Security Risks to IT Supply Chains under Economic Stress

C. Warren Axelrod (Delta Risk LLC, Arlington, VA, USA) and Sukumar Haldar (Director of Application Development and Risk Management, Anshinsoft Inc., New York, NY, USA)
Copyright: © 2013 |Pages: 16
DOI: 10.4018/ijcwt.2013100107

Abstract

Information technology (IT) supply chains are subject to security risks even during the most stable of economic times. However, when economies come under stress due to brisk growth or rapid contraction, IT supply chains become greater targets for nefarious players, be they employees, hackers, terrorists or nation states, for a variety of reasons. Maintaining both cyber and physical security of owned systems and facilities, over which you have direct control, is difficult and expensive enough under normal conditions. Attempting to preserve adequate levels of security over third parties, be they process outsourcers, product vendors or contractors, is much more challenging and can be extremely costly in time, money and resources. It is also fraught with organizational, social, economic, political, geographical and contractual challenges. In this paper, the authors list a broad range of potential IT-related security risks and suggest how they might become exacerbated during times of economic stress. Mitigation of these risks may call for extreme measures. Some actions are reasonable and straightforward to implement, whereas others require substantial effort and indeed may not be achievable under current legal and regulatory conditions. The authors offer recommendations for overcoming manageable hurdles, and suggest how some reduction in risk might be attained even in situations where ready solutions are not yet available.
Article Preview

Introduction

Supplier arrangements for information technology (IT) products and services have been seen to proliferate under both booms and recessions, as private companies, government agencies, and others continually seek to reduce costs by farming out activities that they consider not to be their core competencies. Meanwhile, the potential for compromise from cyber and physical security exploits increases in step with the growth in IT generally, regardless of economic conditions. However, in stressful economic times the risk of attack and likelihood of success for attackers are greater, as will be discussed in this article.

For the past two decades, the increased use and expansion of supply chains, particularly those including offshore operations, have taken place during times of solid economic growth. The exceptions were the recession around 2001, when a number of major IT outsourcers failed with little or no notice (Berinato, 2001), and the financial meltdown of 2007-2008, when questionable activities by outsourcers were uncovered, as in the case of Satyam (Bhasin, 2012). Prosperous times tend to hide nefarious activity. However, when the economic tide recedes, misdeeds and mismanagement are exposed.

The demand for outsourced products and services usually rises during economic downturns in order to reduce costs, and also rises during prosperous times as additional capacity, lower production costs and specific skills are sought. Both of these behaviors have been observed, particularly with respect to the outsourcing of software development to India and electronics manufacturing to China.

During economic contractions, threats posed by insiders, in particular, are thought to increase considerably as employees are fired and remaining employees become disgruntled and feel threatened economically. The insider threat is difficult to measure since insiders operate using authorized access and procedures. Consequently, while one might expect computer crime generally to increase when individuals are suffering economic hardship, measurement of such increases will be called into question since many exploits by insiders are never detected, and many of those that are detected often go unreported.

In more prosperous economic times, we also see increases in cyber attacks against corporations, government agencies and research institutions that are launched for purposes of industrial espionage (stealing intellectual property), financial gain (capturing personal information to enable identity theft and fraud), and conflict (cyber and kinetic warfare). Rapid expansion of organizations, mergers and acquisitions tend to mask nefarious activities because of the turbulence generated by such changes.

Of particular concern is the inability of many organizations to recognize and respond to cyber attacks. Typically, compromises take months to detect, if they are detected at all. In the majority of cases, victims are not even aware of the attacks until some collateral activity is noticed by third parties and brought to the attention of the victim organizations.

It is difficult to separate effects that are evolutionary, arising mainly from advances in technology and from increased interconnectivity and complexity, from effects that arise from economic stress. We shall nevertheless attempt to draw a line between the two. The purpose is to suggest which additional measures should be taken, and which existing measures need to be strengthened, as a result of economic rather than purely technical factors.
