Think Tank
Why Cybersecurity Is a Supply-Chain Problem

May 20, 2013
Robert J. Bowman, SupplyChainBrain

The very nature of global supply chains demands that companies exchange sensitive information with multiple partners, some of them several tiers removed from the manufacturer. Their ability to protect data can be highly variable. Internet thieves and predators are looking to take advantage of the slightest weakness.

The Information Security Forum puts it best. "Sharing information with suppliers is essential," it says in a new report on "Securing the Supply Chain," "yet increases the risk of that information being compromised." It wouldn't be inaccurate to say that in the world of business, cybersecurity is first and foremost a supply-chain problem.

Many companies aren't fully aware of the scope and seriousness of the issue. They suffer from a "black hole" of undefined information risk, especially when it comes to the extended supply chain, says ISF chief executive officer Michael de Crespigny. "They understand and manage this risk internally," he adds, "but have difficulty identifying and managing [it] across their hundreds of thousands of suppliers."

In fact, some of the biggest and most complex supply chains have so many external partners that they are unable to assess the risk of doing business with each one.

They are paying a steep price for their ignorance. According to de Crespigny, 40 percent of the data-security breaches experienced by organizations arise from attacks on their suppliers. Criminals are increasingly realizing that "this is a channel they can attack."

Intellectual property - the very heart of many manufacturing operations - is a highly vulnerable area. The threat comes from both private offenders and governments, the latter of which might be seeking to protect domestic industries by undermining competition from outside their borders. Or they could be looking to establish dominance in global markets by stealing technology from foreign companies.

Sensitive data can take many forms. The most obvious is personal information about consumers, in the form of credit card numbers that can be easily converted to cash in "dark markets."

Other sources of potential leaks include the legal advisers called upon to help companies engaged in confidential negotiations about acquiring businesses or new customers. A criminal can quash a deal just by making it public, or alert competitors when a company is preparing to expand into new markets. Confidential customer lists can be lucrative sources of illicit income. Logistics details can clue a thief as to the future location of a valuable shipment. Leaked financial details can have a serious impact on one's stock price. (Banks, says de Crespigny, "are a huge target.") And information related to a company's dealings with government regulators or public entities can be highly destructive when disclosed.

What to do? The trick, says de Crespigny, lies in identifying which suppliers pose the greatest risk for data theft. Many companies focus only on the most obvious contracts, instead of the ones that are the most vulnerable.

A process and auditing standard such as ISO 27001 can help. It takes companies from basic risk assessment through policies for managing information, communications, human resources, physical sites, business continuity and compliance.

To de Crespigny, however, ISO 27001 is merely "a baseline requirement." He says companies need to define individualized controls for ensuring that information is being protected in the most sensitive areas, such as supplier relations.

ISF has developed a Supply Chain Information Risk Assurance Process (SCIRAP), designed to help companies assess tens of thousands of suppliers, with an eye toward identifying the riskiest contracts. Like any good internal review, it involves asking the right questions: Which products, components or raw materials are we outsourcing? To whom? What is the significance or sensitivity of those relationships? What's the potential fallout from a data-security breach? What's the track record with particular suppliers? What kind of processes and controls are in place? Are inspections being carried out on a regular basis? How frequently do we want to receive confirmation that our information is being protected?

With the riskiest relationships, additional information or tighter controls are often called for. A supplier might be asked to appoint an independent accounting firm to ensure that the controls specified by a given contract are firmly in place. Reports might be required annually or with even greater frequency. In cases where cloud computing is involved, companies might want more frequent assurances from suppliers, given the relative immaturity of that technology.

How a company deploys the SCIRAP depends on where it falls on the maturity scale, with respect to maintaining an effective risk-management program for data protection.

Beginners need to create a basic action plan which lays out the business case, while securing senior-management backing. According to ISF, they should be focusing on building "a coalition of support" across the organization, embracing vendors and other business partners. From there, they can proceed to secure the necessary resources and craft strong information-security policies.

For companies that are well aware of the problem, yet have too many suppliers to assess individually, the model can help to target contracts that pose the greatest risk, while grading relevant suppliers on their security arrangements.

Finally, organizations that know which contracts require the greatest level of care need to embed their data-security processes into the procurement and vendor-management lifecycle. In this way, information protection becomes a key issue at the outset of any acquisition or contract.

"The integration of existing processes is fundamental," says de Crespigny. "You need to work with existing procurement teams, not lay something on top from a distance."

Some of these actions will impose additional costs on suppliers, not to mention the original equipment manufacturer. But the alternative - failing to have in place a good security program - is far more expensive and damaging in the long run.

Perhaps the best outcome of a rigorous supplier-management program is that it places responsibility for data protection where it belongs - at critical points within the supply chain. "It's a big issue, but not just for security people," says de Crespigny. "Procurement people realize they need to get their act together."
