Last spring's earthquake and tsunami in Japan served as a powerful reminder of the fragility of today's far-flung global supply chains. So it's no surprise that logistics and supply chain managers are focusing renewed attention on plans to keep distribution and supply networks up and running in the event of a disaster. While most will be concentrating on things like the supply base and physical infrastructure, there's something else these managers should keep in mind as they draft their risk mitigation strategies: their information technology network.
That's the view of Dennis Omanoff, a senior vice president and chief supply officer at McAfee Inc., a firm that provides Internet security and antivirus services. Omanoff thinks logistics and supply chain managers should be paying more attention to what they can do to keep products flowing in the event of a cyberattack on the IT network that binds their supply chain together.
Internet security threats are on the rise, according to Omanoff. So far this year, McAfee has identified 14 million different kinds of malware, malicious software intended to disarm or disable computers. (Think viruses, worms, and Trojan horses.) As for how malware infiltrates corporate computer servers, McAfee said e-mail is the most common mode of transmission.
In the past, most cyberattacks were the work of lone-wolf hackers, but that's no longer the case, Omanoff says. Criminal gangs seeking access to confidential data are going after corporate information systems. There's also been a rise in state-sponsored cyberattacks such as "Operation Aurora" in December 2009 that struck information systems at a number of U.S. companies. (Although never proven, many experts believe the Chinese government was behind Operation Aurora.) "Now you have nation states trying to use cyber terrorism to gain access," says Omanoff.
Although nation states are more likely to target government or military computers, or even commercial transportation or power grids, Omanoff says they're also taking aim at corporate and global commercial networks. Supply chain information networks might well be on their list of targets, he says, adding that the attackers would be looking to steal intellectual property or confidential data.
What can a company do to protect its information networks? Omanoff recommends starting with a security audit to ensure the corporate supply chain information network hasn't been breached. He also advises companies to require suppliers to have a data loss protection plan in place that includes regular monitoring of the possible loss of any confidential data.
As a further safeguard against data theft, Omanoff recommends that American companies "buy American"—that is, purchase only computer hardware assembled in the United States. He believes companies should be "nervous" about computers built in countries with totalitarian regimes that might intentionally embed malware code in the hardware. "I worry about the deliberate intrusion onto my hardware of a piece of malware that might give someone access to critical infrastructure," says Omanoff.
Omanoff warns that in the future, companies will have to start becoming more selective and cautious about where they buy their computer gear. For instance, that might mean using only vendors who are able to "obfuscate" the end user's identity when they go to buy parts and components from their own suppliers. In any case, he says, companies should only buy computer hardware from sellers in which they have complete confidence. "You have to buy from a trusted source," he says.