Hi All
Early bird
Security is with the user. They have to maintain the system well with frequent security updates and new protection methods. Security auditing is the best way to identify such loopholes, and they have to conduct such audits once in 6 months to measure the vulnerability.
Indeed, Jacob, security and privacy always begin with the user. In the same way that you lock your door for your home's security (otherwise any stranger can come into your private space), you need to protect your devices from anyone entering the system without authorization. Having the latest possible equipment as well as the latest upgraded software, and being extra careful where you download your applications from, are of paramount importance.
And if you have Apple products, never, ever download anything from third-party stores. The only way to keep your devices safe is downloading your apps from the AppleStore.
I'm glad to see the conversation has already begun! This is clearly a hot topic.
We should be getting started at 2PM PST sharp, as soon as our guests arrive. First, though, there are two housekeeping notes:
First, please make a copy of your post before hitting the “post” button – just in case. If the system “eats” one of your carefully crafted thoughts, please hit “Ctrl-Z” to recover it.
This will be a fun, fast, and friendly conversation, so please do not hold back with your comments or questions. There are no dumb questions and we value everyone's point of view.
Second, if you have problems posting, we suggest trying a different browser. IE9 is a popular choice, but we sometimes find Firefox, Chrome, or Safari work better.
Questions, theories, ideas, real world experiences and even friendly rants are welcome here.
As you arrive, please introduce yourself so we can offer words of welcome, and offer you a seat as well as a bit of EBN's famous virtual guacamole and chips.
Mmm guacamole.
Good afternoon, Tim Randall from Cramer-Krasselt. Hoping for a great dialogue!
I am interested in hearing the size of the problem and its reach.
Hi KDawson, glad you could make it! Pull up a chair. Guacamole and chips are on the table to your right. (Red, white and blue in honor of the just-passed Veterans Day in the US.)
Hi Tim, so glad you could make it! Feel free to throw questions or thoughts out–or just enjoy the guacamole!
We'll be starting in about five minutes
@tim, PwC came out recently with an in-depth report on this topic. You can find it here: http://www.pwc.com/en_US/us/increasing-it-effectiveness/publications/assets/2014-us-state-of-cybercrime.pdf
Hi, Hailey
Hi, Jim… thanks for stopping by. Pull up a chair. Can I offer you refreshment? We've got guacamole and red/white/blue corn tortilla chips.
Good afternoon. This is Drew Smith, CEO and founder of InfoArmor. I look forward to our discussion. And thank you Hailey. Data security is near and dear to my heart.
That is great, I will definitely look at it.
Hi Drew. You are right on time! Thanks so much for stopping by to talk about this important topic. Let's get started with getting the lay of the land: Are these threats real? Do electronics companies have to be particularly concerned?
Unfortunately, these threats are all too real. And yes, all companies need to be concerned, especially when they are in the business of sharing data with their vendor ecosystem.
Drew, with the supply chain so diverse globally, how can firms adequately prepare for the differences in protocols across their partners?
Are there particular data types that hackers are targeting? Is the profile of the hacker evolving?
Drew, do companies in the middle of the supply chain not get the attention when it comes to breaches simply because they aren't “consumer-facing”?
That's a great point and one of the larger problems facing companies with a broad, global reach. The key is being proactive when it comes to data security and adapting to a security framework that addresses both internal and external threats.
Well, there's the “Advanced Persistent Threat,” that one is pretty well known. And identified. And denied by China.
In research released in 2013, the Information Security Forum (ISF) found that, “of all the supply chain risks, information risk is the least well managed,” and that, “forty percent of the data-security breaches experienced by organizations arise from attacks on their suppliers.”
@hailey Bad actors (i.e. hackers) are interested in any data they can monetize…PII, healthcare, IP, pricing information, etc.
@Drew, and once you have the framework in place, how do you manage the task of ensuring that partners are adhering to it and doing appropriate training?
@jimc Absolutely. Just because it isn't newsworthy, doesn't mean it's not happening.
