There was a great deal of research into supply chain security issues this last year, likely due to the number of major attacks that originated with a supply chain member. Supply chain cyber-attacks come in all shapes and sizes. One of the most prolific and successful was committed in 2014 by the cyber-espionage group code-named ‘Dragonfly’. This supply-chain-initiated breach focused on attacking smaller supply chain members to get at larger pharmaceutical and energy suppliers in Europe and North America. Dragonfly infected industrial control system (ICS) software with Trojans, replacing legitimate code with their malicious code. The trojanized ICS software was then downloaded from the supplier’s own site, infecting the supplier’s enterprise customers. The software was downloaded around 250 times before being discovered! The costs are still rolling in, but estimates show the financial damage for gas and oil alone will be around $1.8 billion by 2018.
But it’s not just organized gangs of cybercriminals you need to be wary of. Insider threats are also a big issue for supply chain risk and security management. Small firms can’t afford large IT departments to investigate threats that are hard to uncover. PWC, in their report ‘2014 U.S. State of Cybercrime’, found that only 20% of smaller firms actually had any security function to check for insider threats. The rest just didn’t have the staff to handle the situation. We can see that the planets are aligned: supply chain members offer a perfect package for anyone attempting to steal data, intellectual property or financial details, or even to cause material damage to industrial processes. As PWC put it in the aforementioned report:
“Indeed, criminals have found that third-party partners may provide relatively easy access to confidential data. It’s an indirect path to criminal profit that is increasingly successful because most organizations make no effort to assess the cybersecurity practices of their partners and supply chains.” (PWC, ‘2014 U.S. State of Cybercrime’)
It is in light of this that we need to reconsider how we process bids from potential supply chain members.
With all of this evidence pointing to the security breach potential within the supply chain, why then do we have such difficulty working out supply chain risk when we are evaluating bids? One of the reasons is that evaluating bids takes time, and adding any extra variable into the mix would increase that time, not only in the bid process itself but potentially in the time to market too. IT projects are already under intense pressure. According to estimates by The Standish Group in the ‘Chaos Report’, only around 16% of projects ever come in on time and on budget. Any additional consideration, and security is a big one, will add even more risk to a project.
However, the current cybersecurity chaos has meant that the security of supply chain members has become a vital part of the procurement process. A KPMG study in 2015 across multiple sectors found that procurement managers are starting to listen, with 70% of them stating that they now look seriously at how a smaller organization can handle their clients’ data. 94% of the procurement managers said that cybersecurity was now an ‘important consideration’ in the procurement process.
However, one of the renowned bugbears of anyone handling a bid process is the involvement of outside parties such as a security audit. Security is an area that is notoriously complicated to assess, and assessing it takes time. Security departments and procurement are often thought of as being on opposing sides, with security seen as a hurdle to cross rather than an important voice in the bid process. The KPMG study demonstrates that this is changing, but the timing issue remains a challenge. The trick is how to square the circle: keeping the bid process moving while completing security due diligence. A balance needs to be struck, and simply not performing security assessments is a false economy that can result in stalled projects and issues such as:
A project that starts but has unknown security problems as no audit has been performed – the new supplier then poses potential security risks to the organization.
The bid process is completed without the security check and the work begins, but then security realizes that checks must be done before the project can proceed, and so the process goes back to square one, creating all-round confusion, time loss and financial impact.
It is worth considering having some sort of metric to evaluate the security practice and risk profile of a vendor, along with the other standard criteria, such as price and quality. Procurement after all is just a collation of considered risks – security needs to become an embedded consideration.
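As an added illustration of the point above (this is example code written for this article, not a metric from PWC, KPMG or any named organization), the following Python scores each bid on price, quality and a weighted set of security due-diligence criteria, and treats a minimum security score as a hard floor rather than something a low price can offset. The criteria names, weights, floor value and the three sample bids are all constructed assumptions; a real programme would substitute its own questionnaire or audit results.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed security due-diligence criteria and weights (assumption, not
# from the article). Each criterion is scored 0.0..1.0 by the security team.
SECURITY_CRITERIA: Dict[str, float] = {
    "independent_audit": 0.35,       # has a security audit actually been performed?
    "insider_threat_program": 0.25,  # any function that checks for insider threats?
    "client_data_handling": 0.25,    # how client data is stored, shared and destroyed
    "software_integrity": 0.15,      # signed/verified releases, so a trojanized
                                     # download would be detectable
}

# Weights for the three standard criteria, and the security floor below which a
# bid is ineligible regardless of its total. Both are constructed assumptions.
DEFAULT_WEIGHTS = {"price": 0.5, "quality": 0.3, "security": 0.2}
DEFAULT_SECURITY_FLOOR = 0.5


@dataclass
class Bid:
    vendor: str
    price: float                  # total bid price, any consistent currency
    quality: float                # 0.0..1.0 from the existing quality evaluation
    security: Dict[str, float]    # criterion name -> 0.0..1.0 from due diligence


def security_score(answers: Dict[str, float]) -> float:
    """Weighted security score. A criterion that was never assessed scores 0:
    'no audit performed' is treated as an unknown risk, not as a pass."""
    unknown = set(answers) - set(SECURITY_CRITERIA)
    if unknown:
        raise ValueError(f"unknown security criteria: {sorted(unknown)}")
    return sum(weight * float(answers.get(name, 0.0))
               for name, weight in SECURITY_CRITERIA.items())


def rank_bids(bids: List[Bid],
              weights: Dict[str, float] = DEFAULT_WEIGHTS,
              security_floor: float = DEFAULT_SECURITY_FLOOR
              ) -> List[Tuple[str, float, bool]]:
    """Return (vendor, total, eligible) sorted with eligible bids first, then by
    total score. Price is normalised so the cheapest bid scores 1.0 and dearer
    bids score cheapest/price; the security floor is applied after weighting so
    a cheap, insecure bid cannot outrank a secure one."""
    if not bids:
        return []
    cheapest = min(b.price for b in bids)
    results = []
    for b in bids:
        sec = security_score(b.security)
        total = (weights["price"] * (cheapest / b.price)
                 + weights["quality"] * b.quality
                 + weights["security"] * sec)
        results.append((b.vendor, round(total, 4), sec >= security_floor))
    return sorted(results, key=lambda r: (r[2], r[1]), reverse=True)


# Constructed sample bids: B is the cheapest and tops the raw weighted total,
# but has had no audit and fails the security floor.
SAMPLE_BIDS = [
    Bid("A", price=100, quality=0.9,
        security={"independent_audit": 1.0, "insider_threat_program": 1.0,
                  "client_data_handling": 0.8, "software_integrity": 1.0}),
    Bid("B", price=60, quality=0.9,
        security={"insider_threat_program": 0.2, "client_data_handling": 0.4}),
    Bid("C", price=90, quality=0.85,
        security={"independent_audit": 1.0, "insider_threat_program": 0.5,
                  "client_data_handling": 0.6, "software_integrity": 0.5}),
]

if __name__ == "__main__":
    for vendor, total, eligible in rank_bids(SAMPLE_BIDS):
        print(f"{vendor}: total={total:.4f} eligible={eligible}")
```

Run as-is, the ranking puts A first and C second, while B, despite the highest raw total, is flagged ineligible because its security score (0.15) is below the floor. That is the "embedded consideration" in practice: security is weighed like price and quality, but an unassessed or failing vendor cannot buy its way onto the shortlist.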
Placing security into the due diligence mix, in light of the serious nature of the burgeoning supply chain security risks, is plain common sense. Not doing security due diligence could add considerable risk to your organization that could end up costing a hefty amount if your supply chain is breached and your data and processes compromised.