Mitigating Risk with Supply Chain Sensitive Data

April 30, 2019

There is a mounting volume of data that must be shared between partners to streamline processes, boost efficiency and reduce costs. In this era of the digital supply chain ecosystem, it is essential to plan for data protection and for the cyber attacks that all of this sharing invites.

The traditional supply chain model has evolved over the past several years, but perhaps no industry has experienced this more than the rapidly changing automotive sector. Just a few years ago, automotive companies only had to grapple with the demands of the supplier, the manufacturer and the distributor before handing a product over to the retailer. While this scenario relied on interconnected relationships, it was fairly straightforward: Tier-1 suppliers (makers of modules and systems for various vehicle platforms) and Tier-2 suppliers (suppliers of essentials like motors, metals and electronics) supplied parts to original equipment manufacturers (OEMs), where the components were integrated into vehicles that were then shipped to dealer networks.

Now, technology is more intertwined with the automotive industry. Many of those Tier-1 and Tier-2 suppliers have been forced to innovate and develop new technologies to keep pace with competitors. Today’s vehicles are computers on wheels, equipped with sensors that monitor airflow, oxygen, engine speed and fuel temperature. Vehicles are equipped with robust computer systems and technologies that specialize in navigation, engine efficiency and driver safety. That is to say nothing of the mechanics of autonomous vehicles and connected cars, which are complex, data-rich systems that come with their own set of supplier-OEM relationships and are a far cry from the once traditional supply chains.

All of this is driven by—and would be impossible without—the ability to securely share sensitive data, including valuable trade secrets, among supply chain partners.

The cloud, one of the biggest catalysts behind the rise of the digital supply chain, has changed the risk profile of organizations. Moving data to the cloud adds copies, accounts and access paths, each of which is another way the data can be compromised, which translates into more risk.

Data is the lifeblood of business—if a company does not have knowledge about where that information is going throughout the supply chain, it could jeopardize the company’s future, profits and brand.

Over the past several years, policymakers, researchers and IT experts have emphasized the importance of keeping these relationships secure in the face of growing threats. The National Institute of Standards and Technology (NIST) has stressed that organizations must better understand cyber supply chain risk management (C-SCRM) because of the complex and interconnected relationships involved.

A 2017 survey conducted by Kaspersky Lab polled organizations on their IT security spending and found that targeted attacks cost them $1.11 million; incidents affecting IT infrastructure hosted by a third-party cost $1.09 million; incidents involving non-computing connected devices cost $993,000; incidents impacting third-party cloud services cost $942,000; and data leaks from internal systems cost $909,000.

IT administrators can restrict what a user can do and which files they can access through access control policies or Group Policy Object (GPO) management, but those controls leave gaps: they apply only inside the environment they are configured for, so once a file has been copied to removable media, attached to a web-mail message or uploaded to a partner's system, the GPO no longer governs it.

Ultimately, one of the best ways to mitigate risk in supply chains is to ensure data is properly controlled and monitored when organizations work with third parties. When a manufacturing company needs to have a product assembled, it outsources the task and sends data such as drawings, intellectual property or a BOM (bill of materials) to the manufacturer. As is to be expected, the data is highly technical, potentially pertaining to anything from circuit boards to turbines to energy storage technology. More often than not, the manufacturer assembles products for several vendors, and the company will not want to run the risk of its proprietary data getting into the hands of competitors.

When an organization outsources the manufacturing of defense-related products abroad, it is legally required to ensure that controlled technical data is not exported without authorization in the process. In the United States that means complying with the International Traffic in Arms Regulations (ITAR), which govern the export of defense articles and the technical data behind them and are meant to ensure such technology does not get into the wrong hands; under ITAR, giving a foreign person access to controlled technical data counts as an export even if the data never physically leaves the country. Complying with the labyrinthine regulation can be confusing, and violations can be costly and damaging for companies, but solutions exist that help organizations classify data and control what data can be accessed and by whom.

While the supply chain can complicate how data is shared, it does not have to make it impossible. In order to control its data, a company needs visibility before it can mitigate risk. An organization must understand where its data is going in a supply chain scenario, both from a top-down perspective, by looking at data egress across the company (such as how much is going to web-mail, file shares or removable devices), and from a bottom-up perspective, by looking at the activity of individual users and systems over a given period of time.

Once an organization has gained that visibility, it can classify its data to identify what is important and what is going where, and get a better idea of how to manage its risk. The starting point is identifying what is valuable to the organization; with that known, the company can begin to overcome sensitive data challenges throughout its supply chain.
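As an added example (not code from the original article or its author), the following Python script puts the two views described above together over constructed log lines: a top-down tally of bytes per egress channel, a bottom-up count of per-user activity within a time window, and a classification pass that flags data leaving by a channel its sensitivity does not allow. The log format, file paths, users, prefix rules and channel policy are all hypothetical; real DLP, proxy or endpoint logs would need their own parser and a classification scheme derived from the company's own inventory of what is valuable.

```python
"""Egress visibility and classification over constructed DLP-style log lines.

Added example; the log format, paths, users and policy below are all
hypothetical and constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: one egress event per line, space-separated:
# <ISO-8601 timestamp> <user> <channel> <destination> <file path> <bytes>
SAMPLE_LOG = """\
2019-04-29T08:02:11Z alice webmail gmail.com /eng/turbine/blade_v7.step 18432000
2019-04-29T08:05:40Z alice fileshare smb://nas01/cad /eng/turbine/blade_v7.step 18432000
2019-04-29T09:15:02Z bob usb SERIAL=4C530001 /finance/q1_report.xlsx 204800
2019-04-29T11:47:33Z carol webmail outlook.com /hr/newsletter.docx 51200
2019-04-29T13:20:09Z alice usb SERIAL=4C530002 /eng/bom/assembly_bom.csv 10240
2019-04-30T07:58:45Z bob webmail gmail.com /eng/turbine/rotor_drawing.pdf 9830400
"""

# Hypothetical classification rules: drawings and BOMs sent to contract
# manufacturers are the crown jewels, finance is confidential, the rest internal.
RESTRICTED_PREFIXES = ("/eng/turbine/", "/eng/bom/")
CONFIDENTIAL_PREFIXES = ("/finance/",)

# Hypothetical policy: which channels each class may legitimately leave by.
SANCTIONED_CHANNELS = {
    "restricted": {"fileshare"},                 # only the managed partner share
    "confidential": {"fileshare", "webmail"},    # no removable media
    "internal": {"fileshare", "webmail", "usb"},
}


@dataclass
class EgressEvent:
    ts: datetime
    user: str
    channel: str
    dest: str
    path: str
    size: int


def _parse_ts(iso: str) -> datetime:
    # datetime.fromisoformat() (Python 3.7+) does not accept a trailing "Z".
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def parse_egress_log(text: str) -> list:
    """Parse the constructed log format into EgressEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, channel, dest, path, size = line.split()
        events.append(EgressEvent(_parse_ts(ts), user, channel, dest, path, int(size)))
    return events


def classify(path: str) -> str:
    """Label a file by sensitivity using the prefix rules above."""
    if path.startswith(RESTRICTED_PREFIXES):
        return "restricted"
    if path.startswith(CONFIDENTIAL_PREFIXES):
        return "confidential"
    return "internal"


def egress_by_channel(events) -> dict:
    """Top-down view: total bytes leaving the company per channel."""
    totals = defaultdict(int)
    for e in events:
        totals[e.channel] += e.size
    return dict(totals)


def activity_by_user(events, start_iso: str, end_iso: str) -> dict:
    """Bottom-up view: number of egress events per user inside [start, end)."""
    start, end = _parse_ts(start_iso), _parse_ts(end_iso)
    return dict(Counter(e.user for e in events if start <= e.ts < end))


def flag_violations(events) -> list:
    """Events where data left by a channel its classification does not allow."""
    return [
        (e.user, e.channel, e.path)
        for e in events
        if e.channel not in SANCTIONED_CHANNELS[classify(e.path)]
    ]


if __name__ == "__main__":
    evs = parse_egress_log(SAMPLE_LOG)
    print("bytes by channel:", egress_by_channel(evs))
    print("events per user on 2019-04-29:",
          activity_by_user(evs, "2019-04-29T00:00:00Z", "2019-04-30T00:00:00Z"))
    for user, channel, path in flag_violations(evs):
        print(f"VIOLATION {user} sent {classify(path)} file {path} via {channel}")
```

Note that the sanctioned copy of the turbine drawing to the partner file share is not flagged while the same file leaving through web-mail is: the point is not to block sharing, which the supply chain depends on, but to see which copies are leaving by routes the company has not agreed to.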
