Global supply chains are constantly exposed to risk, ranging from disruptions of continuity to various levels of operational destruction. Risks can include weather, significant cost variances, resource availability, legislative/tax changes, logistical disruption, power outages and health epidemics, and they usually occur without warning. Most supply chain management functions, even in the most advanced companies, are ill-equipped to address the wide range of risks they’re exposed to. Whether a company is a manufacturer of raw materials, a manufacturer of finished goods or a supplier of services, every aspect of an organization’s supply chain is exposed to increasing types and levels of risk.
One of the most serious supply chain risks – the “Cyber Attack” – can come from anywhere at any time, can be more destructive than some forms of natural disaster, and can lead to operational, financial and reputational damage that cannot be recovered or repaired. With every element of a company’s business processes – design requirements, orders, production schedules, invoicing, payment, intellectual property, etc. – traversing global electronic networks and residing in multiple databases, both internally and with third-party providers, the level of risk has increased dramatically. The migration of these processes to the internet is required to compete in today’s world economy. Commerce today (whether business-to-business or business-to-consumer) requires instant product/service search capabilities, ordering, tracking, invoicing and payment via the internet. While advancing commerce to a new level and opening global markets to everyone, easy global access to information also adds a type of risk that did not exist just a decade ago.
Some cyber attacks are meant simply to annoy and disturb the normal flow of business activity by overwhelming a company’s servers and networks to limit or impede customer access to websites. Other attacks are more destructive and copy, rearrange or destroy vital data.
Either type of attack is a risk that no company can afford. While most companies focus on their own internal cyber risks, few have any real-time assessment of the vulnerability of their supply chains.
All companies have a minimum of two levels (tiers) of suppliers – Tier One (directly contracted suppliers) and Tier Two (suppliers to the Tier One suppliers). Large companies do a fairly good job of assessing their risk exposure to Tier One suppliers during the initial assessment and contracting process. Usually, little if any review of Tier Two suppliers occurs at this stage. As a result of this front-end-loaded review process, the risk of a cyber attack can increase dramatically after the first few months of a contract term and can continue to increase over the life of the contract.
A number of additional factors also contribute to increased supply chain risk, including:
- The growing volume and severity of cyber attacks originating from individuals, organizations and government agencies
- Complacency and/or inability of both the purchasing company and the supplier(s) in monitoring and assessing real-time/current cyber risk
- Increasing sophistication of cyber attackers – some of whom are working on behalf of foreign governments
- Increasing boldness of cyber attackers due to inability to identify and prosecute
- Change in a company’s level of risk tolerance
While the risk of cyber attacks on your supply chain cannot be eliminated, you can significantly mitigate the risk by educating your suppliers and conducting stringent and frequent audits of suppliers at all levels. This oversight is essential as companies continue to outsource critical internal and customer-facing processes to third-party providers.
Specific steps that characterize this oversight include the following:
- Know what suppliers have what data
- Know where your data is physically stored
- Know the number and identities of system administrators at your suppliers who manage systems that contain your data
- Encrypt your data when transmitting
- Ensure that all software patches from relevant software providers are installed on your suppliers’ computers in a timely manner
- Verify that suppliers’ policies regarding systems access for both active and terminated employees (including user name and password changes/cancellations) are addressed/reviewed frequently with all employees
- Verify supplier policies regarding handheld devices and laptop security
- Verify supplier wireless network security procedures and monitoring capabilities
- Back up all critical data frequently
- Ensure that suppliers are maintaining all firewalls and anti-virus software at their latest releases
- Routinely review all access/permissions to “mission critical” files (semi-annually review business requirements for authorizations)
- Make sure you have a documented and tested disaster recovery and risk communications plan
If a cyber attack does occur within your supply chain, make sure your suppliers perform, at a minimum, the following:
- Take immediate steps to identify and isolate the source of the attack
- Immediately limit access to all data
- Notify you immediately of the nature and severity of the attack
- When appropriate, notify other potentially affected suppliers
- Make sure that the disaster recovery and risk communication plan is followed and actions implemented
- If appropriate, and with your prior written approval, notify the F.B.I. Cyber Crime Division
- Immediately validate that all firewall and anti-virus software is updated to the latest release
While you can’t guarantee that a cyber attack will not occur within your supply chain, a well-managed supply chain can make it more difficult for an attack to succeed. The actions outlined here can assist you in preparing to respond to such a risk when and if it occurs.