“Data breach” is a phrase that is becoming all too common in today’s world. From Target and Sony to the Office of Personnel Management, there has been no shortage of news relating to high-profile data breaches. In 2014, the New York Times devoted more than 700 articles to covering data breaches. This is up significantly from only 125 articles in 2013.
Large companies aren’t the only companies at risk. Small and medium-sized companies are becoming prime targets for hackers. These companies typically have a small technology staff, which is more focused on helping the company grow and maintaining the existing technology environment than on addressing security concerns and weaknesses. Vast quantities of time and money are spent supporting the internal network infrastructure and applications, making it difficult to apply the same level of resources to security in the supply chain.
Regardless of company size, companies have had no choice but to become sprawling networks of interconnected devices and third parties, which adds to the number of potential avenues a hacker has to gain access to their network. Furthermore, the systems that handle transactions in the supply chain are most often fully integrated into the Enterprise Resource Planning (ERP) system. Spend a few minutes drawing out your own supply chain, and you’ll quickly realize how complex it is. It might surprise you who you’re trusting with your data. Today’s supply chain risk isn’t limited to physical assets; it’s a mix of digital and physical.
If you were to search for the cost of the Target breach online, you would find numerous articles and analyses estimating the cost at greater than $150 million. This breach is a textbook example of a breakdown in the supply chain, as the breach occurred as a result of a vulnerability in Target’s HVAC vendor. Now think about your own company: what makes you confident your supply chain is secure? Furthermore, do you have a clear understanding of how business partners are connecting to your network and to whom they are connected?
Companies that avoid security in the supply chain are putting future revenues, as well as the reputation of the company, at risk. Strengthening the security around the supply chain could provide an advantage in the marketplace as more companies start requesting security information from their business partners. Conversations with customers, vendors and other business partners around security are going to become more common in the sales process. Consider the recommendations below as you assess the state of your supply chain:
- Conduct a risk assessment to understand where vulnerabilities exist
- Prioritize your key supply chain relationships by type of data being passed or managed
- Implement multi-level authentication and automated alerts for unauthorized access
- Review user access levels for business need
- Hold lunch-and-learn sessions for employee awareness training
Barnes Dennig helps organizations across multiple industries with their information systems risk management. This includes Service Organization Controls, IT audits, PCI-DSS, HIPAA and OCC third-party vendor management. Contact Bryan Gayhart via email, or by calling (513) 241-8313 if you would like to discuss how security measures within your supply chain are currently organized.