By JO TIMBUONG
bytz@thestar.com.my
PETALING JAYA: Protecting important business data from outside threats is a norm for many companies, but a security expert says that businesses should also watch out for threats that come from within their supply chain.
No company can say that it is not vulnerable to this type of business risk, even if it has supply chain risk management at its core, said Nick Ellsmore, head of business development at BAE Systems Stratsec.
"The whole supply chain is vulnerable and even a breach in the smallest part can have a significant impact on the whole organisation," he said.
One of the biggest cases of supply chain breaches was the one experienced by network security company RSA, which produces security authentication tokens. The breach last year allowed its perpetrators to get hold of the seed data that is used to generate the value on the tokens.
The stolen data was then used in an attack on US defense and aerospace company Lockheed Martin, and also used to gain access to some sensitive defense-related information.
"Lockheed Martin's security depended heavily on the security of the RSA tokens. The breach in RSA compromised Lockheed's security," Ellsmore said.
He said this risk exists because of the change in the way businesses today operate. "Many organisations are trying to get leaner, so many of their non-core functions or those that are not specific to their business, are being outsourced to a third party.
"As a result, more and more companies are involved in ensuring the security of one company's data," he explained.
And if the companies are not extra careful, initiatives that are initially taken to smoothen the business process and reduce costs could potentially cause harm, he warned.
The ones most likely to cause a breach in the supply chain are the employees of the company who fall for social engineering tactics used by attackers to gain access to the company network.
"The technical part of a breach can vary but it always starts with someone opening a suspicious e-mail message," Ellsmore said.
He said there is no cure-all solution for such breaches and the best a company can do is to treat every piece of data as important.
"The value of data can rise and fall depending on the situation, so organisations cannot afford to overlook any of them," he said.
Businesses and other organisations need to look at ways to ensure the security of the different components in the supply chain, so that the whole system is secure.
Ellsmore advised companies which outsource business functions to ensure that a service level agreement is drawn up between them and their outsourcing service provider. "Find someone who puts the same amount of security on your data as you would," he said.