Protecting Data in a Digital Supply Chain

Editor’s note: This is Part 5 of a five-part series exploring the critical role of data in a digital supply chain transformation.

You can read Part 1 by clicking on this link
You can read Part 2 by clicking on this link.
You can read Part 3 by clicking on this link.
You can read Part 4 by clicking on this link.
You can read Part 5 by clicking on this link.

In this five-part series we’ve shared ideas on the central role of data in the digital supply chain. However, along with the tremendous opportunities it provides, the digital supply chain creates new risks. Data protection and cybersecurity must now be essential parts of any supply chain risk management program.

As companies make the digital transformation – internally and throughout their supply chain - more critical data is being shared in far-reaching global supply chains. Competitive advantage is increasingly coming from confidential business data - trade secrets, process know-how, and proprietary algorithms. There is more collaboration and data integration between companies which makes data protection more complicated.

In addition, the explosion in consumer data and its utilization has driven a wave of regulations concerning how personally identifiable information (PII) is stored, processed, transferred, and used. From Europe’s General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA) and China’s new Personal Information Protection Law, regulations are sweeping the globe. Companies have responded by establishing data privacy programs for how they handle PII internally and with their supply chain partners.

Today, companies need to be concerned with protecting confidential business information and trade secrets and in meeting data privacy regulations. Cybersecurity attacks can be devastating to business continuity, as well as to data loss.

Every effective program needs to start with assessing the risks and prioritizing what data and systems are most critical to protect. In the case of data protection and cybersecurity, it is important to assess the risk through two lenses: data loss or compromise and business continuity. Evaluate the negative impact of trade secrets going public, or critical inventory and shipping data being altered. But also evaluate the negative impact of being unable to send or receive payments or purchase orders.

It’s hard enough to manage the data loss and business continuity risks internally. Now add thousands of suppliers, distributors, and customers to the data flow in a digital supply chain. You should never think about cybersecurity without considering third-party risk. And conversely, the companies in your supply chain, even small ones, should never think they’re safe because you “don’t have anything hackers would want.”

In today’s inter-connected digital world every organization of any size is a potential target. Hackers will try to go through you to get to another company and they will try to go through your customers or suppliers to get to you. The whole situation is made much more complicated because of the new hybrid (remote/office) workplace. Your employees may be rotating from home to office, using different devices and connections. Although you may feel you have the situation under control, what about your supply chain partners?

In the past 18 months, partially in direct response to the pandemic, hackers have systematically focused on supply chain cyber-attacks, often in the form of ransomware. There are several reasons to target companies in the supply chain of a major multi-national company. Many of the suppliers are small and medium-size companies with much less sophisticated cybersecurity controls. The supplier can be a gateway to the main target through their connected enterprise resource planning systems. Plus crippling the supplier can directly impact the business continuity of the multinational company.

The SolarWinds hack is a reminder that cybersecurity is a supply chain issue. SolarWinds was a gateway, not the ultimate target. But it’s not a new supply chain issue. The Target breach in 2014 was a widely publicized example of hackers using one company (an HVAC vendor) to get at their real target (Target).

These are both perfect examples of why supply chain cybersecurity is so critical. Hackers are systematically using supply chain companies as a gateway to access high-value targets.

Cross-functional coordination between supply chain, IT, cybersecurity, legal and compliance is critical to building a practical, sustainable program to protect data and reduce cyber risk. Two important points to keep in mind:

• One, you can’t build impenetrable walls around your company, because data needs to flow to the other companies in your supply chain.
• Two, human behavior is critical to data protection and cybersecurity.

For large companies, there are some basic steps you should immediately take with your supply chain partners to help them protect themselves and ultimately protect you. Most important, every company in your supply chain should have a designated, trained Cyber Leader. A person that is responsible for building a culture of cybersecurity by focusing on human behavior. They don’t need to be technology experts. They need to be able to communicate how important it is for the everyone to develop good cyber habits. They need to make sure that the company puts some simple policies in place around four core issues:

• Passphrases: use 15-character passphrases. It has been reported that some employees at SolarWinds were using “solarwinds123” as their password. Don’t make it easy for hackers to crack your passwords. Any 8-character password can be hacked in 3 minutes, but a 13-character password takes 5.2 million years using the same computing power.
• Multi-factor authentication: Use it any time it is offered. If it is not offered, consider switching to a software or service that does offer it.
• Phishing: Conduct re-fresher training for employees on how to spot a phishing email or text. The email may even look like it is coming from another person in their company or from your company. Reinforce the message to never open an attachment or link if at all suspicious. Tell employees to contact the sender through alternative channels to verify it is real.
• Devices: Encourage third parties to review what devices their employees are using to connect to their network or to your network. If they are using personal devices, make sure they follow the rules about passphrases and multi-factor authentication. Avoid the use of USBs and removable media to transfer documents.

It is urgent for all companies to extend their culture of cybersecurity to their supply chain partners. Push the companies in your supply chain to develop good cyber habits. It is critical to your company and every company you touch.

About the author: Craig Moss is Director of Data and Change Management for The Center for Global Enterprise’s Digital Supply Chain Institute (DSCI). To learn more, visit DSCI.