We worry about hackers infiltrating the supply chain and causing mayhem, but what about our customers and suppliers?
That's the gist of a new report, out today (April 9), that warns of an information “black hole” that forms inside the supply chain.
“Supply chains are inherently insecure and organizations create unintended information risk when sharing information with their suppliers,” says Michael de Crespigny, chief executive of the Information Security Forum.
There is a “black hole” of undefined supply chain information risk in many organizations – they understand and manage this risk internally but have difficulty identifying and managing this risk across their hundreds or thousands of suppliers.
supply chain, where more vigilance and tighter processes are required.
How bad is the problem? De Crespigny cites a Ponemon Institute report that found 41 percent of the information breaches that harm companies originate within their supply chains. When the Canadian mining concern Potash was a takeover target in 2009, attackers attributed to China reportedly broke into law firms, financial institutions, and public-relations agencies to gain insight into the company's negotiation strategy, targeting the third parties rather than the company itself.
A model system
De Crespigny, in an interview before the report was released, told me that a model for improving information security within the supply chain is the banking system. Inspection teams spend time inside banks and run independent examinations, and personally identifiable information is subject to disclosure rules.
He held up the aerospace industry as another good example: Suppliers collaborate, not only on the design and construction of an aircraft, but on the information chain as well, using the Transglobal Secure Collaboration Program, he told me. “The standards they use embed tight security, tighter than you generally see in the business community.”
He says a tighter information chain requires a cultural shift within companies to collaborate in a different manner with customers and suppliers:
The key thing is that information security can't do this on their own. They need to work with procurement and vendor management, as part of the normal vendor-management cycle. Organizations have to almost template the approach.
What do you think? Does this come as a surprise to you? What types of information-security processes does your company have in place to keep a lid on valuable information?