Chief information officers should begin asking serious questions about the security of their supply chain partners because of the risk of backdoor attacks, according to the International Security Forum (ISF).
ISF vice president of sales and marketing, Steve Durbin, told CIO Australia that companies are faced with a number of challenges — knowing who their suppliers are, how effective they are at managing their supply chain, intellectual property (IP) regulations in different countries and potential security holes in the chain.
“Given that we have digitisation of supply chains going on, we’ve got outsourcing rife across the chain,” he said.
“You’ve got lawyers and accountants involved in the supply chain who are going to be responsible for holding data that is classified as private. You’re also looking at potential theft of intellectual property,” he said.
For companies operating in Australia there were implications for data such as intellectual property or personal data flowing across different jurisdictions as regulations varied from country to country, he said.
Durbin urged CIOs and IT security managers to investigate and audit key suppliers.
“Find out what the supply chain looks like and categorise suppliers into different baskets regarding criticality of the service they provide and the potential for security breach within that service.”
Following the audit, CIOs should then highlight the key suppliers or regions where they need to focus extra security measures.
“Australian banks have been doing this for some time, they are very good at managing their IT outsourcing providers and how these outsourcers are managing the bank’s data,” he said.
The ISF is not the only international body to voice concerns about the security of supply chain management.
In March this year, US lawmakers called on three US government agencies, including the Department of Energy, to start monitoring their IT purchases for possible malware, counterfeits or other security flaws, after a watchdog agency pointed out potential vulnerabilities in their IT supply-chain procedures.
Government Accountability Office (GAO) director of information security issues, Gregory Wilshusen, told the agencies that when buying hardware pieced together from components made all over the world, they needed to check their purchases for vulnerabilities that could slip in at any point in the manufacturing and shipping process.