Recent statistics focusing on supply chains illustrate the growing importance of cybersecurity risk management.
In a presentation given by Jon Boyens, from the National Institute for Standards and Technology, at the RSA Conference in March 2016 entitled, “Integrating Cybersecurity into Supply Chain Risk Management,” the selected following data was provided:
- 80% of all info breaches originate in the supply chain
- 45% of all cyber breaches were attributed to past partners
- 72% of companies do NOT have full visibility into their supply chains
- 59% of companies do NOT have a process for assessing cybersecurity of third party providers with which they share data or networks
- 98% of manufacturers will experience a supply chain disruption in the next 2 years (80% for all firms)
In a February 2016 study by secure access solutions provider, Bomgar, survey results shed an interesting light on vendor vulnerability. Results from 608 IT professionals ranging from various key decision maker roles and representing multiple industries show:
- on average, 89 vendors are accessing a company’s network every single week
- 69% of respondents say they definitely or possibly suffered a security breach resulting from vendor access within the last year
- 74% believe that third-party vendor selection overlooks key risks, with 64% saying that their organization focuses more on cost than security when outsourcing
- 77% believe their company will experience a serious information breach within the next two years as a result of vendor activity on their network
In addition to statistics there is the sheer complexity associated with cybersecurity and procurement/supply chain. An American Scientist April 2016 article, “Cybersecurity Is Harder Than Building Bridges,” reveals why protecting the Internet and online computers from attack is a “difficult, messy problem.” One aspect is code complexity. “Each line of code in an operating system potentially contains errors that could be exploited to compromise security…even if software products are shipped with no known security flaws, backdoors and malicious code can be inserted somewhere along the supply chain.”
Where can a supply chain/procurement professional, or non-IT business professional who wants to learn and read about cybersecurity go for sources? Here is a list of selected resources to help start the education process.
CIPS – ELearning – Cyber Security for Procurement Professionals
This free, two-hour course is offered by UK’s GCHQ (Government Communications Headquarters) and BIS (Department for Business Innovation and Skills) with input from CIPS (Chartered Institute of Procurement & Supply). It will teach you how employees and organizations can mitigate against cyber threats and also the relevance of cybersecurity in the procurement and supply chain function and why it is so important to take this matter very seriously.
Computer Security Fundamentals, by Chuck Easttom, 3rd edition, June 21, 2016
This introduction to computer security covers all basic concepts, terminology, issues, and core topics, such as vulnerability assessment, virus attacks, hacking, spyware, network defense, passwords, firewalls, VPNs, and intrusion detection.
Cybersecurity for Executives: A Practical Guide 1st Edition, by Gregory J. Touhill and C. Joseph Touhill, 2014
The authors of this book contend that cybersecurity is not just about computer technology, but about risk management. “It is about protecting shareholders and their business, maintaining a competitive advantage, and protecting assets.” It will not make you a cybersecurity expert but “it will make you Cyber-Aware and able to manage the risks inherit in the Cyber Age.”
Cyber Security: An Introduction for Non-Technical Managers, by Jeremy Swinfen Green, September 2015.
The author states: “This book is not a ‘how to do’ book. Instead it tries to explain cyber security and the nature of cyber threats, including technical ones that tend to be scary because they are full of jargon (such as SQL injection, DDoS attacks, and zero day threats) in a way that board directors and non-technical managers, such as accountants, should be able to appreciate.”
Even though this publication is for security executives and enterprise security buyers, the articles are informative for all business professionals and are easy to read and digest. Navigation topics include News, Management, Physical (i.e. video surveillance), Cyber, Services, Sectors, Events, and Resources. Sectors of special interest include Ports (sea, land, and air), and Transportation/Supply Chain/Warehouse. Searching “supply chain” produces 440 articles.
Ten year-old Infosecurity Magazine provides news, feature articles, webinars and white papers for the information security industry. Topics covered that are interest: Data Protection, Big Data, Cybercrime, Data Protection, Human Factor, The Internet of Things, Internet Security, Managed Services, Network Security, Privacy, and Risk Management.
US-CERT responds to major incidents, analyzes threats, and exchanges critical cybersecurity information with trusted foreign governments. A computer security incident is defined by US-CERT and NIST as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Secure web forms for users to report incidents and submit malware artifacts for analysis are offered. After US-CERT analyzes incident information, specialists publish reports and bulletins via subscriptions that can be sent directly to your email inbox:
- Weekly Vulnerability Bulletins – contains a summary of new vulnerabilities documented in the U.S. National Vulnerability Database (NVD) the week prior, as well as patch information when available
- Technical Alerts – provides users with information about vulnerabilities, incidents, and trends that pose a significant risk, as well as mitigations to minimize loss of information and disruption of services
- Current Activity entries – contains a concise description of an issue and associated actions that a user can take to diminish exposure
- Tips – details issues with broad appeal to US-CERT’s constituents
Computer Security Resource Center
The Computer Security Resource Center (CSRC) provides access to information security tools and practices, is a resource for information security standards and guidelines, and identifies key security web resources to support users in industry, government, and academia. One resource of interest: The Framework for Improving Critical Infrastructure Cybersecurity helps owners and operators of critical infrastructure to manage cybersecurity-related risk.
ISO is an independent, non-governmental international organization that develops voluntary, consensus-based, International Standards. ISO/IEC 27032:2012 (Guidelines for cybersecurity) provides guidance for improving the state of Cybersecurity, and covers baseline security practices and provides a framework to enable stakeholders to collaborate on resolving Cybersecurity issues.
Brian Krebs is a former reporter for The Washington Post who covered the Internet and computer security space. KrebsOnSecurity is a highly respected source that reports on cybercrime and Internet security. Readers include financial services industry executives, as well as experts in technology and security.
Zero Day is ZDNet’s blog which stays on top of the latest in software/hardware security research, vulnerabilities, threats and computer attacks.
Dark Reading is InformationWeek’s offering and encompasses ten communities: Attacks & Breaches, Application Security, Cloud Security, Data Leaks & Insider Threats, Endpoint Security & Privacy, Mobile Security, Network & Perimeter Security, Risk Management & Compliance, Security Management & Analytics, and Vulnerabilities and Threats.