As businesses continue to grow more geographically dispersed and are required to collaborate on an international scale with a multitude of value chain members in varied specialties, supply chain risk also grows. Despite the importance of managing risk, and despite the high stakes of flowing information and goods between supply chain members and systems throughout the world, the PwC and MIT Forum reports that 60 percent of companies pay only marginal attention to risk reduction processes in the supply chain.
But you know that in order to maintain efficient business processes, protect your company's assets, and provide an uninterrupted and enjoyable customer experience, you need to ensure your supply chain doesn't cause disruption. How can you reduce vulnerability and ensure service continuity — without hiring a risk manager?
The Fundamentals of Supply Chain Risk Management
Imagine you emailed an important product spec document to one of your manufacturers in another country. The recipient's network wasn't secure, and the plan was accessed and altered without the recipient's knowledge. Not only might your resulting product not be up to spec, causing significant financial loss, but, depending on the product, there is a risk of detriment to your consumer's health or safety. Avoiding such a disaster is a matter of treating everyone along your supply chain like an inside employee, which brings us to our first tip:
1. Be picky
"Much of the risk in your supply chain has to do with the security awareness or security strengths of its members' environments," says Twinstate's Chief Executive Officer Devi Momot. "The third party aspect is so important. You need to understand that people along the supply chain are insiders. Even if they're a subcomponent of the main assembly, they might have access to your product information. So you need to know how secure they are," Momot explains.
When it comes to your supply chain, it's understandable that you need to make decisions based on efficiency, spend and reliability. But part of reliability needs to include trust in your supply chain members' security. Momot encourages "nervous or vigilant protection of your intellectual property," because there are so many aspects of information sharing that represent risks to your business. So select your value network member's carefully.
You might want to vet members through a document that inquires about security practices and assessments. You'll need to set parameters to determine when a provider isn't adequate for your business needs (which include minimized risk). You may also want to provide your own audit of the member's security, a practice becoming more and more commonplace.
2. Know your points of entry and exit
In the same vein, you'll want to know all of your points of entry and exit for data. Remember that compromised email example? An email sent to that particular network is an exit point you should be aware of. Be comprehensive and thorough in your evaluation of each point of entry and exit, including everything from the front entrance to your building to that production line across the globe.
Ask how each member of your supply chain is protecting your interests or their own info that has your interests included in it, and evaluate how many points of entry or exit their presence in your supply chain represents. In addition, discuss how they will handle data or materials protecting when in possession of it (custodian protection).
3. Test and plan
To mitigate risk along your supply chain, you need to plan. And you can't plan unless you have a keen awareness of your assets. Do you have an itemized list of all of the machines on your network? Do you know where each of your assets is located? Have you done a penetration test? A vulnerability assessment?
You need to determine who you're dependent on (including within your business) to keep everything moving forward. If there are members of your supply chain who have never had a PT, it might be time to draw the line and ask them to establish their security hygiene. Finding the weak link now can help you prevent vulnerability later -- and it will help you plan. What’s the continuity of operation if you have an interruption in your business? Develop a plan for incident response and set your Recovery Time Objective (RTO) so you can measure your success. A quick response is critical to reducing impact.
4. Awareness Training
Nervous and vigilant protection extends to what you teach your own employees. Not only do you need to provide continual awareness training, but you'll also want to develop a list of questions to assess where your employees' knowledge of intellectual property protection stands. Every insider should be aware of your policies and of how to spot possible threats. Getting that mindset to take effect in your business can be a challenge, but regular education is a good path to instilling healthy fear and encouraging your employees to be aware.
5. Introspective evaluation
One of the more important aspects of mitigating supply chain risk is looking at your own business with great scrutiny. You need to dig deep to uncover all of the possible attack vectors that could represent risk, and in this case, we're not talking about using a penetration test to get there.
Thinking about the deeper aspects of what puts your business at risk, you may find that a culture of negativity or blame has formed without your awareness. You may find the opposite: that your culture of positivity and ethical behavior is thriving. But whatever you find, it's important to look, carefully and closely, at what's going on within your business.
6. Consider Expert as a Service model
Finally, your involvement in keeping your supply chain secure is vital. You'll need to lead from within, but you can't do everything. That's why it's important to consider using EaaS to address your business and process management concerns. A partner can provide information, ideas and direction, and often, do some of the heavy lifting of performing tests and helping you plan.
Your Supply Chain: Protected
With the right balance of detailed visibility and attention to the holistic view of your supply chain, you'll be better able to understand and begin to mitigate your risk. Consider the value of finding a partner, the long-term benefits of continued awareness training, and how important it is to be picky as you select manufacturers and providers, (even if that means it takes longer to kick off a process).
Not only will these tips help you reduce your risks, but also to develop better business processes, improve your customer's experience and of course, increase your security posture.
Originally published on 06/07/2016
Topic: Risk Management, Vulnerability, Business Continuity & Disaster Recovery