Proposal

Mhaliek Ferguson

WLC Entrepreneurship

October 12, 2023

The problem we are aiming to address is supply-chain cyber-attacks against businesses and corporations. In a supply-chain attack, hackers insert malicious code into software or find ways to compromise network protocols or components. These attacks are usually aimed at third-party vendors.

A successful breach could mean the potential compromise of many people’s private data. The number of people impacted by supply-chain attacks increased by 41.5% from 2021 to 2022, with 422.1 million people being affected (1). Sources have shown that just over 1 in every 10 businesses review the potential risks with immediate suppliers. Reviews showed that companies do not go over the risks because they lack time and money, are unable to get the required information from suppliers, are unsure what to check for, do not consider it a priority, do not have the proper skill set to inform their suppliers, or are unsure which suppliers to check (3).

Our approach to the problem is to provide audits, cyber protection implementation (CPI), and cyber risk seminars. One portion of the team, the auditors, would do end-to-end checks for both the supplier and the buyer. Doing so will eliminate the chances of the systems' integrity being compromised during their transactions. And since the supplier will be harder to target, malicious hackers will be less likely to go after a company with very few vulnerabilities. After the checks for both the buyer and supplier, those in charge of CPI would confer with the auditors to see where potential vulnerabilities in the supply chain could lie and would be tasked with working with their technician team to make sure protections are properly added to their systems. Finally, we will hold a cyber risk seminar with both the supplier and buyer. This will ensure both parties are aware of the potential risks that come with their transactions and know how to check their systems to reduce the risk of being targeted.

There are a few barriers that we expect to come up before, during, and after our intervention. The barrier we expect beforehand is the buyer or supplier being potentially uncooperative when it comes to performing system audits. Since there are many penalties that come with failing an audit, companies may be apprehensive about showing their systems to an outside team. Our response would be to inform them that the cost of not knowing where the potential vulnerabilities in their supply chain lie could far outweigh the cost of us knowing their system, since one vulnerability could lead to the compromise and loss of private data, information, and their system integrity. Another barrier, during the process, is finding a very large flaw in their supply chain. If the vulnerability is great enough, it could mean that their supply chain is being or has already been compromised, and a complete rework may be necessary. The third barrier we expect is that the same businesses are unable to understand what needs to be worked on. If very few people in the business know what to do and what not to do, it could very well lead to the same business requiring our services again very soon after they were completed.

Our measure of success depends on how well the company does after our intervention and whether other companies will hire us. If there are no (further) supply-chain attacks on the company after our services are provided, that means we were successful at completing all the necessary work. That success will garner reviews and reputation, making more companies willing to offer our team a contract.

Sources: