Although 68 percent of companies surveyed by Deloitte Consulting indicated they understood their cyber risks, and 62 percent said they had programs in place to address cyber security threats, 59 percent of those companies still experienced a security incident in the past year. This finding was reported in the consultants’ sixth annual Global Technology, Media and Telecommunications Security study, and Tim Garcia, CEO of Apptricity, an enterprise software provider, used this information as an illustration in one of four simple steps he devised to help companies integrate web security into their existing risk management strategies.
He calls the lesson from this particular finding “Don’t say ‘If,’ say ‘When.’” “Companies need total organizational visibility and a plan to enact in case of cyber threats in order to recover,” Garcia said. “Check to make sure your supply chain management software gives you that.”
The three other suggestions he offers are:
- Analyze the supply chain for vulnerabilities. Conduct a comprehensive analysis in which each node and component of the supply chain is thoroughly examined. “Most industry experts are well aware of this important step, but companies just need to be certain that checking for cyber risk is part of the overall security assessment,” said Garcia.
- Communicate. An extra step needs to be taken to ensure the IT department and supply chain team are part of that discussion. “The chief information officer, chief supply chain or procurement officer, and the chief risk officer all need to have tight communication,” Garcia said.
- Tap the government as a resource. While one company’s supply chain might not be the government’s top priority, its focus on infrastructure from a cyber risk perspective certainly dovetails with corporate interests. “One resource to watch is a program between the Department of Homeland Security’s Office of Cyber Security & Communications and the National Institute of Standards and Technology,” said Garcia. “They are developing a voluntary set of cyber security standards and best practices for critical infrastructure.”