When we hire consultants, we expect them to have a driver’s license or know how to use public transportation. We may ask for credentials on education, previous employment and perhaps specific skills like inventory management or cloud computing. Yet, when it comes to dealing with vast amounts of data or roaming the “highway” of the internet, companies usually do not ask for a license of any sort.
Red alert! In December 2020, FireEye (now Mandiant) published a report about a so-called supply chain attack, but it is not what some of you might think.
Back in “the old days” a supply chain was merely associated with storage and transportation of physical materials. So, in those days a supply chain attack would be interpreted as cargo theft or a truck robbery. Of course, at Gordian we also get all warm and fuzzy when we think of supply chains. Especially when it comes to service logistics or spare parts inventory planning.
As the capabilities of information and communication systems grew, so did the world’s dependence on them. The 2020 attack was carried out through a routine update of a widely used IT management product (SolarWinds Orion). The attackers tampered with the vendor’s build process, so the malicious update was signed with the vendor’s own certificate and looked legitimate to every customer who installed it; checking the signature would not have revealed anything wrong. It meant that not only the vendor was compromised, but potentially every system that ran the software “downstream” at customer sites, including the security company that eventually discovered the breach. We call this a “supply chain attack” because the software supply chain itself was the attack vector and the effects propagated along it.
The above example clearly shows that we need to expand our thinking about risk beyond physical aspects such as stock availability and the supply of parts from a supplier. But where to start? Here are three ideas to get the blood flowing.
1: Assume you’ve been hacked already
Traditionally, IT protection has focused on keeping attackers out. But growing system complexity and higher rewards for successful attacks make that approach increasingly hard to sustain on its own. Instead, when designing your security measures, assume the intruder is already there, roaming your network. This is easier said than done: it requires accepting that your perimeter may already have failed. In practice it means segmenting networks so that one compromised system cannot reach everything, giving each account and service only the access it needs, logging and watching outbound traffic for unexpected destinations, and rehearsing how you would detect and contain an intruder. Admitting the possibility also creates the opportunity to take measures now that would otherwise only see the light of day after things go wrong.
2: Stay alert, stay aware
Make sure everyone in your company is aware of information security risks, what they can do to prevent data leaks, and what to do in case of an incident. We would never cross a road blindfolded just because “usually there is no car”. Yet we click on links in emails or reply to them without checking who actually sent them. So, accidents are bound to happen.
3: Identify weak links in your (software supply) chain
Software supply chain attacks arrive through suppliers, and a chain is only as strong as its weakest link. This makes your company’s security dependent on the security of your main suppliers. You may be dealing with a wide variety of service suppliers, such as an IT management organization, an external marketing firm or (wink wink) a spare parts planning partner. By assessing the partners and suppliers with whom you share valuable information, or who deliver software and updates into your environment, you reduce risks that do not originate in your internal operation but are your risks nevertheless. Useful questions to ask: which suppliers have accounts or network access into your environment, which of them can push code or updates that run with high privileges, and what would you do if one of them announced a breach tomorrow? It makes no sense to put big locks on your front door and forget about the kitchen door in the process.
At Gordian and Lanza, we analyze large amounts of customer data. This information is usually relevant for service logistics operations such as spare parts planning. It is important that we take care of that data as if it were our own. As a supplier, we are regularly asked by customers how we deal with information security, and we, in turn, ask the same of our suppliers “upstream”. All of this is implemented as part of our ISO 27001 information security certification. It means continuously thinking about what new or existing risks there are and what we can do to manage them. How do you deal with your risks?