Digital supply chains can leave sensitive data vulnerable to hackers
The digitization of the supply chain is creating new risks to intellectual property and national security.
Separate data breaches involving the U.S. Air Force’s MQ-9 Reaper drone, the U.S. Navy’s Sea Dragon submarine project, and corporate documents from the automakers Tesla, Toyota, and Volkswagen all have one thing in common: each was the result of a successful cyberattack against a third party (a subcontractor or supplier) rather than against the intellectual property owner.
It is the nature of large enterprises like the U.S. Navy or Toyota to use small businesses for a variety of services, ranging from public relations to the design of highly sophisticated electronics. While the sensitivity of the confidential information is constant, the ability of different businesses to keep that information confidential varies dramatically with the security controls, expertise and budget each business has in place.
The New Age of Supply Chain
The increasing productivity of collaborative technology has produced new business strategies and systems for supply chain management functions. This changing environment has created vast opportunities for logistics professionals and businesses to cut operational costs, improve integration techniques, streamline communications with suppliers and employees, and create more customer-oriented processes.
Many businesses are now switching from traditional supply chain systems to cloud-based, online systems to conduct logistical operations with their subcontractors and partners, ushering in a new age of digital supply chain. This switch from traditional to digital brings many positive prospects; however, it also brings a new set of risks relating to the handling of business and military intellectual property in the hands of subcontractors and other suppliers.
Questions that Need Confident Answers
Businesses must know where all of their data is located, whether in their own possession or in that of their suppliers; what would happen if it were stolen, lost, or destroyed; and what the suppliers who hold the data are doing to prevent a breach.
This is a daunting task, especially considering that the United States government has mandated that businesses handling federal data comply with all 110 requirements of the NIST 800-171 security standard. However, the damage caused by government data lost or stolen through a lack of proper security is far more concerning.
Businesses need to ask themselves, “Are our data security implementations enough? How at risk is our company data?” As more businesses move to digital supply chain techniques, these questions become even more important to answer, and to answer confidently. Further, this is a global issue that affects businesses and governments everywhere.
Increasing Regulatory Pressures
The U.S. Federal Government has mandated compliance with the NIST 800-171 security standard in an effort to enforce consistency among all subcontractors who do business with the civilian government or the Department of Defense (DoD) and have access to any Controlled Unclassified Information (CUI). However, agencies often use this security standard only as a compliance checklist rather than as an opportunity for continuous, risk-based improvement of their data security capability.
This variation in security capability creates opportunities for hackers to infiltrate and extract highly sensitive data at any point in the digital supply chain. While big-name companies have strong preventive measures and teams of highly trained data security personnel consistently monitoring for signs of data theft and misuse, the subcontractors and suppliers who have access to that same data may not. This weakens the security of the supply chain, for which the prime company is ultimately responsible, and in turn drastically increases the risk of a breach of sensitive data.
These recurring cyberattacks should serve as a wake-up call to both big-name companies and subcontractors in the defense and commercial industries to re-evaluate their data security capabilities. Regulations like ITAR, which governs how defense data must be stored, require that businesses involved in the design, manufacture or sale of defense technologies put in place controls that manage access rights to technical data, even when that data is shared with a different company.
Native permissions management in consumer-oriented collaboration and file sharing systems such as Dropbox and Office 365 is insufficient for ensuring that technical data cannot be accessed by those without approval. Rather, by ensuring that strict access management can be applied to protect each piece of data individually throughout the digital supply chain, businesses can take an important step toward reducing the risk of a damaging breach.