Risky Business: Cybersecurity And Supply Chain Management


The best supply chain software solutions are designed to support "mobility as a work style." If they're not, then chances are they're quickly losing competitive ground. With that in mind, last week's news that 600 million Samsung Galaxy phones were discovered to have a major security flaw is more than a bit unsettling. According to the cyber-security firm NowSecure, the Samsung flaw originated with one of its software suppliers. It turns out that this particular supplier provides Samsung with its basic keyboard functionality. That's all.

Remember the Target breach? It resulted in exposing the personal data of 70 million customers, including their credit card information. In that case, the attackers began by going after one of Target's vendors, an HVAC company.

And also last week, although it doesn’t seem to be getting the news coverage it deserves, the federal government discovered that China has likely hacked the Office of Personnel Management (OPM), stealing highly sensitive personal information covering more than 4 million former, current and prospective U.S. government workers.

Are there some common denominators at fault? The truth is, most security breaches originate from within. In other words, they are not only the result of not having the right technology-based defenses; they are the result of poor internal security policy and/or lack of compliance with the controls that employers have put in place. Many occur due to simple oversights, like laptops that are taken home for weekends, laptops that should probably never leave the building. But an increasing number of successful hacks are being traced to supply chains. We now live in a world where almost every supplier of products and services is expected to conduct business electronically. And worse, the systems that clear the transactions of day-to-day business are fully integrated with corporate Enterprise Resource Planning (ERP) systems, the keys to the kingdom.

Not to overstate it, but there’s a lot of truth to the idea that networked models of security “are only as strong as the weakest link.” And because big business will continue to outsource and pursue new markets of customers and supply, the scope of the problem is exploding.

"Companies in almost every industry are more reliant than ever upon their vendors, and particularly those in their supply chain. The demand for constant online communication creates enormous opportunities for hackers to exploit weak vendor security practices as a point of entry into their ultimate target," said Steve Bridges, senior vice president at JLT Specialty, an insurance broker specializing in cyber insurance. "Both the buyer and the vendor have issues here. The buyer now needs to somehow ensure that all of its vendors are secure, as those vendors face liability issues from their customers should a breach be traced to their failure." And while a cyber-attack aimed at stealing employee or customer data remains the most talked-about risk, attacks designed to deny or disrupt service are also gaining in popularity. "These attacks can jeopardize production and delivery schedules and cause delays that can have rippling impacts upon their customers and their customers' customers," added Bridges.

Clearly, a company's roster of approved vendors must meet basic network security standards. But if a vendor can't meet the required thresholds, there's no need to panic. Bringing a system up to speed or replacing something that's obviously missing is easier than discovering that a supplier who appeared to have its act together clearly didn't. Network security, especially in a supply chain context, is a team effort that requires not only constant vigilance but a community-oriented, proactive mindset. Put another way, everyone needs to realize that the weakest link in the chain is going to change. These days, it seems almost silly to point out that among the first, most basic and effective steps a community of networked companies can enforce is strong system-to-system authentication. "Corporate usernames and passwords are highly coveted by hackers," said Darren Guccione, CEO and Co-Founder of Keeper Security, Inc., a password management and secure file storage provider. "Once they attain an employee's password they can infiltrate the entire company's system and lurk there for days, weeks or even months without being detected."

A network security expert once told me that "the only foolproof and guaranteed solution to not getting hacked is to unplug," but that isn't going to happen. So the next best alternative is to apply the latest and greatest network security technologies with the understanding that they are a beginning, not an end. The promise under which most of these solutions are sold is that they won't stop you from being hacked, but at least you'll know when it's happening. That's the world we live in. Of equal importance is the rigorous enforcement of an enlightened and continuously updated security policy. In fact, many industry experts would argue that, assuming reasonable technology-based defense solutions are in place, this is where business gets its biggest bang for the buck on a percentage basis.