In 2013, Target experienced one of the largest known data breaches in the country. The breach resulted in 110 million stolen credit cards’ information and cost the company millions upon millions of dollars. The 19-day heist contributed to a 46 percent drop in year-over-year quarterly profits for the company, resulted in 100 lawsuits, and ultimately led to the resignation of Target’s then CEO Gregg Steinhafel, and its CIO, Beth Jacobs.
The attackers gained access to Target’s network through Fazio Mechanical Services, a third-party provider of heating, ventilation, and air conditioning services.
As more and more companies rely on third-party companies for services within their supply chain, they become increasingly vulnerable to network attacks and data breaches. With examples from Target to Android, data breaches are a growing concern for organizations, both small and large. It is no wonder that 30 percent of supply chain professionals are very concerned about a data breach.
To help your organization mitigate these risks, follow these steps today to secure your digital supply chain.
Step 1: Map your supply chain and identify where you have cybersecurity risk exposure
Laying out the players in the supply chain and where they are located will help you understand the scope and complexity of your supply chain. Including geographic locations will also help you decide if the location of certain suppliers presents a risk to your organization. When mapping the supply chain, keep in mind that you want to map the actual manufacturing locations for the components, and, in some cases, this may mean that you need to identify the contract manufacturer. Also, some items may be produced in multiple locations.
Once you have the supply chain mapped, you can identify the areas where there is a risk of counterfeit or compromised items entering the supply chain. To identify risk areas, look for
- locations in geographic areas known for counterfeit production or hacking activity;
- locations or transportation routes with inadequate physical, information, or personnel security;
- locations with inadequate procurement processes or known purchases from gray market suppliers; and
- products that use insufficiently tested software or outdated code.
Step 2: Focus your supplier pool by prequalifying suppliers that meet your risk management criteria
By focusing your suppliers, you can eliminate higher risk suppliers from the procurement and also maintain a cadre of suppliers that is a manageable size for collaboration. This will not only reduce the potential of having to work with a high risk supplier, but also increase the probability of success for other corrective actions. In cases that require high assurance, focusing the supply base can mean working exclusively with trusted suppliers who meet exacting criteria for quality and cybersecurity. Keep in mind that there is a tradeoff to focusing the supply base in the form of reduced competition and, as a result, potentially higher prices.
Step 3: Demand an adherence to operating standards
Standards bodies, such as the Open Group (Open Trusted Technology Provider Standard [O-TTPS]), International Organization for Standardization (ISO/IEC 27036—Information Technology—Security Techniques–Information Security for Supplier Relationships), and Software Assurance Forum for Excellence in Code (SAFECode) (Software Integrity Framework and Software Integrity Best Practices), provide standards that represent best practices for managing a secure supply chain. You should note that standards are a low-impact way of reducing risk because the practices are pre-defined. However, standards are designed to be general, and you may need to go beyond the standards practices to get the level of risk management you need.
At LMI, our supply chain experts comprehensively evaluate your supply chain to determine the drivers and requirements needed to ensure optimal functionality. We have the tools and unique methods to assess performance and devise strategies for delivering tangible, fast value.
“What drew me to LMI and has kept me here is the mission and the people. I was drawn to the company knowing the legacy that had been built in performing high-level analysis and delivering results. I was impressed (and continue to be) by the dedication and acumen that the LMI team can bring to virtually any problem in the government space.”