The Cyber Security of Supply Chains: Who’s the real risk, Man or Machine?
The digital transformation of the global supply chain has brought us mind-boggling innovations: complex big data storage, artificially intelligent beings, a connection of the physical and cloud, an emergence of predictive analytics, e-purchasing, e-sourcing, a transcendence of logistical efficiency and much more.
While we marvel at the technology that has been implemented into the day-to-day operations of supply chain professionals globally, we quickly lose sight of the potential supply chain risks tech adds to the equation.
In order to address tech-related supply chain risks, organizations must have strategies in place to actively and preemptively address cyber security in-and along the entire value chain.
Due to the complexity of globally functioning supply chains, pinpointing and avoiding cyber-related supply chain risks is nearly impossible. Furthermore, the cyber security of an organizations’ supply chain isn’t solely dependent on the prevention of machine-based system breaches, crashes or cyber attacks.
Equally volatile to infrastructure security is the potential for human error.
You and I; the bozos with their fingers on the trigger are typically to blame for unforeseen backfire.
And, as supply chains grow in complexity, so does the amount of hands in proximity to the technology that drives supply chain activities.
More technology, more data, more transactions, more users, more risk…
This post serves to highlight the risks associated with the digital transformation of supply chains globally. Addressing potential cyber security risks can serve as a first step to accepting the potential for risk and beginning to formulate a course of action for cyber risk-prevention.
Too many cooks in the kitchen
As stated in the, Best Practices in Cyber Supply Chain Risk Management Conference Materials, published by the National Institute of Standards and Technology (NIST),
“Cybersecurity is never just a technology problem, it’s a people, processes and knowledge problem.”
The more individuals involved in the process of digitally enhanced supply chain activities, the more that cyber-based system has opened itself up to potential for cyber security risks.
And, it’s not just the individuals in your internal supply chain management teams. It’s vendors, suppliers, manufacturers, delivery specialists, retailers, traders, and the list goes on. From c-suite executives to on-the-floor cashiers, the interconnectivity of supply chain technology involves many individuals from all over the world; bearing different backgrounds, different levels of technological ability, different competencies, and different aspirations.
The digital transformation of supply chain management has created a platform where silos are diminished, work flows are reciprocal, user trust is crucial, data is fragile, and the risks are greater than ever before.
Best put by the Information Security Forum, “Sharing information with suppliers is essential, yet increases the risk of that information being compromised” (Bowman 2013).
The evolution of information and the sharing of that information is the double edged-sword of technological implementations into the workflow of supply chain optimization.
What are the key risks?
Most of the key risks of supply chain cyber security stem from the concept discussed above. To loosely paraphrase the late Christopher Wallace: ‘Mo’ [people], mo’ problems’.
Because of the sensitivity of the data associated with the majority of supply chain operations, there is a heavy reliance on top-to-bottom collaboration/education of cyber secure practices. This is where many organizations fall flat; allowing third-party actors to drag down their organizational management of cyber security risks.
The Key Cyber Supply Chain Risks, as determined by NIST are:
· Third party service providers or vendors — from janitorial services to software engineering — with physical or virtual access to information systems, software code, or IP.
· Poor information security practices by lower-tier suppliers.
· Compromised software or hardware purchased from suppliers.
· Software security vulnerabilities in supply chain management or supplier systems.
· Counterfeit hardware or hardware with embedded malware.
· Third party data storage or data aggregators (NIST).
Again, these ‘key risks’ display, addressing cyber supply chain risks are equally dependent on addressing who is using the technological platforms as to the security of the technology itself.
How can we stay safe?
In a recent article by Digtial Guardian, interviews of 23 information security experts were compiled to provide their tips and suggestions for avoiding cyber supply chain risks across business, suppliers and third parties.
3 themes quickly emerged from the professional’s tips:
· Compliance and Governance of suppliers, vendors, third-party actors, partners, traders, manufacturers and contractors. Christopher Roach, the managing Director and National IT Practice Leader at CBIZ suggests to continuously assess risks of actors involved in the sharing of cyber-based information, hold all parties to a clear standard level and prepare incident response plans accordingly (digitalgaurdian 2017). Developing security levels is highly dependent on building foundations of trust and transparency. This is developed by collaboration, training and the acceptance of the compliance hierarchy- involving actions such as, supplier auditing and supplier evaluation.
· Presence of Robust IT security solutions internally is a method of “establishing clear and limited access guidelines for supply chain vendors are a company’s greatest defense against cyber attack. Ensuring these defense mechanisms are in place and continually monitored is critical to the protection of both business and vendor data and continued productivity.” As best put by Daniel Cohn (digitalgaurdian 2017).
· Certification of International Standards is probably one of the often-overlooked elements of ensuring cyber security in business operations. Achieving and bearing certifications of ISO standards such as ISO 27001 represents a level of competency, and provides a point-of-reference for the proper handling of information security. ISO certifications and standards are, however, guidelines for conducting management systems. Adoption of ISO standards must be treated with a level of relevancy, flexibility and agility.
The cyber security of supply chains is a discussion we’re just beginning to scratch the surface of here at Kodiak Community, and it’s something our SaaS focuses on optimizing in our software and education of clients. Tech continues to infiltrate the daily actions of supply chain management teams globally, and the complexities of production networks continue to grow larger.
If there’s anything you take from this weeks discussion, is that I implore you to ask yourself this question when addressing the cyber security risks of your organization’s supply chain is: Where do you need to address cyber security risk; the man or the machine?
Until next week.
This publication is brought to you by author Sam Jenks, but also on part by Kodiak Rating — A Supplier Relationship Management SaaS functioning out of Stockholm, Sweden. Kodiak Community intends to challenge traditional business practices with innovative thinking and creation.