I know with risk management in general there has to be a triage process about which threats are most compelling. The same seems to be true with cybersecurity. Limited budgets and time and all that. How should organizations go about figuring out which suppliers and which systems to focus on?
JIMC, consumer-facing is an excellent point. Production and transportation are not as newsworthy as, say, a Home Depot.
Plus a lot of the threats are under the radar–with the newest malware, it is designed to go in, siphon off information for as long as possible, and with the really sophisticated programs to remove itself later or when it is detected. I've heard that problems can go on for months and years with the organization not even realizing it!
@hailey Setting up a framework is only the beginning of the marathon. The key is ongoing, real-time monitoring. Depending upon annual audits and self-assessments is simply not enough.
@Drew. Actually, after I posted my question I was on another window and saw an ISACA press release saying that even with all the attention to consumer-side breaches, consumers aren't changing their shopping habits. Maybe they are just so beaten down by the break-ins that they don't care any more. Could the same thing happen in the supply chain?
On the triage point, is there simply a dollar value that can be assigned?
BTW: another great research resource is the Verizon Data Breach report: http://www.verizonenterprise.com/DBIR/2014/
@hailey The focus should be on mission-critical information. That really depends upon the organization. For some, it might be product plans, for others pricing or cost data.
We talk a lot about the need for “layered protection”. What does that realistically mean today?
@jimc Data breaches are a reality. It is no longer if, but when. The stance a company takes regarding breaches within its supply chain is largely going to be dictated by how sensitive they deem the data impacted. The risk to consumers is nothing (they are made whole) relative to a business.
@Tim, I talked to a guy the other day who argued vehemently against the dollar valuation approach. He had an example where the unavailability of a $2 part cost the company millions. I wonder if there is a cyberthreat equivalent. Perhaps the biggest-dollar suppliers aren't necessarily the ones that would give a bad actor a door into the organization.
One of our early bird users asked about audits–any specific advice on what should be included in a good audit or tips on how it should be done?
Do all supply chain breaches ultimately impact the individual? I.e., higher costs or stolen accounts or emails?
@hailey It is a lot like a 7 layer dip (keeping that virtual chips and salsa analogy going)…if the refried beans are breached, the guacamole often follows. Multi-layer means technology, training, procedures, audits and monitoring support one another. You are only as strong as your weakest link.
@hailey Audits are a good place to start. A good one includes risk and gap assessments followed by clear remediation efforts. Annual is the absolute minimum!
On the technology side, too, you have hardware, software, and firmware all providing points of entry. Networks, mobile devices, etc. Are there technology areas that often get overlooked?
@Hailey, that is interesting on the $ perspective for identifying threats
@hailey Another good point. BYOD (bring your own device), especially in the smart phone arena, can be challenging for a company to monitor. One has to weigh cost and convenience against greater security risk. The next frontier is cybercriminals focusing on our mobile devices.
Are suppliers and their regular customers open enough with each other about sharing information on their security strategies? About actual breaches?
@Drew And on the supply chain side, supply chain management, e-procurement and other apps, especially those in the warehouse and on the manufacturing floor, often use mobile devices. That's only going to get more pervasive.
@ALL…is there any correlation between Enterprise System supply chain breaches and non-Enterprise Systems?
Do you think information security is currently part of the average vendor/supplier agreement? Would adding language around corporate data security and incident response policy to this kind of agreement raise awareness? Compliance? What do you think?
@jimc That's a million dollar question. Many times a firm finds out about an incident far too late. The key is putting SLAs into contracts from the beginning to make sure security concerns are shared as quickly as other issues. We recommend incident management practices are developed before they are needed.
Got a question about training. People are often the biggest problem in cybersecurity. How do you get employees and supplier employees to really understand the threat to the point that they actually adhere to the systems in place, the procedures? Too often people try to get around them.
@trandallck, it seems to me that SC systems are closely integrated into the general enterprise. If hackers get access to one area it can spread. The hackers just follow the money, right?
@hailey If it is not already, it needs to be added. That is…language to address data security.
