As a Board Director with your organization, a "Duty of Care" discussion could be a regular roundtable dialogue. The question is, how often does your Board of Directors dive head first into the analysis and architecture of your "Digital Supply Chain"?
The Enterprise Architecture of your Information Technology networks is a vast set of Third Party Suppliers.
They provide you with a set of Critical Infrastructure domains, such as the Power and Water Sectors to start, that seems obvious at the high level.
Yet when you begin to really understand the true suppliers to your entire IT supply chain, it is not just a simple equation. As you analyze the Cloud Provider(s), Internet Service Providers (ISP) and the total number of Third Party Software companies that make up your spectrum of InfoTech (IT) assets, the complexity rises.
The threat rises as you add the "Human Factors" of behavior and now the Operational Risks begin to soar. The potential for simple errors, or mistakes and unintentional events becomes exponential, at each interface of the "Digital Supply Chain," in each major process of the enterprise:
- Management
- Human Resources
- Legal Counsel
- Physical Security
- Information Technology
- Information Assurance
- Data Owners
- Software Engineers
In every company, every day, employees are hired, promoted, terminated, or resign. Each employee transition event can create legal risks if the related systems, applications and electronic data accessible to an employee are not properly managed to protect the company’s interests.
So what?
"A Pakistani man bribed AT&T call-center employees to install malware and unauthorized hardware as part of a scheme to fraudulently unlock cell phones, according to the US Department of Justice. Muhammad Fahd, 34, was extradited from Hong Kong to the US and is being detained pending trial.
The "Operational Risk Attack Surface" internally, externally and with trusted partners, has a vast set of insider ties and trusted relationships. This is why an organization this complex must begin the implementation of an Insider Threat Program (InTP), especially focused in the "Digital Supply Chain...
An indictment alleges that "Fahd recruited and paid AT&T insiders to use their computer credentials and access to disable AT&T's proprietary locking software that prevented ineligible phones from being removed from AT&T's network," a DOJ announcement yesterday said. "The scheme resulted in millions of phones being removed from AT&T service and/or payment plans, costing the company millions of dollars. Fahd allegedly paid the insiders hundreds of thousands of dollars—paying one co-conspirator $428,500 over the five-year scheme."
In all, AT&T insiders received more than $1 million in bribes from Fahd and his co-conspirators, who fraudulently unlocked more than 2 million cell phones, the government alleged. Three former AT&T customer service reps from a call center in Bothell, Washington, already pleaded guilty and agreed to pay the money back to AT&T."