In Securing Your Supply Chain, Don’t Forget To Lock The Back Door

By Tim Garcia, 11/22/2013

Over time, business has gotten a lot smarter when it comes to protecting enterprise technology from the hackers and viruses that are constantly fighting to get in.

At the same time, though, we sometimes forget to account for a key vulnerability in the security perimeter — the many data links maintained with suppliers and service providers. The oversight is potentially serious.

After all, your company might take all the security precautions possible with your own network. However, you can never account for the practices of the dozens or hundreds of other companies your enterprise interacts with on a daily basis through digital backdoors such as your e-procurement software.

And don’t forget that all those vendors also do business with dozens or hundreds of other businesses. It’s like that old shampoo commercial: You tell two people, and they tell two people, and so on, and so on. The point being that, in the digital world, you’re vulnerable to the poor security habits of those around you.

Don’t Forget to Lock the Back Door

Up to half of all reported company data breaches slip in through unguarded digital back doors. And as the number of third-party vendors you deal with via procurement software goes up, your risk rises exponentially.

Lax procedures that fail to protect critical data leave businesses vulnerable to attacks that threaten customers and damage brands. The threat also can compromise operational processes, including your supply chain.

There are some obvious steps to guard against security threats coming through the supply side of the operation. Most obvious, and basic, is the use of up-to-date anti-virus software and monitoring systems on all data connections and pathways between the business and its vendors, suppliers and service providers.

But businesses can build another solid layer of protection by restricting all digital communications and transactions between the business and its third-party vendors to a secure, easy-to-monitor digital channel.

Here are some other steps companies can follow to avoid common pitfalls:

Analyze every nook and cranny in your supply chain for vulnerability. Conduct a comprehensive analysis in which each node and component of the supply chain is thoroughly examined. Most companies are well aware of this already, but your supply chain management system should be part of your overall cyber security assessment.

Communicate throughout your organization. Surveys have shown that fragmented or one-off communication between your IT staff and supply chain team can lead to trouble. Take steps to be sure your chief information officer, chief risk officer and procurement officer are in tight contact.

Tap the government as a resource. While one company’s supply chain might not be the government’s top priority, its focus on infrastructure from a cyber risk perspective certainly dovetails with corporate interests. One useful resource is a program between the Department of Homeland Security’s Office of Cyber Security & Communications and the National Institute of Standards and Technology. They’re developing a voluntary set of cyber security standards and best practices for critical infrastructure.

Ensure you have the visibility to recover. In a recent study, 68 percent of companies said they understood their cyber risks. Most of them said they had programs in place to protect themselves. However, nearly two-thirds of companies had a security incident in the past year. The lesson here: Try though you might to avoid an attack, you could get hit anyway. The only effective insurance is to maintain total organizational visibility and a plan you can enact in a worst-case scenario. Make sure your supply chain management solution gives you that visibility.

Today’s cloud-based solutions for digital vendor communications provide total data management and communication transparency to both the business buying the wholesale products or services and the vendors of those goods and services.

They also dramatically reduce errors when compared with conventional phone- or internet-based order/fulfillment channels, and they dramatically speed up the invoicing and payment process.