How to build secure supply chains: 3 key steps
Supply chains must adopt an approach that addresses the challenge holistically, and is agile enough to respond to an ever-changing threat landscape, says Godfrey Kutumela, Head: Security Division, IndigoCube.
In 2013, US retailer Target's systems were breached, and data relating to 110 million customers and 40 million payment cards was stolen. Investigators established that the hackers used the systems of a vendor to make the initial breach. Similarly, Home Depot claimed that the theft of credit card details from its systems in 2014 was facilitated through credentials stolen from a third-party vendor.
The adage that a chain is only as strong as its weakest link has never been truer in these days of long, complex and collaborative supply chains, says Godfrey Kutumela, Head: Security Division, IndigoCube. IT has become integral to every aspect of the supply chain, providing great opportunities for collaboration and enhancing efficiencies, but also creating new vulnerabilities.
The emergence of the Internet of things will see more and more objects becoming smart, and will increase the industry's dependence on IT and telecommunications networks.
However, digital, connected supply chains are now the target of the hackers who are disrupting business across the world. The incidence of cyber crime is rising dramatically. A recent survey by Cisco found that companies globally feel increasingly vulnerable to cyber attacks, and less confident in the security measures they have in place. Another important finding: small to medium-sized businesses have emerged as a potential weak link, spending less on Web security than in previous years.
The solution is not to build stronger firewalls, as one might think. Even the Great Wall of China was breached - and, besides, firewalls inhibit the kind of seamless interaction on which collaborative supply chains depend. The better approach is for supply chains to adopt an approach that addresses the challenge holistically, and is agile enough to respond to an ever-changing threat landscape. The key here is to address security in terms not just of technology but also in terms of people and processes.
This approach is critical because it allows supply chain companies to look at their risks properly. For example, how well are your truck drivers or warehouse clerks trained in security now that they are connected to your systems?
But, as noted above, because supply chains are connected, it's not enough to firm up your own security processes. The solution lies in adopting an industry-wide approach, rather like the payment industry has done with the stringent PCI (payment card industry) data security standard, which sets standards for everybody involved in that particular value chain.
Such an initiative in the supply chain industry would have to include the following three steps:
1. Define the ecosystem. Companies need to define who their partners are in the supply chain, and categorise them by importance. Companies with many small partners - think how many companies supply a big retail chain, for example - are particularly vulnerable to third-party breaches.
2. Identify the primary contacts within each partner company as well as their location - and make sure everybody in your company has this information. In this way, an enquiry from Hong Kong on behalf of a genuine partner who is actually located in Buenos Aires can be easily identified as a fake.
3. Establish controls and guidelines for each business partner/category of business partner. In this document, spell out the nature of the engagement between the two companies. This would include, for example, how payments are made, what information is exchanged and so on.
Greater collaboration and thus greater openness are facts of business - and supply chain - life. Solve the challenges in order to realise the opportunities.
The Cisco 2016 Annual Security Report is available at http://www.cisco.com/c/m/en_us/offers/sc04/2016-annual-security-report/index.html.