Security Threats to Supply Chains: 5 Forces which can change the Game
As any Chief Supply Officer would know, taking care of one's own business is not enough. A chain of suppliers keeps your supply replenished, so the links need to remain in place, on a virtual or physical plane. This is doubly applicable in an era of quick change and high stress.
According to Ryan Brewer, CISO of the Medicaid Services and Centers for Medicare, there is a constant threat in an environment that changes like quicksilver, and the situations are just as unpredictable.
Three years ago, piracy on the supply chain was minor or unheard of, and no one guessed it would become such a big thing. Sometimes the threat was natural disasters, at other times terrorism; presently it is malware. This article discusses the five threats perceived by CSOs which may spell disaster for supply chains.
Threat 1: The Events dubbed as ‘Black Swan’
As defined in Nassim Nicholas Taleb's 2007 book of the same name, 'Black Swan' events are hard-hitting and unpredictable. Black swan events are not necessarily unfavourable and can offer huge opportunities, yet CSOs are only being pragmatic in feeling concerned about them.
From the supply chain perspective, black swan events can cover anything from a terrorist attack to a natural disaster to a pandemic. The problem is that while you prepare for one, other fronts to deal with may crop up. Avian flu is an example. When CSOs were warned of an avian flu pandemic, they braced for the worst, as it would put the world supply chain at risk. An outbreak in China would bring global trade to a grinding halt. Their plans focused on the storage and transport of materials in various locations across the globe.
The beginning of this year saw the outbreak of H1N1 flu in Mexico, which spread across the expanse of the South Pacific to Australia. Adam Sager, Senior Manager of Business Continuity Consulting at Control Risks of Washington D.C., realized that companies needed to redesign their plans, as they were based on compromised plans. This was the warning bell for many businesses. Companies realized that they needed contingency plans, and they now conduct risk studies on how these events would affect them. If an event could affect the global market, then action needs to be taken before the tide reaches their shores, said Sager.
He adds that, whenever and wherever a situation strikes, you need to be able to assess it by studying and assimilating first-hand information from the country concerned. There has to be two-way communication between the managers and the locations where these events happen. Companies are discovering communication gaps, along with the strengths and weaknesses of their crisis management systems and operations.
Most companies had crisis management and security protocols in place, but the plan to implement them in daily operations was missing. Such a plan would help people in management positions understand important factors like resolving the issue, uptime and responsibility for the situation. This information was lacking in advance within the market, which stood out as a glaring mistake. The management of the company also needs to give local managers the power to take appropriate decisions quickly to nullify the damage, if any.
This plan should cover the supply chains, the specific scenarios and other vulnerabilities in the contingency plans. This reflects a modified mindset: the security department has to work in tandem with the financial and operational sides of the company. Covering all bases of the supply chain business in this way would include the location of different resources and alternative supply sources. Sager offers a situation simulation in which all decision makers and their executives go step by step through a possible disaster and develop strategies to deal with the situations that could arise in a given scenario.
Mark Siegel is the Commissioner of the ASIS International Global Standards Initiative, which leads the design of ISO standards for supply chain resilience. The institution is set to publish SPC.1, which sets out the resilience standards, to be available by the end of the year. According to Siegel, these standards are the answer to dealing with black swans. He said further that companies have to develop good plans within their limited resources. Developing these plans will also give companies a comprehensive idea of any other possible risks and a complete picture of the possible scenario. For example, a plan to prevent terrorism may help not only against terrorism but also against earthquakes and other such disasters.
According to Siegel, companies should build a holistic approach to supply chain problems and not lose the larger perspective while dealing with the day-to-day problems, which tend to be different for different organizations; because of this, there is a lack of attention to detail when studying the risks involved. In summarizing the situation, one can miss the point of the entire exercise.
Threat 2: Malware Abound
The matter of protecting information from malware is uppermost in the CSO's mind. Although a seemingly mundane task, it is important and related to how the supply chain works. A company can be brought to its knees by an invasion of its information setup as completely as by an attack on its cargo line. Most CSOs confess to being worried about spam and phishing aimed at their employees. Besides botnets, there is also the possibility of a resurgence of denial-of-service attacks, the first of which appeared about a decade ago.
According to Ed Amoroso, the CISO of AT&T, the rapid and uninhibited advancement in technology is also the reason for the increase in the amount of malware. The root word is complexity, even when dealing with customers in the commercial market. Communication networks and computers have all become sophisticated. No one really knows where the beginning is and where the end lies, and troublemakers can take advantage of these loopholes. Amoroso referred to his reading and noted that more than 95% of the spam on the internet is botnet generated. No one knows how to stop it at any level, be it personal or organizational, or what level of security to apply.
Joonho Lee, the Vice President of the Federal Reserve Bank of New York and an officer serving on the National Incident Response Team, worries about DoS attacks too, just like Amoroso. DoS was initially about handling high volumes of traffic on a network. There are now so many different kinds of traffic that it not only floods the systems, but one also does not know how to block it.
Joonho Lee says that they have all the protection from DoS that money can buy, but if the barrage hits 40 gigabits per second then your network, or that of the service provider, is completely knocked off. The hackers are controlling myriad machines. The DoS threat does loom dark and tall.
