Last week, a pretty significant red flag development occurred in the area of information and data security as a cybersecurity researcher came across thousands of automotive trade secret documents exposed on an unprotected server. If there was ever data that any corporation did not want comprised, this incident had the potential to do so.
Many cybersecurity specialists had predicted that 2018 would present ever more challenges in data and information breaches that had the potential to do major harm to corporate operations and to specific brands. That is what prompted our organization to declare in our 2018 Predictions for Industry and Global Supply Chains that cyber risk and information security safeguarding would consume supply chain wide risk as well as technology investment considerations.
Last week’s incident, originally reported by the New York Times (Metered free views) indicated the sensitive material involving more than 100 companies that had interacted or performed business with a small Canadian based company, Level One Robotics and Controls, were found unprotected on the open Internet. According to the report, the information which included at least 157 gigabytes and upwards of 47,000 files included factory records and diagrams from automotive companies including Fiat Chrysler, Ford, General Motors, Tesla, Toyota, and Volkswagen. For Tesla, the incident would be the second of concern in just a few weeks, after the late-June data loss and suspected IP theft alleged to have occurred from a disgruntled employee.
The alleged Level One compromised information was discovered on an exposed backup server requiring no password or special access permissions., according to the Times report. In addition, some personal information relative to Level One employees may have been exposed as-well, and it was unclear whether any other party had seen or downloaded this unprotected data. Once alerted, the exposed information was taken  offline within a day.
As is the case in many of these incidents, all relative parties involved in this reported incident declined to comment to the New York Times.
The Times cites a security research firm as indicating:
It’s relatively recently that C-level executives have begun to acknowledge that some of their third-party relationships are creating unbelievable risk.”
Our 2018 prediction that published before the start of the year foretold that: “Cyber-related risk and information security safeguarding will consume business, IT and industry supply chains, not so much by choice, but from compelling needs dictated by stockholders, boards and C-Suite executives.” Thus, this latest development of the potential of the most sensitive business data should be yet another stark reminder to supply chain and leadership.
We therefore reiterate our recommendations and call to action noted in our 2018 prediction:
Cyber security is not the sole responsibility of corporate security and IT teams, instead it involves broader involvement and accountability.
Rather than a response of: “I’m too busy”, encourage a climate where information security is everyone’s concern. It is better to make aware than to ignore. Insure that system logins are changed on a regular basis to make it more difficult for hackers to penetrate systems. Likewise, collaborate with IT support teams to ensure that application and systems patches are always up-to-date, even if that implies some brief downtime. We would add that respective sourcing and procurement leaders need to ensure that information security and safeguarding is an integral part of supplier agreements and that supplier assessments include requiring evidence of active data and information security action plans.
Partner with business continuity, internal and external supply chain teams to offer timely training and/or webinars on responding to cyberattacks as well as information security and awareness. Encourage questioning and inquisitiveness as to prior history of cyberattacks, which systems seem to be the most involved, what to look out for in unusual or suspicious activity, and who to call if something indeed looks suspicious.
Supply Chain Matters strongly suspects that many of the above activities are likely occurring among automotive manufacturers and their key suppliers given last week’s public revelation and validation.
© Copyright 2018. The Ferrari Consulting and Research Group and the Supply Chain Matters® blog. All rights reserved.