In the evolving supply chain, technology has allowed for more rapid and productive dissemination of critical information between organizational partners upstream and downstream. While this increased flexibility, scalability and efficiency of operations provides economies of scale and scope on the revenue and expense side for businesses, the tradeoff becomes a burgeoning access terminal for cybercriminals to poach critical intelligence flows.
Production and distribution in the supply chain now encompasses a firm’s value chain proposition as well. Inbound and outbound logistics, along with operations and marketing/sales and service, drive competitive advantage across stages and functions inherent to an effective supply chain – one that is now open-ended. But regardless of how many stages of a supply chain a firm may use, the connectivity to the firm’s value competencies is readily identifiable.
In this new system, the supply chain has access to pricing data, metrics, point-of-sale information, inventory control flows and enterprise system activity. As such, the supply chain becomes an organic network of connected parties exchanging proprietary intellectual property.
The result: the supply chain is at risk for cyberattacks at several points of contact, including manufacturers, suppliers, transporters, retailers, distributors and even customers.
A case in point is the Home Depot breach that exposed 56 million debit and credit card accounts last September and which also compromised 53 million customer email addresses. The most recent attack occurred as a result of hackers accessing the retailer’s systems via a third-party vendor’s username and password. Such breaches are becoming increasingly common as third- and fourth- party transactions provide entry points for accessing raw data, as well as intellectual property and proprietary content.
The takeaway: supply chain companies are only as strong as their weakest link.
Take a seemingly innocuous situation where an organization uses multiple distribution partners. A firm in one layer may use a pull ordering system while a second may use a push ordering system. These firms are connected through the logistics function, but may have completely different security protocols.
Cyberattackers will use these discrepancies to target data and exploit weakness over a deeper medium and for a longer period of time, resulting in data leakage, compromised credentials, malware and viruses, distributed denials of service and SQL injection.
Even more distressing is the fact that as more companies rely on supply chain management, hackers are imbedding malicious technology, which can take months or years for firms to recognize. While 91 percent of compromises were completed by hackers in hours or less, nearly two-thirds (62 percent) took months or years to discover, and more than half took months or more to contain, according to the 2013 Verizon Data Breach Report.
Reducing risk by identifying the supply chain’s pieces
Because risk exposure may already be ingrained in an organization’s infrastructure, a logical starting point for executive management should be to identify the exact composition of the supply chain. Understanding how a firm operates will help identify potential security issues.
Trends indicate that formal due diligence in vetting supply chain partners is considerably lacking. Only 44 percent have a process for evaluating third- party vendors, falling from 54 percent in 2013. Similarly, just 41 percent of companies have a process for assessing the cybersecurity of third-party industries with which they share data or networks before launching business operations, according to a 2014 cybercrime survey by PricewaterhouseCoopers.
Pro-active monitoring and auditing
Identification points the way; however, proactive risk management is critical.
Supply chain firms should begin with a gap assessment across the organizational chain ecosystem and identify ways to remediate potential threats. Security auditing and real-time monitoring are requisite steps for companies with several key measures. But such steps are lacking, with just 27 percent of firms conducting incident-response planning with supply chain partners.
Firms also should enlist a third-party expert to conduct the audit, or even better, a company that will perform an evaluation of the supply chain’s posture with ongoing monitoring. Additionally, a company should have a security framework (for example ISO 27001), along with an individual such as a CSO, CTO, CEO or data steward who is responsible for management, strategy and responsive action.
Examining vendor standards
Another area to examine is the standards of the vendors associated with the organization. Less than a third of respondents to the PricewaterhouseCoopers survey said they include security considerations in their contractual agreements. This is an issue, particularly when considering that an organization’s best efforts to protect their intellectual property may be thwarted by lax standards across the supply chain.
This brings up another issue: how to allocate resources. This is important, because the capacity to prevent, monitor and safeguard firms against cyber threats comes down to the economics of scarcity of resources.
A Pareto valuation model to identify threats
So how should firms use security dollars against ongoing cyber-externalities? Many options exist, including Key Performance Indicators. But here is an option, this time from an inventory angle: Many firms use an ABC Inventory Control System designed to partition data into manageable sets to monitor based on value or flow usage. An interesting concept is to develop a similar Pareto division model from a threat perspective, where resources are allocated based on valuation to the firm. This could be price, inventory, in-process manufacturing, flow, inventory carrying cost and other variables. In doing so, companies can categorize the relative importance of vendors in the chain as a function of overall benefit assessment.
As the supply chain expands globally and encompasses more data, the risk of cyberattacks will continue to grow. The fact that firms’ supply chains are now imbedded in their value chain necessitates the need for continued vigilance.
Supply chains are networks that move critical information, a benefit for adding value to customers, but also exposing organizations to substantive risk. Finding innovative ways to ensure consumer and corporate privacy through fraud detection and intellectual property protection is critical amidst increasingly complex supply chain designs.
View the original publication of this article online at SupplyChainBrain.