When companies buy digital products, they expect them to be secure. In most cases, they don’t test for vulnerabilities down the digital supply chain - and don’t even have adequate processes or tools to do so.

Hackers have taken note, and incidents of supply chain cyber-attacks, which exploit weaknesses within the digital supply chain to break into organizations’ internal networks, are on the rise. As a result, there have been many headline incidents that not only bring shame to the companies involved, but ratchet up the visibility of these threats to top executives who want to know their offerings are secure. Leaders need new ways to reduce supply chain cybersecurity risks, whether they’re buying digital products or producing them.

Supply chain vulnerabilities have led to some of the most dramatic cyber-attacks in recent years. During the NotPetya cyberattack in 2017, power plants, banks, metro systems, and the world’s largest container shipping company were just some of the victims of malware delivered through the updating process of an accounting software package commonly used by companies in Ukraine. The malware then spread to other systems on each company’s network, causing their systems to lock up. More recently, in the SolarWinds attack in early 2021, hackers added malware to software after it was certified as ready for customers. In both of these instances (and many more) nefarious actors used vulnerabilities in the way suppliers connected to systems and set up back doors that could be used later to steal IP or financial information, or to install malware that would propagate throughout customer systems. Often, company culture is a driving force behind vulnerabilities. If you think that you’re not at risk for this kind of attack because your company doesn’t have information or connections hackers could exploit, your vendors have assured you that their systems are secure, your customers have validated that your systems are acceptable, or you haven’t discovered vulnerabilities, you are exactly the target hackers seek when they perpetrate the next attack.

Understanding how your supply chain might be a target is step one, and building the processes and mindset to protect and defend your supply chain is step two. Our work on building a culture of cybersecurity offers companies a model for how to develop cybersecure products. Most recently, we studied three large, well-known global companies, looking at both the cybersecurity culture of their product development teams and the management of the security of their digital supply chain. We asked how, as a supplier, they come to understand the cybersecurity needs of their customers, and, as a customer, how they manage the risks that come from third-party suppliers. The data showed that managers often fall prey to counterproductive and possibly dangerous mindsets that get in the way of securing supply chains and leave their companies exposed - and that they’re often taking cues from the top.

Cybersecurity Isn’t Given Priority

Every manager and developer interviewed said that cybersecurity was important and should be designed into products - customers expected it and suppliers felt they should provide it. Even so, neither side took adequate steps to achieve this. That’s because products are usually purchased for the value-added features they provide, not because they are secure. There are two key miscalculations bound up in this outlook: first, that cybersecurity does not directly contribute to revenue, and second, that cybersecurity is a feature that can easily be added on later in the project as necessary. In practice, both mean that cybersecurity is prioritized below other revenue-generating features and is likely added on later in the product development process, as vulnerabilities are uncovered through testing or, worse, by customers once the offerings reach the marketplace.

Lackluster cybersecurity can hurt your revenue.