How to build secure supply chains: 3 key steps

Supply chains must adopt an approach that addresses the challenge holistically, and is agile enough to respond to an ever-changing threat landscape, says Godfrey Kutumela, Head: Security Division, IndigoCube.

Godfrey Kutumela, Head: Security Division, IndigoCube.

In 2013, US retailer Target's systems were breached, and data relating to 110 million customers and 40 million payment cards was stolen. Investigators established that the hackers used the systems of a vendor to make the initial breach. Similarly, Home Depot claimed that the theft of credit card details from its systems in 2014 was facilitated through credentials stolen from a third-party vendor.

The adage that a chain is only as strong as its weakest link has never been truer in these days of long, complex and collaborative supply chains, says Godfrey Kutumela, Head: Security Division, IndigoCube. IT has become integral to every aspect of the supply chain, providing great opportunities for collaboration and enhancing efficiencies, but also creating new vulnerabilities.

The emergence of the Internet of things will see more and more objects becoming smart, and will increase the industry's dependence on IT and telecommunications networks.

However, digital, connected supply chains are now the target of the hackers who are disrupting business across the world. The incidence of cyber crime is rising dramatically. A recent survey by Cisco found that companies globally feel increasingly vulnerable to cyber attacks, and less confident in the security measures they have in place. Another important finding: small to medium-sized businesses have emerged as a potential weak link, spending less on Web security than in previous years.[1]

The solution is not to build stronger firewalls, as one might think. Even the Great Wall of China was breached - and, besides, firewalls inhibit the kind of seamless interaction on which collaborative supply chains depend. The better approach is for supply chains to adopt an approach that addresses the challenge holistically, and is agile enough to respond to an ever-changing threat landscape. The key here is to address security in terms not just of technology but also in terms of people and processes.

This approach is critical because it allows supply chain companies to look at their risks properly. For example, how well are your truck drivers or warehouse clerks trained in security now that they are connected to your systems?

But, as noted above, because supply chains are connected, it's not enough to firm up your own security processes. The solution lies in adopting an industry-wide approach, rather like the payment industry has done with the stringent PCI (payment card industry) data security standard, which sets standards for everybody involved in that particular value chain.

Such an initiative in the supply chain industry would have to include the following three steps:

1. Define the ecosystem. Companies need to define who their partners are in the supply chain, and categorise them by importance. Companies with many small partners - think how many companies supply a big retail chain, for example - are particularly vulnerable to third-party breaches.
2. Identify the primary contacts within each partner company as well as their location - and make sure everybody in your company has this information. In this way, an enquiry from Hong Kong on behalf of a genuine partner who is actually located in Buenos Aires can be easily identified as a fake.
3. Establish controls and guidelines for each business partner/category of business partner. In this document, spell out the nature of the engagement between the two companies. This would include, for example, how payments are made, what information is exchanged and so on.

Greater collaboration and thus greater openness are facts of business - and supply chain - life. Solve the challenges in order to realise the opportunities.

[1] The Cisco 2016 Annual Security Report is available at



IndigoCube helps organisations to improve the quality of their software. It does this by enabling and improving the agility, productivity and security of the application life cycle. It specialises in agile transformations, business analysis, software testing and application security. The application of best practices and the development of requisite skills is core to all its solutions and it partners with some of the world's leading vendors. IndigoCube is ideally positioned to boost productivity and long-term return on investment in its focus areas.

Editorial contacts
Communikay: Karen Heydenrych, (+27) 83 302
IndigoCube: Godfrey Kutumela, (011) 759

Godfrey Kutumela, leader of the cyber crime and security division at IndigoCube.

Godfrey Kutumela has over 16 years' experience in security consulting and engineering, having conducted high-end security consulting engagements, and designed and delivered technical solutions on three continents. Driven by his passion for securing online and mobile applications in this new era of the Internet of things, he made a strategic move to join the newly formed IBM Security Systems Division in 2012. His role at IBM was as leader and evangelist of IBM's application security, security and threat intelligence portfolio for the Middle East and Africa market. Kutumela joined IndigoCube in June 2015 as the leader of the cyber crime and security division. His responsibilities include bringing application security integration practices to the local market and helping organisations protect their critical applications and generated data. He has also served as membership chair for the (ISC)² Gauteng Chapter since May 2015.
