Are Supply Chains Taking IT Security Seriously Enough?

Nov 2 2015, 9:54 AM5 min read

The IRS, the CIA, Sony Pictures, TalkTalk, Kaspersky – what do all of these organisations have in common?

If you said that they have all been victims of cyber attacks during 2015, you would be right. With each high-profile incident, the profile of IT security and cyber crime is raised further.

For procurement and supply chain, this is something that needs to be considered, but is it being taken seriously enough?

Supply Chain Security

A recent poll carried out at IP Expo Europe by cyber security firm Tripwire, revealed a startling statistic when it came to IT security. Nearly a fifth of respondents to the poll said they would be prepared to use IT suppliers who do not meet their IT security standards.

Additionally, nearly half of the respondents (47 per cent) admitted that they currently do not carry out audits before working with suppliers, although 23 per cent did say they were planning on introducing this in the near future.

This is not a new issue, as this 2013 article highlights. So why, in 2015, are so many organisations not taking this issue seriously? With brand, reputation and share price at risk, not to mention potential regulatory fines, what should organisations be doing?

As simple as it seems?

While these statistics do not exactly paint a rosy picture, the truth is that the reality is not as simple as it might seem. One of the victims of a hack this year was Kaspersky, an Internet security and anti-virus software organisation.

Symantec, a global provider of Cloud, mobile and virtual security, was held to account by Google this month for issuing fake security certification for websites. These certificates could be used to intercept and subvert SSL/TLS protected traffic, which underpins e-commerce, banking, government and other important services.

Following two audits, Symantec has uncovered an incredible 2458 certificates for unregistered domain names, and Google has demanded an explanation and resolution to the issue.

Even the US Senate, taking action to pass a version of the Cybersecurity Information Act (CISA) that allows companies to share any and all information about their user base with the Department of Homeland Security, has come in for criticism.

John McAfee, founder of the IT security and anti-virus software company that bears his name, points out that while this Act helps the cyber security fight within the US, it doesn’t help with attacks from foreign soil, where the majority of the US hacks in 2015 are believed to have originated from.

What’s to be done?

If you weren’t already aware, the UK Government released new training in June this year to help procurement professionals stay safe online. The training is free and can be accessed via CIPS.

The Chartered Management Institute has also offered these tips to business leaders, which can be implemented in every organisation:

Understand the potential threats – review any internal and external vulnerabilities in business web systems, such as any easy entry points for hackers
Integrate cyber security policy within corporate culture – security policies must permeate throughout every process and decision with a company. This includes audits of suppliers.
Practice an incident response plan – have a ‘go-to’ plan of action for responding to a cyber incident

Good IT security comes down to good education, not only employees, but also stakeholders and suppliers, as well as good communication. Equally, one of the best ways to beat the cyber threat is by collaboration – with governments, regulators and even rival companies.

If organisations put their differences to one side and work together, there may be light at the end of the tunnel yet.

We’ll leave the last word to Jeh Johnson, the United States Secretary of Homeland Security – “Cyber security is a shared responsibility and it boils down to this: in cyber security, the more systems we secure, the safer we all are.”

Do you work in IT procurement? Do you have any good tips that you could share with your fellow professionals? Let Procurious know and we can spread the word.

We’ve scoured our sources to come up with the key headlines in procurement and supply chain this week…enjoy!

Boerum Showcases Supply Chain Transparency

Boerum Apparel, a clothing company based in Brooklyn, has released a sweatshirt which shows off its entire supply chain
Each garment’s journey from plant or animal to the finished product is is written on its label, and includes where the raw materials were sourced and where it was turned into a sweater
The organisation is working hard on its “radical transparency” programme, and hopes that it will lead others to follow suit
You can get more information by search for the Twitter hashtag #knowyoursources

More at Treehugger.com

Toyota Breaks with Supply Chain Tradition

Japanese car manufacturer Toyota launched its new Corolla model this year, but departed from their traditional supply chain process of keiretsu
For the first time, Toyota chose to source a key component, a crash prevention system, from German manufacturer, AG Continental, rather than a Japanese-based firm
The decision is regarded as a symbol of Japan’s automotive suppliers falling behind the rest of the world when it comes to cutting-edge technology
Toyota plans to keep its keiretsu, but wants suppliers to be more globally successful and spend more on technological development