No company is an island
John Suffolk describes the challenge of combating supply chain risk in a globalised marketplace
John Suffolk, global cyber-security and privacy officer, Huawei Technologies
“No man is an island entire of itself; every man is a piece of the continent, a part of the main” – 17th Century English poet, John Donne.
Great poetry is timeless. And the words of John Donne are as relevant to us today as they have ever been. In today's technology industry, no successful company stands alone. Instead, every company, large or small, has an extensive – often complex – supply chain supporting it. And, in today's globalised and outsourced world, where geographical borders are less consequential in business, these value chains with hundreds of partners can span several continents. This collaboration brings new ideas, greater expertise and knowledge-sharing; it's often at the heart of a company's success – however, as we all know, it also brings risks, which only increase as a business grows.
This month Huawei's fourth Cyber-Security White Paper, looking at supply chain risk, identifies the two most prominent risks as counterfeit products and products tainted by maliciously installed malware, both of which create cyber-breach vulnerabilities.
Supply chain risk management is not just about ensuring that products and services will be there when needed. It is also about a product lifecycle approach that minimises the risk that products will be tainted by the behaviour of malicious actors, or that the products may contain counterfeit components that can be exploited for illicit purposes.
Each additional supplier in the delivery of a service or product is another opportunity for an illegitimate supplier to provide inadequate goods and, regardless of the processes in place, an element of control is undoubtedly removed. The complexity of managing this risk increases when the supply chain spans multiple countries, each adopting different laws and standards. Products deemed “suitable” and “safe” in one market may not be in another; or may not be evaluated at all in another.
This equates to thousands of potential areas where an element of the end product could be sub-standard, putting the company selling the final product – or using it – unknowingly at risk of financial and reputational harm.
Managing exposure to a cyber-breach has never been easy. But now the introduction of the General Data Protection Regulation (GDPR) adds to the C-Suite's concern. It states that a company will be subject to a fine of four percent of its global revenue or £15 million, whichever is greater, if it suffers a personal data breach and doesn't disclose all the details within 48 hours.
In this instance, it doesn't matter whether the breach is the result of a direct attack on a company or of a vulnerability passed through a supplier; the consequences are the same – devastating financial and reputational damage. And although it's not due to be enforced until May 2018, smart businesses recognise the media is already holding businesses accountable to these standards, measuring breached businesses by their response times and communications approach.
So, the stakes are higher than ever before – and the supply chains more complex. With that backdrop, how do organisations ensure they are selling secure and trustworthy goods and services to customers?
The global cyber-security challenge
Analysing a technology company's entire supply chain can be a daunting prospect, so Huawei's Cyber-Security White Paper recommends it is broken down into three steps.
Step one, understand what your supply chain risks are; step two, decide collaboratively how to address them; and step three, take action towards mitigating those risks.
Although there's no silver bullet for moving businesses from relative ignorance of the risks through to awareness and understanding how to address them, one thing is clear – trying to do this alone is not the answer.
Being open, collaborative and working collectively towards the same standards of supply chain management is vital. This is particularly important between organisations that vary drastically in size; if you can rely on a relatively small supplier to have the same standard set of documentation as an enterprise then many barriers to trade are removed.
An element of accountability should also be in place so individuals and teams have an incentive to follow best practice. These teams should have specific roles, whether they are focused on cyber-security, risk or product authenticity, for example.
But most critically – as the National Institute of Standards and Technology (NIST) Cyber-security Framework lays out – cyber-security must not just be an afterthought. It should be firmly built into the risk management process, not simply bolted on afterwards.
The UK Government has led by example when it comes to imposing a standard. Initially put in place by the Cabinet Office and Home Office, SID4GOV – which is coordinated by NQC – provides up-to-date information about crucial suppliers. This is particularly important because of the sensitive information it holds, making it a ripe target for attackers.
To drive progress in this area, we need to look to examples like that and learn from them – being open-minded to working together across the private sector, public bodies, academia and Government organisations to raise awareness of this issue, and most importantly, improve it.
So John Donne is as right today as he was when he wrote in the 17th century, to paraphrase: no company is an island entire of itself; every company is a piece of the continent, a part of the main. And we all need to ensure this is central to how we manage our supply chains, as we strive towards delivering a better connected world.
Contributed by John Suffolk, global cyber-security and privacy officer, Huawei Technologies