Originally published in The Globe and Mail on May 8, 2015.


It has been almost 18 months since hackers broke into the networks of U.S. retail giant Target, through one of its third-party vendors, and compromised the personal information of more than 70 million of its customers.
Target’s breach should have been a wake-up call to companies throughout North America’s supply chains, but experts say that many continue to treat security breaches like a game of Whac-A-Mole – reacting to individual attacks instead of looking for collaborative ways to detect and respond to future attacks.
Smaller Canadian companies, in particular, need to beef up cybersecurity measures or risk getting left out, experts say.
“It’s still an easy in,” says Gary Gagnon, senior vice-president and chief security officer at Mitre Corp., a U.S.-based not-for-profit organization that runs federally funded research and development centres and whose work includes research into cybersecurity.
He is blunt about the current situation and says companies need to stop thinking there is such a thing as a fully secured network.
“Regarding supply-chain protection and supply-chain risk management, I think it’s a fool’s errand,” Mr. Gagnon says. “I think that with the globalization of information technology … it’s absolutely impossible to understand and protect your supply chain.”
His message: No one in North America’s supply chain is immune. All companies should think of themselves as targets, and instead of denying an inevitable breach, Mr. Gagnon advocates mitigation and resilience.
“We’ve been huge proponents of cyberthreat sharing,” says Mr. Gagnon, as a way to use the open nature of the Internet to help plug the network holes.
In April, the U.S. House of Representatives approved a cyberthreat-sharing bill designed to encourage companies to share specific details of network breaches to help other companies detect and prevent similar attacks.
The objective is that this shared info will help everyone in the company – from the C-suites to the IT department – with early detection, best practices and faster response times.
“If you’re spending time protecting and sharing what you’re learning about … you can basically build a neighbourhood watch program that’s going to try to help each other defend their networks,” Mr. Gagnon says. “It’s all about trying to encourage U.S. industry to work together to share cyberthreat indicator information to try and raise the bar across all our sectors.”
Today it takes more than 200 days for a company to detect a cyberbreach, according to U.S. cybersecurity firm FireEye Inc. It also means many of last year’s hacks have yet to be detected.
“That’s intolerable,” says Ray Boisvert, senior associate at public relations firm Hill+Knowlton and former assistant director of intelligence at the Canadian Security Intelligence Service. “The longer they are in your network the more they could have done.”
Mr. Boisvert says he has seen evidence that larger companies are putting more resources into beefing up online security measures after the major breaches experienced in 2014. “But I’m just not sure that grand awakening on cyber has permeated all those lower levels [of the supply chain] just yet.”
So how to bridge that gap?
Mr. Boisvert believes the mentality of all supply-chain vendors has to change.
“The issue is that companies today have to understand that first and foremost they are IT companies,” he says. “IT is the foundation of everything that they do. Supply chains, contractors, consultants, they are a part of their network.”
He says that no matter the impact a business may have on the supply chain, it is worth putting time, money and human resources into cybersecurity because companies that are outed as the weakest link will not get a second chance to do business.
“Those companies within that supply chain have to do their part because if someone within that supply chain was ever the source of any attack, the chances of getting future business, not only with that company but with others, could go down to zero.”
Canadian companies, in particular, need to put more effort into cybersecurity measures or get left behind by their U.S. counterparts, says Tony Bailetti, a professor at Carleton University’s Sprott School of Business and the department of systems and computer engineering.
“If you take a look at the Americans, they have hyped up their standards,” Dr. Bailetti says. “For a small company in Canada to be part of a supply chain that is United States-centric, they have to beef up a whole bunch; they have to upgrade their security clearance and their security readiness, for example. Crossing the border is not what it used to be.”
Employees who understand proper “cyberhygiene” and understand their role in the supply chain can also ease the risk of a compromised network, Dr. Bailetti says.
“The problem is not that we need more technology, the problem is that people don’t adopt things,” he says, explaining that all the security measures in the world won’t help if the people using the technology don’t exercise caution.
“Clearly, every employee is a vulnerability in that sense,” Dr. Bailetti says. “All you have to do is pick up a USB, put it in your computer, and you can bring down your entire system.”
To manage the online habits of every employee, at every vendor, along all the points in the supply chain is impossible. But these companies should at least try, for their sake and those they supply with goods and services, Dr. Bailetti says.
“I think that this is something that is going to be with us as long as we use the Internet,” he says. “This is going to be with us forever.”

Includes commentary from: Ray Boisvert