affected. But some of the attacks are so subtle that they can bypass the most sophisticated firewalls. 

  3. _hm
    February 15, 2013

    It is difficult to protect all supply chain and other infrastructure with ever changing fire walls. Some time proper action may be to counter attack and impose sanctions against country or group of people. This is may be major deterent for criminals. 

  4. Houngbo_Hospice
    February 15, 2013


    “Some time proper action may be to counter attack and impose sanctions against country or group of people. “

    You cannot for sure know if specific countries government officials are behind the attack and a counter attack as a retaliation strategy may not be the appropriate solution as you will be commiting the same crime. The best thing to do will be  the implementation of a better security strategy in order to detect and deflect the threats before they hit their target.

  5. Houngbo_Hospice
    February 15, 2013


    Everybody can be hit by a cyberattack as long as you are connected to the internet. I like the idea of “  distributed but coordinated web servers. ” for site duplication (not only content). But it will come at a cost.

  6. Houngbo_Hospice
    February 16, 2013


    “I heard the microwaves and coffee pots went out of control at EBN that day, too.”

    I can imagine why. It might be because of too many solliciations from the editorial staff and the IT team. I am sure that a record was broken that day.

  7. prabhakar_deosthali
    February 17, 2013

    The protection from a cyber attack has to be anticipated by every company doing business over the web. True. But what kind of protection ? That is not clear . Currently there is not a single solution which can say that it can protect us 100% from the cyber attack.

    The solution has to lie in the technology itself. May be the new IP V6 internet protocol will help us in the matter . With IPV6 if we are able to do away with dynamic IP address allocation and have static IP addresses for all the devices connected to the web then all the activities happening on the web would be traceable to a specific computer or device and reaching the source of the cyber attack may become easier , in my opinion

  8. Ashu001
    February 17, 2013


    Anyone who thinks a Bunch of Laws are gonna Delude Cyberattacks is beyond Deluded.

    A better option is to have robust Redundancies in place with all Requisite Patching and Protection Done.

    If one Goes Down,you have to be able to move things to another Server and very,very quickly.


  9. Brian Fuller
    February 17, 2013

    Redundancy is a no-brainer, yet the very fact that we keep bringing it up suggests that, overall, we're not very good at instituting it. There has to be a simple equation in someone's spreadsheet somewhere that says 1 day of outage equals $x lost revenue and potentially X lost goodwill. The annual maintenance of a redundant server = $Y. 

    Thanks for the good comment @tech4people.

  10. Brian Fuller
    February 17, 2013

    Is THAT who was behind that DDOS! Those rascals! 

    (Thanks Rich, that was hilarious!)


  11. Brian Fuller
    February 17, 2013

    Rich, another winner! However, some of us here may not have redunandancy but we do have a French press, so when the lights and the bits go down, we'll still be good to the last drop. 

  12. Ashu001
    February 17, 2013


    In a way its quite funny.

    Most Companies today have such Plans with ROI and all the assorted Cost-Benefit Ratios.

    Its just that when it comes to implementation that Redundancy falls to the Back of the Spending(&Priority Queue).

    Saying I want Money for Backups is Simply not Sexy enough for most Organizations out there!



  13. Brian Fuller
    February 17, 2013

    Ashish, you quite correct. I remember many years ago, we as a company reacted to some major U.S. power outage by pulling together a company-wide contingency plan. It was probably the most detailed work in this area we'd ever done. 

    It was impressive. 

    The plan was completed and promptly forgotten. There was no annual review or ownership assigned to it. 

    Human nature. 


  14. t.alex
    February 18, 2013

    Yes this is so right. Your company email may be already sniffed by your competitor and you may not know it. 



  15. Ashu001
    February 18, 2013


    What did I tell you?

    If you work with the fact that in more ways than One ;your company is a representative of the Average Company in America it becomes pretty obvious how few companies have Robust and Resilient Disaster Recovery plans.

    It just does'nt get the importance it deserves.

    That's until Disaster strikes Of course!!!



  16. Jennifer Baljko
    February 18, 2013

    Prahakar – Agreed – what kind of protection is key. Maybe there's truth in Rich's link.. maybe Dr. Who would have some answers… at least his response would be entertaining 🙂

  17. Jennifer Baljko
    February 18, 2013

    Hospice, HM – being proactive and identifying threats are key. But I imagine that many teams of people could spend nearly all their time tracking all the different threats a company could face on a daily/weekly basis. Maybe that's not a bad thing either…

  18. Jennifer Baljko
    February 18, 2013

    I agree with Brian on this issue of redundancy. With all the info companies track, this data has to be somewhere, on some spreadsheet. But, I'm sure companies are not so willing to share some of this data. Why tell the hackers how much would be lost with an outage, why not keep people guessing?

  19. Jennifer Baljko
    February 18, 2013

    Ashish, Brian, t.alex – this is consistently a problem everywhere. Disater recovery plans are sitting in some file cabinet, and everyone scratches their head when their attacks, wonderingwhat happen. It seems, though, investing in this and seeing it all the way through to execution, with a team responsible for regular maintanence and updates, shouldn't be too hard to accomplish. It is 2013, not 1990 – we have tools and stuff to manage this, right?

  20. Ashu001
    February 18, 2013


    I will just reiterate what I said earlier to Brian.

    “Disaster Recovery is just not Sexy enough for most Organizations”



    So Funny but so true!!!!



    February 18, 2013

    I reckon a lot of high tech companies spend more time trying to innovate and stay ahead compared to protectng what IP they already have.  Now direct cyber attacks that result in theft of “cash” is a different matter handled normally by expensive insurance policies.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.