Securing the digital supply chain

Companies are open to attack from malicious rivals and other nations seeking to steal valuable data, but it is possible to secure your information with the right approach.

Companies worldwide are open to cyber-attack because of the potential for their supply chains to be penetrated by infiltrators trying to steal intellectual property (IP). Yet, with the right approach, there is plenty corporations can do to reduce their exposure.

It may seem like a distant or abstract threat, but the importance of securing your supply chain’s IT systems should not be downplayed, says Mark Anderson, US tech expert and Chief Executive of Strategic News Services.

According to Anderson, “backdoors” to gain access to host IT systems can be, and may well already have been, deliberately and widely inserted into microchips, which means compromised equipment could range from toasters to fighter planes. And he says the scale of the potential problem is greater than many firms acknowledge publicly.

In the most serious cases, failing to get a grip of this could be costly, he warns: “Companies will find themselves losing bids, losing M&A deals and seeing products with their own IP in them appearing for half the price in their own market.” Fortunately, there is much companies can do to protect themselves, but only if they understand what is required, says Dr. Emil Lupu, Associate Director with the Institute for Security Science and Technology.

Most corporations protect their systems by creating a virtual boundary they can defend and control, says Dr. Lupu, but they need to think more carefully about the problem. “Supply chains partially breach that boundary either because the systems of the company need to be integrated with the systems of the supplier, or because software products provided by the supplier are brought within the company’s IT systems.”

It is important to defend these potential weak points, says Dr. Lupu. “Many companies have not considered the vulnerability of their suppliers’ systems at the same level of importance as they would their suppliers’ quality control processes.”

An open and transparent approach to IT security in supply chain agreements, including provisions on how to notify, manage and respond to IT security incidents on either side, is advisable, he adds. Making cybersecurity a board-level responsibility that must be managed like any other business risk is also advisable, as is admitting that the problem exists in the first place.

Google’s response to 2009’s “Operation Aurora” hacking attack, which is thought to have originated in China, provides a corporate model for an honest and pragmatic response to cyber-attack, says Anderson. “Google stepped up and said it had happened and what had been taken: they deserve a medal for that.”

Anderson adds that it is, of course, much better to prevent attacks in the first place – and isolating key information within your system is the immediate step. “Identify your crown jewels – your IP – and unplug it,” he says. “Reduce the number of people who have access to it and increase your monitoring of those people.”

The article was written by:

  • Adam Hill