Rena Mears, the Security Service partner for Deloitte and Touche, deemed that the supply chain of malware is maturing. Mears said that some years ago, people with a notoriously restless mind would create such software, but nowadays they are bent upon making money off phishing scams. The next step for these scams would be a jackpot equal to looting a bank. The picture becomes insidiously clear, and we now know that the felons and their activities are growing more sophisticated.
Mears said that, unlike the initial hit-and-run kind of malware, today's malware lies low and sustains itself, like its counterparts in nature. This is their constant income strategy. The malware exploits the organization just below the level of detection and then siphons off credit information, intellectual property and other such information.
But according to Lee, the network providers are well equipped to protect their clients against such new and hybrid malware. Amoroso of AT&T has also acknowledged that, even though it is a dire situation, they and their clients are protected against these DoS attacks. If thin clients are used, the attack will be more distributed and fewer parts will be attacked.
Threat 3: The Recession
It is well known that crime and economic growth are inversely proportional. One is not only physically threatened; one's information can also be misused, which has been the most pressing concern for the past year. CSOs are concerned that this threat is only going to grow. The good news is that the recession is expected to recede, but that may not be so for all. They only hope that people do not take desperate and illegal actions.
As the economy dips, people lose their jobs, and their health insurance too. Ray Biondo, the CSO of the Health Care Services, which runs the Blue Cross Shield plan for Illinois, is afraid that more and more layoffs are going to occur due to the economic downturn, but as of now the company has managed to avoid this. The next health care plan is also a cause of worry for Biondo. Besides that, unlike a few years ago, there is a threat from the inside to information, through leakage, and to physical wellbeing.
Biondo worries about physical threats from inside the organization. As people become more and more desperate about their economic situation, leakage of data becomes an issue. He believes he has taken all the precautions against any such eventuality; nevertheless, it is a threat. According to Chris Falkenberg, the personal security of executives is an issue too, as the number of kidnappings increases along with attacks on executives living abroad, especially individuals who may hold some worth on the internet. Falkenberg is the president of the security service called Insite Security. He also predicts an increase in the number of kidnappings in the United States, even though there isn't much corruption in the government to allow such crime to fester. He advises CSOs to hire expert help to deal with such internal threats.
The Federal Reserve Bank's Lee believes that malware threats and attacks from within the organization require clear and quick communication between the information security and physical security areas, including the legal groups of an organization. Lee says that, besides training, teamwork is required. Even when these groups talk to each other, the idea is to pass the buck and the responsibility to the next group. All the parties involved need to know their responsibilities and the steps involved in dealing with these threats. After all, they are jointly responsible for the company and its problems.
Threat 4: Explosive Growth in Data
Data is omnipresent nowadays, so it is difficult to keep track of it. Everyone is on the web, including the manufacturers, who deal in data, are data themselves, and are the makers and users of data. The way companies, their processes and their business allies have been woven together could not have been imagined 5 years ago. According to Mears, the norm of sharing data beyond the organization itself is nothing short of a risk.
The exchange of data between companies and their partners is massive. The data is dynamic; it is constantly updated and passed to and fro. This is a two-way conveyor on which data is built and replicated, and the norm of defending the perimeter is history in a time when no boundaries exist, said Mears.
The information and data are there, but executives are not aware of what they hold and who is supposed to protect it. Mears says it is very difficult to protect data if the people in the company do not know who they are sharing it with, who is supposed to handle it and who will be held responsible in case of a leak. This is a real situation which requires safeguarding the data. Data cannot simply be protected any more, as different pieces of data carry different price tags; you need to make sure you earn a dividend on the information you store, since it is an asset just like any other. An adequate value should be attached to the data stored as the asset called information.
Deloitte's advice to its clients is to stay focused on keeping their information secure. The globe has replicated itself on the internet, and all information can be accessed from anywhere on the globe. The core intellectual property of any company can be compromised, but the daily communication and other jetsam cannot be protected or controlled. The security question is becoming a topic of discussion in senior executive lounges and board meetings, in a bid to improve security and make the fortress impregnable again, as explained by Mears.
Threat 5: Rules, Regulations and Restrictions
September 11th 2001 and the enactment of the Sarbanes-Oxley Act in 2002 initiated the application of regulation in all industries. This is mainly true for the agro-based food and beverages industry, which is required to be free of contamination and adulteration. The H.R. 2749 Food Safety Enhancement Act of 2009 was just passed too. Companies like Walmart made news by upholding the act and putting the interest of customers above all else, asking suppliers to comply with the Global Food Safety Initiative Standards. These standards are held above all and are traceable through the supply chain.
Shanks, the National Managing Director of Aon Risk Services, the risk advisory division of Aon Corp, says most companies that process food are not up to the traceability levels prescribed by the regulations. The norm of traceability requires a clearly visible supply chain, which is not always possible. There have been food contamination incidents with listeria in deli slicers and salmonella in peanut butter. Visibility allows one to trace a food event to its origin. Aon has offered a visibility service to producers and food processors to make the Act a success.
Consumers are becoming demanding and want visibility into the origins of their food, and this is changing supply chains and the food and beverage industry. There have been labels of origin on seafood and other produce for quite a few years now. The present trend of eating locally grown food is gaining momentum due to the belief among consumers that locally grown food is less contaminated. Supply chains are working towards soothing consumers' fears by shedding chains and going local.