Supply Chain’s Information ‘Black Hole’

We worry about hackers infiltrating the supply chain and causing mayhem, but what about our customers and suppliers?

That's the gist of a new report, out today (April 9), that warns of an information “black hole” that forms inside the supply chain.

“Supply chains are inherently insecure and organizations create unintended information risk when sharing information with their suppliers,” says Michael de Crespigny, chief executive of the Information Security Forum.

He added:

There is a “black hole” of undefined supply chain information risk in many organizations – they understand and manage this risk internally but have difficulty identifying and managing this risk across their hundreds or thousands of suppliers.

Blissfully Unaware

Nearly half of company information breaches come from the company's supply chain, where more vigilance and tighter processes are required.


How bad is the problem? De Crespigny cites a report from the Ponemon Institute that found 41 percent of information breaches that harm companies start within their supply chains. When Canadian mining concern Potash was a takeover target in 2010, hackers based in China reportedly broke into law firms, financial institutions, and public-relations agencies to gain insight into the company's negotiation strategy.

A model system

De Crespigny, in an interview before the report was released, told me that a model for improving information security within the supply chain is the banking system. Inspection teams spend time inside banks and run independent examinations, and personally identifiable information is subject to disclosure rules.

He held up the aerospace industry as another good example: Suppliers collaborate, not only on the design and construction of an aircraft, but on the information chain as well, using the Transglobal Secure Collaboration Program, he told me. “The standards they use embed tight security, tighter than you generally see in the business community.”

He says a tighter information chain requires a cultural shift within companies to collaborate in a different manner with customers and suppliers:

The key thing is that information security can't do this on their own. They need to work with procurement and vendor management, as part of the normal vendor-management cycle. Organizations have to almost template the approach.

What do you think? Does this come as a surprise to you? What types of information-security processes does your company have in place to keep a lid on valuable information?

3 comments on “Supply Chain’s Information ‘Black Hole’”

  1. _hm
    April 9, 2013

    Espionage may be omnipresent, at all places in the world. Some countries do commercial espionage, e.g. China, but other countries are equally active in this field, e.g. the USA. There are many ways of espionage; the easy way is a company employee. It may be very difficult to prevent this. It can be reduced if it is published to only very few relevant people.

  2. Eldredge
    April 11, 2013

    Breaches of information through the supply chain do not come as a surprise at all. The more widely that valuable information is distributed to engage in business, the greater the opportunity for information to be misused.

  3. SP
    April 11, 2013

    Won't they sign some legal documents like an NDA or something else before getting into supplier contracts? In the US, breach of an NDA is taken very seriously.
