Supply Chain Risks Exist In The Cyber World Too
Late last week, internet service provider Cloudflare disclosed that a software bug allowed its system to embed bits of sensitive customer data in as many as 120,000 web pages it served per day for the past five months.
Even though the resulting damage likely will be minimal, the story serves as a reminder about the breadth of risks companies must manage.
You’re Accountable For Your Cyber Supply Chain
A company’s cyber supply chain can harbor just as much brand risk as supply chains in the brick-and-mortar world. In the 1990s, apparel firms learned that consumers held them accountable for their global supply chains, which were very complex and in some cases involved unsavory subcontractors several levels down in the chain. Among other things, the melamine crises of the last decade proved the same is true in the consumer products industry.
In the constant battle to maintain the security of information and cyber systems, companies will be held accountable for the integrity and security of their suppliers’ systems. Cloudflare is getting the news coverage now, but if anything really bad happened as a result of this situation, it would be Cloudflare’s clients – such as Uber, Cisco, Nasdaq, OkCupid, and Salesforce – whose brands could sustain the damage.
Teams responsible for cyber security and brand protection at major companies need to include this in their risk identification and mitigation calculus, as well as their crisis preparedness plans.
Putting It All In Context
Cloudflare handles about 10 percent of all internet traffic – billions of page requests every day. According to the company, the bug affected only one in every 3.3 million page requests. And when it did happen, the embedded private information would most likely have gone unnoticed or been unintelligible to the recipient.
Furthermore, the company responded immediately, issuing a preliminary fix within an hour and providing a permanent patch within seven hours, according to Wired.
Still, a number of Cloudflare’s corporate clients will have to make determinations about whether to notify their customers.