@Drew, I posted my question before I saw yours! Great minds, eh? You get to take home the virtual guacamole. 🙂
@drew, I think too it ought to be language added to every job description and perhaps mentioned regularly at meetings–too often awareness just fades into the background. Which brings us to Kdawson's question about training.
Is this so complex a problem that companies need to get outside help? What should they be looking for? Pen testers? Trainers? IT experts?
@kdawson Data security training needs to be ongoing and compelling, yet not an impediment to daily operations. It also needs to be easy to understand and practical. Signing an annual policy statement after a one hour review is not good enough. One walks a fine line, but its importance needs to come from the top.
@Alison, welcome to the conversational fray! Glad you could make it.
At InfoArmor, our data security team is the largest one in the company…as everyone is on it!
Thanks! I've been lurking!
I've heard that some companies test their vendors and employees…sort of a war games approach. Do you think that's helpful? Can the average organization manage it?
@ALL…with data so prevalent, will there actually be a decline in its utility and value for cyberthieves?
That corner office support really is critical.
@trandallck, I think the focus will be on combining data streams to create something even more valuable. Those hackers are getting smarter every day. 🙂
@alison You need complete company-wide buy-in to a security framework (for example ISO 27001). You also need one person responsible…a CSO, CTO, CEO or data steward. Whether or not you need external resources is dependent upon the type of exposure/risk you have and size/complexity of the organization.
@Hailey, so this eventually becomes a Big Data issue as opposed to individual accounts?
@Drew, has your company ever been targeted that you know of? I know some cyberthieves think it's a feather in the cap to hit a security company.
@trandallck, exactly. Small data being morphed into big data.
@hailey We've tried the war game approach and it can be an interesting part of ongoing training. Unfortunately, it can be like standing with a carrot in one hand and a bat in the other. We want people to be willing to admit concerns or possible incidents, not hide them. If you are testing your vendors, you need a predefined agreement to do so. I would suggest the same with employees.
Do you think there are threats at the back end of the manufacturing chain? It was suggested to me that malware, for example, might get loaded onto consumer electronics products during manufacturing by a hacker that got into the system. That would be a terrible black eye for an electronics company.
@trandall This does not appear to be the case. As more and more data is available, the opportunity is only growing…exponentially.
@Drew, I talked to one pen tester who dropped a handful of USB drives in the parking lot of the DOD (Department of Defense) and at least four people picked them up and plugged them in. I bet those people left feeling kind of bad… but it was a potent lesson. I do think that you want people to feel good about making a report, though.
@hailey All companies are targets every day. We see targeted threats directed at InfoArmor just like any other organization that monitors it. Good question.
So we're hitting the 40-minute mark. Let's take a look at the future. What do you see on the horizon? How will the threat landscape evolve? How will organizations need to evolve to meet those changes? (I know these are huge questions! 🙂 )
@hailey Absolutely. We know for a fact that USB sticks have contained malware placed on them during manufacture. It is not at all unimaginable to envision this impacting all types of consumer goods.
@hailey The future…more and more devices available on the public Internet exponentially increase the attack surface.
@ALL…on the question of the future, will large organizations be at the most risk?
@hailey We really don't know yet what that means for organizations. We just need to stay focused on emerging threats so we will hopefully be able to stay just ahead of the ever-increasing sophistication of global bad actors.
@trandall Not necessarily. It depends where the opportunity lies. Target was breached due to one of their HVAC vendors. Not a large company at all, yet it impacted millions of consumers.
Thank you for being our guest today…this has been a really useful conversation. A little daunting…but useful. 🙂 I hope you'll come again!
Thank you. I'm always happy to participate.
I hope the information was useful.
@trandall, in the electronics world, I'd argue that small organizations often are the innovators and so would have valuable IP–and a lot fewer resources to protect it. Couple that with the reality that there are simply more of them…I'd have to argue that small organizations are more at risk, but large companies have a higher profile.
Thank you all, EBNers. I appreciate the great questions! I'm sure we'll continue to explore this in depth!
Great material!
And if anyone wants to learn more about Drew and his organization, take a look here: http://infoarmor.com/about-us/