There is good news from the latest survey on data breaches. In 2016, 19 percent of US retailers experienced a significant breach, down from 22 percent in 2015. The 19 percent figure is also well below the global average for retailers, according to the “2017 Thales Data Threat Report” by 451 Research released last June.
Additionally, while 88 percent of retailers still think they’re vulnerable to a data breach, only 19 percent think they are “extremely” or “very” vulnerable, according to the new study. That’s much better than for their counterparts in financial services (27 percent) and healthcare (29 percent).
Retailers are feeling more confident these days—but danger still lurks. One significant area of concern is contractor and supply-chain security issues. US retailers think partners present a greater insider threat than ordinary retail employees, according to the survey.
For a major retailer to conduct its business, it will probably need to rely on numerous business partners around the world. This reliance comes with risk, however, because outsourcing operations requires extending valuable information, including business secrets, beyond a retailer’s immediate control.
The cost is high if a supply chain partner goes rogue with shared data. Including investigation expenses, forensic consulting, fines, and legal fees—but not even accounting for labor or productivity costs—the average cost incurred by companies per incident in which a partner improperly exploits data access is nearly $400,000, according to Forrester Consulting.
And the threat goes beyond intentional misappropriation. “Even in situations when the third-party business partner is acting in good faith, the mere fact that a third party has access to a company’s trade secrets increases the risk that they will be compromised,” according to a report by the Center for Responsible Enterprise and Trade (CREATe), “Trade Secret Theft—Managing The Growing Threat in Supply Chains.”
The report makes it clear just how difficult it is to escape the risk of supply-chain security issues. Sourcing from third-party logistics providers or contracting with unaffiliated offshore suppliers “requires companies to relinquish control, including some degree of control over the intellectual property involved in the transaction.”
Captive sourcing—building or acquiring a company’s own operations offshore—helps a global company retain control over operations and intellectual property. “However, even captive sourcing is not without risk,” according to the report. There are numerous cases currently winding their way through the international legal system in which a manager at a company’s offshore subsidiary was lured away by a competitor and used the trade secrets with which he or she had been entrusted to the new company’s advantage.
“Companies whose supply chains extend to countries with weak or no trade secret protection must take proactive measures to safeguard their most valuable secrets,” concludes CREATe.
Safeguarding against Supply-Chain Security Issues
There is plenty of work to go around for a retail organization to meet that goal. Loss prevention/asset protection departments may need to contribute by investigating suppliers before contracts are signed to ensure partners are able to adequately protect the company’s critical data.
A due diligence investigation of outsourcing partners is critical, according to CREATe. It’s vital to assess whether they have the security controls in place to live up to a contract’s provisions for physical and technical security, cargo security policies, confidentiality, record retention, and inadvertent disclosure.
Reputations should also come under scrutiny. “Determine if the supplier has a reputation for intellectual property rights violations, trade complaints, or export-control issues; has links to other firms with these issues; or has ties to foreign governments that have a history of disregarding intellectual property rights,” according to the report. “These are red flags meriting further investigation.”
It’s also important to ensure that appropriate physical security measures are in place at contractors and business partners. The report suggests that it might be smart to:
- Mark all trade secret documents and storage media as Classified, Restricted, Confidential, Do Not Disclose, or another label particular to the company’s business.
- Ensure that documents are shredded before disposal.
- Identify appropriate additional security controls if the contractor also does work for a competitor.
“Ideally, companies and their suppliers should be working as partners to protect valuable corporate secrets,” according to the report. “More open communication and more active involvement can foster greater trust and a better working relationship between companies and their suppliers.”
LP may have a limited role in many aspects of ensuring the security of critical data in suppliers’ hands, such as technical safeguards like encryption. But LP executives, along with others in risk mitigation, play an important role in protecting intellectual property as a whole, and so they should help to identify potential supply-chain security issues and gaps.
Importantly, LP needs to help identify the security requirements to insist upon in outsourcing contracts and to assess existing supplier relationships for possible weak links. It can do so, for example, by asking:
- Do we hold a brief orientation for the supplier on what information is considered classified and how they are expected to protect it?
- Do we document specific threat scenarios—what data is at risk and from whom, and the likeliest threat vectors that might be exploited?
- Do managers who possess the authority to hire contractors, consultants, and temporary workers have security checklists to manage those relationships with protection of critical data and company secrets in mind?
This post was originally published in 2017 and was updated August 27, 2018.