On Day 1 of the Institute for Supply Management’s 101st annual conference in Indianapolis, Indiana, Timothy Hall, President of AZORCA Cyber Security, LLC, gave an eye-opening presentation on the cyber security risks posed to supply management professionals today and what they must do to mitigate them.
For most supply management leaders, particularly Chief Procurement Officers, cyber/IT security is outside of their traditional job description. Many want to get involved but cannot because they lack the resources. Increasingly, supply management leaders no longer have a choice. According to Tim, approximately 70% of cyber attacks originate within an organization’s supply chain, forcing CPOs and other supply management leaders to take a more active role in avoiding or mitigating supply chain cyber risk [side note: over the past couple of years, Ardent Partners has seen the role of Chief Procurement Officers converging with Chief Information Officers and IT, particularly regarding IT security and risk management, a trend that is likely to continue]. Frankly, managing supply chain cyber risks is no longer someone else’s problem.
Like individuals, enterprises that suffer cyber attacks are all targets of opportunity, Tim said. They were vulnerable from the start and found themselves targeted by cyber criminals or by advanced persistent threats (APTs) backed by less-than-friendly nations, such as China, Russia, or North Korea.
Common Cyber Security Risks to Supply Chains
Cyber security risks to the supply chain come in various forms. Some of the most common include:
- CryptoLocker and other ransomware, which is the most widespread cyber risk to enterprises today. This malware does not only lock individual computers; it can also spread across networks and create a much bigger problem for enterprises.
- Stolen personally identifiable information (PII), which can be used to socially engineer users and gain access to accounts and enterprise systems. According to Tim, it is prudent to assume that almost all of our PII has already been stolen, because it has, and to be hyper-vigilant.
- Distributed Denial of Service (DDoS) attacks. These could come from competitors, as well as hostile countries like North Korea, which has perpetrated this kind of attack before (e.g., against Sony following the release of The Interview).
How Cyber Threats Infiltrate Organizations
Often, enterprises expose themselves to cyber and IT risk during the sourcing and supplier selection process when they fail to conduct proper due diligence on a prospective supplier and that supplier happens to be compromised. Other times, business units or users will insist that the buyer select a particular supplier, service, or part, either because they have already designed the product around it and it is now mission-critical, or because the supplier is the sole source of the commodity and there is no other option. One can envision other, more nefarious ways in which malware or a “bugged” component ends up in an enterprise’s supply chain. But, as Tim pointed out, enterprises usually expose themselves to risk simply by being careless and not following standard risk management protocols.
How Chief Procurement Officers Can Better Manage (or Prevent) Cyber Risk
One of the most insightful things that Tim said during his presentation was that organizations can add value when they stop viewing cyber risk management as “avoiding pain” and start viewing it as a competitive differentiator. [To his point, organizations have been doing this in recent years, particularly in the food retail industry, where many brands have seized upon “gluten free,” “GMO-free,” and “Organic” as competitive differentiators rather than financial or operational risks.] Enterprises can shift their perspective on cyber risk management by setting priorities – what they must do versus what they should do.
- They must achieve and maintain contract and regulatory compliance, especially for organizations in the aerospace & defense, healthcare, pharmaceutical, and public sector industries. For these organizations, achieving compliance is a baseline requirement – table stakes for doing business. Being minimally compliant merely means that there is more work to be done.
- They should establish clear cyber security risk management criteria for what the procurement organization needs to consider – for example, when they are asked to sole-source a product or service, when that product or service is rare, or little is known about the supplier. How do they assess risk and proceed? Collaborating with IT departments to understand cyber threats in greater detail is a good first step.
- They should also have a structured and targeted contracting approach to limit such instances and prevent backdoor cyber security risks from materializing. Again, IT can be of service here, as Chief Procurement Officers and their teams often do not know what to look for.
- They should also ensure that their sourcing and procurement behaviors are sustainable and resilient – that they can maintain continuity of operations without sourcing from a risky supplier. Sole-sourcing goods or services, or relying on one supplier without a backup, are risky behaviors, no matter what the need is.
Other steps that Chief Procurement Officers and supply management leaders can take to build out their cyber security risk management programs include:
- Training procurement staff and developing an organizational capability for recognizing, avoiding, and mitigating supply chain cyber security risk issues. This can be done by partnering with IT to develop best practices and to stay current on emerging threats.
- Reporting suspected cyber intrusions and coordinating responses to possible incidents. Procurement departments ought to have contingency plans in place when their supply chains have been compromised; and they cannot be afraid to report even suspected cyber incidents (e.g., intrusions, data losses, DDoS attacks, social engineering), as it is easier to manage incidents in the beginning and to prevent irreparable damage from being done.
- Covering supply chain cyber risks under the organization’s insurance policy. This protects the organization against losses caused by risky suppliers, as well as against civil action from customers in the event of a cyber incident. Of course, the best defense against risk is to avoid it in the first place. But there is also insurance, “just in case.”
Although managing supply risk has been a responsibility of Chief Procurement Officers and their teams for quite some time, supply chain cyber security risk is a new dimension that will only get deeper and more complex. Every day, new cyber criminals and threats emerge and converge on the public and private sectors alike. With as much as 70% of these threats entering the typical organization through its supply chain, procurement and supply chain leaders are as responsible for preventing and mitigating these risks as IT is. Together, they can partner to stem the tide of intrusions that seem to occur every week.