Spend Matters welcomes guest writer Ryder Daniels to our site. Ryder is CEO of Capsaicin LLC, and has significant experience in delivering truly state-of-the-art solutions across the spend analytics, supplier management, supply risk, e-sourcing, and performance management sectors. - Jason
Most of you have probably heard about the recent cyber attacks on Google and ~30 other companies, exposed through the "zero day" vulnerability in Microsoft Internet Explorer. The attack, one of the most involved and sophisticated in recent years, prompted the German and French governments to recommend that their citizens simply stop using Microsoft's browser. McAfee posted some useful information on the attack, which it dubbed "Operation Aurora."
Cyber attacks and computer viruses are certainly nothing new in the last 25 years, and are often sensationalized in both online and offline media. We're made to believe that, as Internet users, we're as vulnerable to the latest virus as a lone parent at a 3-year-old's birthday party who's run out of tissues. That is, of course, unless we've paid for the latest $29 "Virus-Avenger: 2010 Edition."
In recent years, "security breaches" have extended to the all-too-common issue of laptop theft in a mobile society. Even more sophisticated hacking has emerged, targeting consumers beyond the traditional software methods. Fake ATMs, for example, can steal your card number and PIN. In 2003, the Secret Service arrested a man who had installed 55 fake machines and collected 21,000 cards. Last year, a savvy customer found a fake ATM and took pictures -- in an actual Chase branch in Manhattan.
As with many publicized computer-virus threats, the basics of this latest attack are that, to become infected, you need to navigate to a specific website. You end up at the wrong end of town from an email link, or sometimes even an Internet search or a Facebook post. Some viruses only require that you open the email message itself, or its attachment. At home, most of our PCs come with a trial for one antivirus package or another. If you aren't using one today, Microsoft is shaking up the market a bit with a free tool for Windows called Microsoft Security Essentials, which has received some good reviews. Avast has been another good no-cost option for years.
The recent "Operation Aurora" cyber attacks are no joke. They are a sobering reminder that even leading technology companies like Google, and thus our data, are quite vulnerable. In the Spend Management community, antivirus and malware threats at work are managed by our internal IT departments. But what about our vendors? Traditionally, vendor security questionnaires, audits, and risk assessments are handled by IT. Sourcing and Finance departments often play a role in identifying "high risk" suppliers, and in some cases annual onsite visits, ethical hacking, and other preventative tools are used. These onsite solutions, sometimes involving third-party vendors, are expensive, which necessitates restricting them to just a few top suppliers. Like all areas of supplier risk, organizations tend to do the best job when they vet a supplier through a selection process. But what happens in year two? Year three?
Some basic questions begin to emerge with data security, and the list gets pretty long in a hurry: "Are my supplier's networks secure, and how do I know? How and where is my data stored? Do I even know all the data that's stored? Would my supply chain be interrupted if a network security breach occurred at one of my supplier's facilities? What brand and reputation risk would occur if one of our suppliers had to acknowledge a breach that impacted our data? Do I have strict, auditable network security guidelines in my agreements? Do my vendors allow their employees to have my data on a laptop that could be stolen? Do my vendors use third parties who store my data? Have any of our vendors reported a breach? What if a vendor just has PO details and pricing – does that need to be secure?"
Regulatory and legal changes are now requiring disclosure of potential data compromises that in the past were treated as more private matters. Organizations like Visa and MasterCard have had to perform more exhaustive audits and use technology to address these issues, but from the merchant side, especially for online merchants who want to accept credit cards. Outsourcing vendors, who often manage quite sensitive data, are usually held to the highest standards. But what about the others? Supplier managers in the future may need to play a stronger role in helping manage not only financial risk, but data-security risk as well. This will require stronger partnerships with IT, using today's technologies to manage data-security risk not as an ad-hoc "special" process, but at scale in the global economy.
I'll leave you with some questions to consider:
- What is your organization doing to help manage and understand your vendors' data security? Are there physical as well as technological controls?
- What percentage of vendors are you able to audit quarterly?
- How involved is your IT organization in the process?
- Are you using third parties to assist with vendor data-security assessments?
- Ryder Daniels