February 12, 2015

A Cybersecurity Formula for Your Supply Chain

SMITH BRAIN TRUST -- The newly announced Cyber Threat Intelligence Integration Center “is a welcome development,” but for businesses, the critical action and players are in supply chains, Ground Zero for cyber breaches, says Sandor Boyson, research professor and codirector of the Supply Chain Management Center at the University of Maryland’s Robert H. Smith School of Business.

The agency will rapidly pool and disseminate data on cyberbreaches to other U.S. agencies. Boyson says the move signals that the federal government recognizes the need to sense and respond to cyber threats on “all fronts.” But it’s “crucial for private industry leaders -- in addition to state legislators -- to pursue a similar real-time response capability.”

“The problem will remain unabated until the states and private sector are forced by federal legislation, legal liabilities or brand destruction to build out not only collective and individual threat response but also sensible proactive preventative measures,” he says. “Such measures include keeping valuable intellectual property or system command-and-control mechanisms only on hardened networks or offline entirely to avoid ‘wiperware.’”

This point, he says, echoes that made by Lisa Monaco, assistant to the president for Homeland Security and Counterterrorism. In introducing the agency, she said “the vast majority of critical IT infrastructure remains in the hands of the states and private sector.” These actors, Boyson emphasizes, must pursue a similar real-time response capability both at the industry and individual organizational levels.

Monaco also noted that data breaches have increased five-fold since 2009 and are growing in their frequency, scale, sophistication and impact.

But the supply chain “is Ground Zero for several recent cyber breaches. Hackers prey on vendors that have remote access to a larger company's global IT systems, software and networks. In the 2013 Target breach, the attacker infiltrated a vulnerable link: A refrigeration system supplier connected to the retailer's IT system,” says Boyson, who has concurrently co-developed a three-part formula via a Cyber Risk Management Portal drawn from ongoing NIST-funded research.

Among findings: “The cyber supply chain is as fragmented and stovepiped today as the physical product supply chain was in the early to mid-1990s. On the strategic side of risk management, just half of the 200 companies we surveyed use a risk board or other executive mechanisms to govern IT systems’ risks,” says Boyson, who’s collaborating on the study and portal design with faculty-colleague/center codirector Thomas Corsi, research fellow Hart Rossman, and Smith School Chief Information Officer Holly Mann. “Most of these companies also do not use automated business rules and sensor-driven responses to dynamic IT threats.”

Boyson also is an appointee to the U.S. Secretary of Commerce's Advisory Committee on Supply Chain Competitiveness. Read more about the portal in his Washington Post guest column: A cybersecurity formula for your supply chain.

Media Contact

Greg Muraski
Media Relations Manager
301-405-5283  
301-892-0973 Mobile
gmuraski@umd.edu 

About the University of Maryland's Robert H. Smith School of Business

The Robert H. Smith School of Business is an internationally recognized leader in management education and research. One of 12 colleges and schools at the University of Maryland, College Park, the Smith School offers undergraduate, full-time and flex MBA, executive MBA, online MBA, business master’s, PhD and executive education programs, as well as outreach services to the corporate community. The school offers its degree, custom and certification programs in learning locations in North America and Asia.
