firmed data breaches in the previous year at organizations in 61 countries.[2] And these are just the incidents that are reported; hundreds and perhaps thousands more, predominantly at small and medium-size businesses, go unreported.
The research indicates not only that the threat of cyberattacks is rising but also how insidious they can be. According to Verizon’s 2013 Data Breach Investigations Report, although 91 percent of data breaches were carried out in a matter of minutes or hours, it took months or years to detect 62 percent of those compromises, and it took several months or longer to contain more than half of the breaches after they were discovered.
The most immediate concern, of course, is the possible consequences for individuals of identity theft and privacy intrusions. But the damage does not end there. The large-scale breaches at Home Depot, Sony, and Target cited above damaged those companies’ information technology (IT) mechanisms and the enterprise management systems that disseminate corporate information across their operations. More specifically, the exchange of data that normally would flow seamlessly had to be considered potentially vulnerable to ongoing cyberattacks or further data degradation. That, together with the resulting financial cost and brand-reputation issues, meant that once highly integrated and effective supply and value chain technology ecosystems had to be reconfigured to address current and future security threats.
These examples show that the impact of a compromised IT infrastructure extends far beyond an organization’s internal mechanisms and functions. Data breaches and security incidents increasingly put not just individual companies but also entire supply chains at risk. Everyone in the supply chain is vulnerable, from original equipment manufacturers (OEMs) and contract manufacturers to distributors and resellers.
For this reason, supply chain managers need to understand how cybersecurity problems at their suppliers could affect them, and take steps to mitigate those risks. For example, the security breaches at Target and Home Depot occurred because criminals got hold of and compromised a third-party vendor’s credentials, which typically include logins, passwords, badges, and security access. In the case of Home Depot, once the hackers got the basic credentials, they then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and deploy malicious software, or “malware,” on its self-checkout systems in the United States and Canada.[3] As for Target, according to a U.S. Senate report, the retailer gave network access to one of its third-party vendors, a heating, ventilation, and air conditioning (HVAC) company. The vendor apparently did not follow widely accepted information-security practices, and its weak security allowed the attackers to gain entrance to Target’s network.
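Both incidents share the same pattern: a third-party credential issued for one narrow purpose ends up authenticating to systems it was never entitled to reach, and then picks up administrative rights. The check below is an added example (not from the article or from either retailer) showing how a supply chain security team might audit that pattern from its own authentication logs. The log format, the account names (`hvac-vendor`, `pos-maintainer`), the segment names and the entitlement table are all constructed placeholders; a real deployment would load the entitlements from its access-review system and the events from its SIEM.

```python
"""
Least-privilege audit for third-party vendor accounts.

Added example, not code from the article. The log format and the
entitlement table are constructed placeholders. The rule being enforced:
a vendor credential may only authenticate to the network segment it was
issued for, and must never be granted an administrative role.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed entitlement table (hypothetical names):
# vendor account -> network segments that account is allowed to reach.
VENDOR_SCOPE: Dict[str, Set[str]] = {
    "hvac-vendor": {"facilities"},
    "pos-maintainer": {"pos-maintenance"},
}

# Constructed sample log, one event per line:
#   <timestamp> <account> <event> <segment> [<detail>]
SAMPLE_LOG = """\
2024-05-01T02:14:05Z hvac-vendor LOGIN facilities bms-controller-01
2024-05-01T02:16:40Z hvac-vendor LOGIN payment-network pos-gateway-03
2024-05-01T02:17:02Z hvac-vendor ROLE_GRANT payment-network Domain-Admins
2024-05-01T02:20:11Z pos-maintainer LOGIN pos-maintenance selfcheckout-17
2024-05-01T02:22:58Z hvac-vendor LOGIN facilities bms-controller-02
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    account: str
    reason: str   # "out-of-scope-segment" or "privilege-grant"
    detail: str


def audit_vendor_access(log_text: str, scope: Dict[str, Set[str]]) -> List[Alert]:
    """Return one Alert for every vendor event that violates the account's entitlement."""
    alerts: List[Alert] = []
    for raw in log_text.splitlines():
        fields = raw.split()
        if len(fields) < 4:
            continue  # malformed line; a production parser would count and report these
        timestamp, account, event, segment = fields[:4]
        detail = " ".join(fields[4:])
        if account not in scope:
            continue  # not a third-party account, so outside this check
        if event == "LOGIN" and segment not in scope[account]:
            # The vendor credential reached a segment it was never entitled to.
            alerts.append(Alert(timestamp, account, "out-of-scope-segment",
                                f"{segment} ({detail})"))
        elif event == "ROLE_GRANT":
            # Vendor accounts have a fixed, narrow purpose; any role grant is suspect.
            alerts.append(Alert(timestamp, account, "privilege-grant",
                                f"{detail} in {segment}"))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per vendor account, so the noisiest credential surfaces first."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        counts[alert.account] = counts.get(alert.account, 0) + 1
    return counts


if __name__ == "__main__":
    found = audit_vendor_access(SAMPLE_LOG, VENDOR_SCOPE)
    for alert in found:
        print(f"{alert.timestamp} {alert.account}: {alert.reason} -> {alert.detail}")
    print(summarize(found))
```

Run against the constructed log, the audit flags the HVAC account twice (a login into the payment segment, then an administrative role grant) and stays silent for the point-of-sale maintainer, which never left its entitled segment. The value of a check like this is that it fires within minutes of the first out-of-scope login, rather than months later when the consequences become visible.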
It is important to remember that in both of these examples, the access points for the breaches occurred through third-party vendors deep within both companies’ supply chains. This is not just a concern for retailers. The 2013 Data Breach Investigation Report