Poor internal security procedures and a lack of compliance protocols -- especially for small suppliers -- can introduce cybersecurity threats into global supply chains.
Information security risks in supply chain software are becoming increasingly prevalent, particularly as global companies have become more dependent on third-party vendors.
According to Symantec, more and more attackers are injecting malware into the supply chain to infiltrate organizations. In fact, there was a 200% increase in these attacks in 2017 -- one every month compared to four attacks annually in previous years.
Supply chain software offers a new arena to threat actors intent on penetrating enterprise networks, said Peter Nilsson, vice president of strategic initiatives at MP Objects, a provider of supply chain orchestration software in Boston.
"Previously, people had their ERPs behind their very tight firewalls, and no one from the outside could get in without being monitored by the hawk eyes of the IT department," he said. "Now, enterprises are saying, 'We need to collaborate with our partners and we have to open up our ERP and let them in.'"
But if those third parties don't have adequate security, attackers can infiltrate their systems to attack the enterprise.
Any time an enterprise introduces software into the mix of its supply chain, it runs the risk of cybersecurity issues, said Justin Bateh, supply chain expert and professor of business at Florida State College at Jacksonville. Most risks are caused by not having the proper controls in place for third-party vendors.
"There are many low-tier suppliers that will have weak information security practices, and not having clean and limited guidelines for these providers about security expectations will pose a significant threat," he said.
Jason Rhoades, a principal at Schellman & Co., a provider of attestation and compliance services in Tampa, Fla., agreed that in recent years the enterprise's attack surface has increased along with the tremendous growth in the supply chain.
"Looking at the recent Equifax breach confirms that vendor and supply chain software poses a true security risk that the enterprise cannot ignore," he said.