… if you forget to lock the digital back door!
As Tim Garcia pointed out in a recent article over on Manufacturing Business Technology, “In Securing Your Supply Chain, Don’t Forget To Lock The Back Door”, because up to half of all reported company data breaches slip in through unguarded digital back doors. Just because you take all of the security precautions that are possible with your own network, this doesn’t mean that you can account for the practices of other companies your enterprise interacts with on a daily basis though digital backdoors that could be contained in every piece of enterprise technology that you use.
So what should you do? For starters, follow the advice in Tim’s article.
- Use up-to-date anti-virus and monitoring systems on all inbound and outbound connections.
Whether it is between business systems at different locations, your SaaS and cloud providers, or third parties — protect all data links. - Restrict all sensitive digital communications and transactions to secure, monitored, channels.
Don’t allow sensitive data or monetary transactions to flow over unapproved, unsecured channels for any reason. - Analyze every nook and cranny in your digital supply chain for vulnerability.
Thieves and competitors will find the one digital pathway you miss or ignore in your vulnerability assessment. - Communicate the Security Procedures and Protocols
Make sure the entire C-Suite is aware, approves, and communicates them downward. - Have a Recovery Plan
Despite you best efforts, it only takes one newly discovered zero-day exploit or one employee who forgets to encrypt some critical data for thieves and spies to break into your network, steal your data (and your customers’ data), and put you in a bind. Have a plan to deal with the worst-case scenario as soon as it happens to minimize the losses to your bank account and your corporate reputation.
In addition, SI recommends
- Have harsh penalties for (repeat) offenders who do not follow the procedures.
Just like some employees will continue to buy off-contract unless you have harsh penalties in place to curb this behaviour (such as no reimbursement without an approved PO signed by their supervisor and a Procurement executive, write-ups that negatively impact their performance review and maximum bonus, etc.), some employees will take shortcuts if they think its easier or quicker to do so or the security procedures are overkill. - Look for systems where you can control the distribution of data seen by your suppliers.
If the only way to restrict the data that is viewable by a user logged into one of your systems is to export it to Excel or PDF, and this is the primary mechanism used to share data with your suppliers, even if it’s sent encrypted, once the supplier decrypts it – you have no control. If, on the other hand, the system implements fine-grained security and you can create customized supplier views and restrict data exports, this limits what the supplier sees and its options for sharing that data. It’s even better if the supplier can create customized sub-views for the data it needs to share with one of its suppliers working on a part of the component it is building for you. Even though the military often goes crazy with its security measures (as anything on the public internet is not “protected” just because you print it off and put it in a binder), they have the right idea — sensitive data that is sent outside the four walls of the organization should be restricted to what is need to know.