Vendor relationships are critical to an organization's supply chain both upstream and downstream, but how can an astute executive management team understand how their partners are equipped to protect their proprietary economic knowledge?
A fundamental tenet of the new supply chain is that information is as highly valued as raw materials or finished goods across an organization's network. At each vendor's junction point to a company, its affiliates, subsidiaries and team of business connections, there are considerable openings for critical data flows to be accessed by cyber criminals.
Because of the increasingly complex and fluid nature of supply chain dynamics, there is an ever-greater emphasis on pinpointing how information is transmitted, who is handling it, and to what extent this dissemination can affect a company's cybersecurity protection protocols. In the Home Depot breach, for example, the access point for the 56 million debit and credit card accounts and 53 million customer email addresses harvested by cyber thieves was a third-party vendor's user name and password.
The idea of labeling suppliers in logistics, operations, marketing and sales as “villainous” may at first glance seem hyperbole, given that vendors are usually trusted partners who are fundamental pieces of a company's organic growth proposition. The characterization of these suppliers as “villainous” indicates that they may be adversely impacting a firm through actions that expose the commodity of information through clumsy, inefficient, or obsolete safeguards.
Here are five key statements and questions to consider about your vendors and supply chain; each may serve as a red flag.
- As an executive management team, can you identify how many distinct and moving parts make up the supply chain? If there are gaps and inconsistencies in identifying who the cogs of the supply chain are, there is reason for concern and to immediately identify the missing components.
- Are self-reported audits from suppliers ingrained in an organization's process? This could be obscuring critical security lapses that put a company's knowledge infrastructure at risk. Move quickly to incorporate outside auditors in evaluating supply chain vendors.
- Have corporate partners been directly (or indirectly) impacted by data breaches in the past? If so, there is substantive reason to look into their security actions and the efforts undertaken to strengthen their measures. Continued reliance on a supplier that has been victimized in a cyber-event may expose an organization to greater risk.
- While supply chains vary in their scope and diversity, any component of a supply chain which relies heavily on digital applications or technology integration is even more susceptible to breaches, malware and cyber corruptibility. The key lesson here is to pay particular attention to the technology channels through which sensitive information is transmitted.
- If an organization has no standardized security protocols or agreements in place within its vendor channels, there may be concern that lax security protocols are putting the company at undue risk. Interestingly, in 2014 only 44% of respondents utilized a process for evaluating third-party vendors, down from 54% in 2013, and only 41% of companies had a system for determining the cyber security awareness of the firms they choose to do business with, according to the 2014 U.S. State of Cybercrime Survey by PricewaterhouseCoopers. Every organization should equip and protect its business with a standard vendor assessment and contract system.
While the vendors of a supply chain are critical to a company's success and add value, they can also potentially open up a firm to intellectual property theft and widespread damage to brand reputation, financial success and long-term organizational growth. Firms that take these five straightforward steps can better navigate the evolving maze of information and supply chain security methodologies, while strengthening their protection against cyber-attacks.