The list of highly visible companies that are hitting the headlines for having fallen to cyber attacks grows daily: Target, Home Depot, JPMorgan, Apple, and even the United States Post Office. OEMs and their supply chains are being targeted as well. The only difference is that it hasn't hit the headlines yet.
“The challenge when you look at supply chains, with so much data being transferred back and forth, you always have to be looking for the Trojan horse that is being used to get in and wreak havoc,” said Drew Smith, founder and CEO at InfoArmor, which sells corporate data, identity, and privacy protection services, in an interview with EBN. “The way that breaches for data incidences occur in the supply chain arena means that they are less newsworthy and can go undetected longer.”
In the electronics industry, OEMs, CMs, and component makers make lucrative targets for bad actors that range from hackers doing governmental espionage to cyber criminals selling their abilities as a do-it-yourself hacker service. “Unfortunately, many organizations have the mentality that it can never happen to them,” said Smith.
However, if a breach does occur, the potential costs are huge. Far-reaching consequences include loss of proprietary and confidential information, harm to the corporate brand, systems disruption, loss of revenue, and loss of customers, according to PricewaterhouseCoopers' “2014 US State of Cybercrime Survey.”
Most supply execs are aware of the issue but don't know what to do. “Organizations are stifled by security anxiety,” Mike Kirschner, vice president of sales at InfoArmor, told EBN. “No matter how much money they throw at the problem, the question always remains: Has it been enough?”
As with any risk analysis, supply chain organizations need to consider their risk tolerance and work toward doing enough to mitigate the risk. “Identify critical paths that represent the highest risk,” said Kirschner. “There are limited resources in every organization, and there has to be a prioritization process.”
Further, a multilayered approach that includes technology, people, and processes is critical, said Kirschner. “Then there's pen testing, security assessment, and constant evaluations.”
As with any IT decision, organizations must consider whether to take a make-it or buy-it approach. “You have this tradeoff between simplicity, between buying pre-packaged packages or moving to cloud-based services versus building it yourself and the investment it takes to build it and put it in place,” Kirschner told us.
Further, organizations need to take a continuous improvement approach. “It's really a marathon, not a sprint,” said Smith. “So many folks want to complete the project and check the box.”
We'll be chatting live with Drew Smith about the reality of today's threat landscape and what supply chain organizations can do about it. Join us on Wednesday, November 12, at 2:00 p.m. EST/ 11:00 a.m. PST in the EBN chat area. Come by with questions, comments, and thoughts about cyber security as we tackle this increasingly critical topic.
— Hailey Lynne McKeefry, Editor in Chief, EBN