According to Don, knowing what countries you operate in and their relative cyber and supply chain security is key. New Zealand is the safest country. The US is only 24th. Knowing where risk is located can form the basis of a strategy. Beyond this, Don suggests there are a number of emerging influences disrupting the supply chain. These include: social media, security gaps (physical security vs. electronic security), mobile devices (a huge risk), third parties (especially suppliers), organized crime (targeting our operations as well as supplier operations), nation-states (read: China) and a lack of general awareness among employees and suppliers.
A lack of awareness around issues is negligence, at least by insurance standards. Even if you have cyber security insurance policies, those companies who do not enforce basic controls and standards may still be on the hook. The proliferation of mobile devices (estimated to be 25 billion in 2015 and 50 billion in 2020) is a key issue. Don suggests that every device represents risk when an employee uses it to conduct work – and this goes for our suppliers' use of devices as well, anytime it involves accessing information relevant to our operations. Consider that:
- 25% of Americans use their mobile devices (for work)
- 120,000 devices were left in Chicago taxis last year
- 800,000 mobile devices were stolen in 2010
- 12,000 laptops are stolen every week at US airports
- 850,000 mobile devices were found in toilets in the UK (this citation was reported by an insurance company)
Add to this that 87% of SMBs (quite often our suppliers!) have no policies regarding use of personal devices and that 80% of professionals (sometimes) work remotely. Moreover, our employees (and our suppliers' employees) are able to download applications onto these devices without corporate IT permission. Yet few companies vet app developers, asking who they are, whether or not they've been vetted/verified, etc. Some are cyber criminals and represent a real threat to our operations and our suppliers. Yet not enough corporate BYOD policies address apps on mobile devices. And the smaller you get in the corporate food chain with suppliers, the more likely this supply chain risk black hole is to present itself.
Stay tuned as our analysis continues.