A few weeks back, I sat in on a fascinating (and downright scary) presentation at ProcureCon by MacDonnell Ulsch (Don), President & Chief Risk Analyst, ZeroPoint Risk Research, LLC. Don is one of the world's top experts on intellectual property and cyber security. In the spirit of hopefully encouraging Spend Matters readers to pay more attention to the supply risk and intellectual property (IP) theft we face through weaknesses in our IT and supply chain systems, I'll share some of my notes from his discussion.
Don began by talking through his research and practice around the surprising range of sources the cyber security threat comes from (not all of which we might be considering in terms of supply risk). These include terrorists, drug cartels, organized crime, protest groups and nation state espionage (e.g., China). From these sources and others, one of the biggest risks in our global supply chain is the ability of criminals to plant malicious software in our networks. This has the potential to result in:
- Installation of counterfeit hardware, software and malicious logic
- Failure or disruption in the production or distribution of a critical product or service
- Reliance on a malicious or unqualified service provider for the performance of technical services
- Installation of unintentional vulnerabilities in hardware and software
We might look at this from a procurement and supply chain angle and believe our systems are secure. But are they, especially when our suppliers have access to information ranging from emails to design drawings to site audit documents? If your company:
- Allows employees (and suppliers) to bring their own devices (BYOD, an iPhone over a corporate BlackBerry, for example)
- Allows social media to be used for anything work related
- Has inefficient usage policies
- Runs systems without strong security
- Has deficient third party controls (according to Don, if your company is going to sustain a breach, there is a two-thirds chance that it will originate with one of your third parties, including suppliers)
- Has weak FCPA (Foreign Corrupt Practices Act) management
- Does not know the foreign country transparency ratings of its suppliers
... then it is potentially at serious supply chain risk.
Stay tuned as our analysis continues.