There are many facets to supply chain risk and major disruptions, and an ever-growing facet is that of a cyberattack disrupting supply chain operations, compromising data and risking harm to the business. There have been acute reminders already this year, the latest coming last week, when a new version ransomware attack spread from Europe across multiple countries, and disrupted the globe’s largest ocean container shipping operator.
Many analysts and bloggers have reminded their respective functional readers of their responsibilities in either protecting the business from the threat of cyberattacks and in insuring their teams know what to do when such an attack occurs. Supply Chain Matters adds its voice as-well.
The obvious takeaway for readers is that the frequency and sheer scale of cyberattacks are on the increase, and with that is a realization that there will be many more to come. Cybersecurity has become a multi-billion-dollar problem and concern that spans from the boardroom and C-Suite across many lines-of-businesses.
The skill levels of the attackers continue to be more sophisticated, taking advantage or all system vulnerabilities. Experts now believe that last week’s attack was yet another test of a new method, that being a piggyback of an automatic software updater for a specific business application.
Last week served yet another sobering reminder that some companies were not prepared, either in keeping systems and software updated with the latest patches or had not practiced various risk mitigation scenarios in terms of keeping business operations operational with protected back-up systems or in advising customers with timely updates as to what to expect.
Actions to Consider
Here are four specific actions that we at the Ferrari Consulting and Research Group advise supply chain leaders and practitioners to consider regarding cybersecurity:
Scope and Continually Understand Your Company’s Supply Chain Risks
Depending on the size of your company, there may well been many external systems risks prevalent in your company, or within your specific operational location. The reality is the supply chain teams have the most direct or intimate knowledge as to the many external information system touch points, which have increased with the expanded scope of globally-based operations. That includes outsourced product designers, externally based suppliers connected via EDI and B2B electronic business networks, contract manufacturing partners, services vendors, third-party logistics and customer fulfillment partners. Previous attacks have exploited such vulnerabilities, for example, hacking a services vendor web site to capture the system login credentials of a large and prominent customer. That was the profile of the massive credit-card hack that involved retailer Target several year’s back.
In last week’s incident, A.P. Moeller Maersk discovered that the attack spread across many of its linked operational systems, including its business subsidiary, APM Terminals, disrupting a reported 17 individual port operations including those of Rotterdam, New York- New Jersey, Los-Angeles-Oakland, and Mumbai. The virus spread so quickly that the company’s IT teams were forced to immediately shutdown all systems. Backup systems were not activated for fear that the virus would impact them as-well. Exporters and importers could not tender any loads, phones could not be answered, massive cranes and supporting tugboats had to be operated manually without systems support. Mobile-based phone calls, text messages and social-media were the back-up plan.
If industry supply chain management teams have not done so, it is an imperative that they actively collaborate with internal IT systems and business continuity teams to scope, understand and take actions related to the most vulnerable systems related risks and to identify various scenarios for responding to and mitigating a cyberattack or system vulnerability.
Factor the Age of Legacy Systems
A reality of many legacy operational systems is that of age, in some cases systems and applications that have existed for over ten years. This author once heard a stat that the average age of some manufacturing and logistics focused systems is something in the order of 15 years. That statistic implies many vulnerabilities- operating systems that long-ago, stopped being supported by automatic system updates and patches. Further, as we all know, lots of change and customization can occur in such time periods, making it rather challenging to debug or trace a virus attack. Global hackers are well aware of the vulnerabilities of such on-the-ground systems, some with login credentials that have never been updated. The adage that: “if it ain’t broke, don’t mess with it” no longer has credence and can be putting the entire business at-risk.
At the same time, ripping-out and replacing many of such legacy systems can often be very disruptive and costly. Now is the time to consider investing in more security aware Cloud based systems or infrastructure platforms that touch critical business process areas such as manufacturing and customer order processing and fulfillment. That bring up another point, insure that your Cloud services and infrastructure provider is certified in the latest data security standards including the encryption of critical data.
Determine Specific Roles and Responsibilities in Business Continuity Management
Firms most able to effectively respond to a cyberattack, or for that matter, any major business disruption, are those that have well-defined, multi-functional and multi-line-of-business continuity responsibilities and action plans. responsibility for risk response to those closest to the actual process being disrupted. Cyber security is not the sole responsibility of corporate security and IT teams, instead it involves broader involvement and accountability. Who has responsibility for actively working with suppliers, trading partners and/or key customers on cybersecurity awareness and action plans? Who are the primary contacts for IT teams to know when considering the shutdown of a specific supply chain related mission critical system.
Such plans should include at a minimum, executives with specific responsibilities, designated response teams, emergency communications procedures including back-up processes when email, corporate phone or other prime communication systems are disrupted. One of the more important tenets of such plans is prioritization of tasks based on the assessment or perceived severity of the disruption, and of the protection of people, processes, and mission critical systems during the disruption.
A further consideration is assigning responsibilities to teams closest to the penetration to take to protect data and information from further compromise.
A business continuity plan that has too much dependence on corporate hierarchy decision-making can at-times risk the ability to have a timely response. The good news is that many businesses that have developed effective business continuity plans have been willing to share important watch-outs and learning.
Active Training, Questioning and Inquisitiveness
Partner with business continuity, internal and external supply chain teams to offer timely training and/or webinars on responding to cyberattacks as well as information security and awareness. Encourage questioning and inquisitiveness as to prior history of cyberattacks, which systems seem to be the most involved, what to look out for in unusual or suspicious activity, and who to call if something indeed looks suspicious.
Rather than a response of: “I’m too busy”, encourage a climate where information security is everyone’s concern, and better to make aware than to ignore.
Information and data security is an especially critical consideration for industry supply chain teams, one that demands added attention and actions in the weeks and months ahead.
© Copyright 2017. The Ferrari Consulting and Research Group and the Supply Chain Matters® blog. All rights reserved.