Did you know that in the post-COVID world, there is an accelerated and necessary adoption of digital technologies throughout the industrial world in the quest of operational advantage and excellence?

The Hackett Group reports that adoption of supply chain network design and optimization tools, are expected to grow from 63% to 81% in the next two years.

This means that in Supply Change management and execution, there will be:

  • increased reliance on automated systems,
  • reduced available staff with expertise on board,
  • digital transactions between suppliers, manufacturers, shippers, and customers; and,
  • significant risks to the viability of the enterprise in the event of cyber-attack.

There is a reasonable assumption that leadership is aware that there is conventional cyber-risk as portrayed in the media resulting in harm through ransomware and data theft. They may already be taking steps to manage this risk within their own I.T. organization using firewalls and virus detection. This awareness may not extend to their own business viability when there is total reliance on technology that is essential to business conduct.

Picture, if you will, when a supplier has been compromised by a cyber-threat event such that they are unable to either deliver promised goods to meet critical customer demand or may have even failed completely and another source needs to be engaged. Conversely, a key customer capital project has been halted by similar upset and there is a significant inventory of either material or work in stages of assembly that does not have a destination.

Let’s look at the practices currently employed to manage risk in Supply Chain.

  • Safety Stock
  • Demand Forecasting
  • Multiple Sourcing
  • Consignment
  • Contracting
  • Outsourcing
  • B2B
  • Account Management
  • Market Intelligence

With the practices understood by anyone in Supply Chain, let’s look at layering the risks of a data compromise event or ransomware over these processes. It’s important to understand that a firewall, or virus protection only mitigate the most basic risk. The real weakness is human behavior in the performance of others and the potential negligence of business partners.

Let’s look at the two basic scenarios. Assuming that your organization is NOT the one who has been hacked. Yet.

Case 1 – Supplier Failure

One of your premiere suppliers has been hacked. Access to their system is denied to them and they are totally unable to generate a shipping document, let alone see that they have an order from you to fulfill. And even if they do, they may not even be able to locate the goods in their own warehouse.

  • For existing suppliers, determine their stance on cybersecurity and take steps to mitigate risk.
    • If there is no credible evidence of a policy, protect your own availability of secure supply of vital goods.
    • If potential damage is to vital supply and even if there is evidence of policy, recommend to the supplier they obtain expert review at their cost, or even at shared cost.
    • Failing this, seek an alternate emergency source.
  • For potential new suppliers, take steps to vet their security posture.
    • If an RFP process is used, ensure the presence of a cybersecurity readiness and preparedness evaluation criteria on the qualification checklist.
    • Ensure the presence of appropriate liability protection clauses in the contract.
    • Add an annual or at renewal cybersecurity review clause to the contract.

If you are linked B2B in any manner, you may want to check your own fort to ensure contagion hasn’t spread.

Case 2 – Customer Failure

One of your star customers has been hacked. Due to the system outage, they have no idea about what is scheduled to be received. You will not be paid by them any time soon, and if catastrophic, ever. Any in-flight capital and construction projects, including plant maintenance is on hold. For an unknown duration. There will be no new orders for some time.

There are still some actions a company can take to mitigate the consequence of customer failure.

  • As part of the role of Account Management, seek to be informed of the customer’s care and attention to cybersecurity policies and practices
  • Carefully monitor the quantity of high-value goods on hand, especially if they are specific to this one client.
  • Manage the efficient rotation of goods with limited shelf-life.
  • Maintain a good communication line with goods destined for construction and capital projects to ensure that a change in project progress matches order lead times.
    • Manage payable collection time and magnitude of outstanding, especially for customers at potential risk.
    • Monitor any change in customer credit rating.

If you are linked B2B in any manner, you may want to check your own fort to ensure contagion hasn’t spread.

What is evident is that the obligation to action cyber-security is not solely an I.T. matter. I.T. is tasked with providing computer cycles, data storage, connectivity. Even if technical cyber-security is 100% addressed by I.T., the business processes just described and the action that needs to be taken to protect the organization and its stakeholders far exceed the mandate and yes, the capability of the average CIO or CTO.

Assessing the cybersecurity practices of both suppliers and customers is now mission critical. There is no liability insurance adequate to cover the upset, even if the underwriter or insurer would pay out.

Also, for most Supply Chain leaders, getting the lowest price and managing inventory at the lowest carrying cost is business as usual. When one adds mitigating risk of business impact from outside the organization is now an issue of TCO, or Total Cost of Ownership. And when one considers the cost and consequence of inaction, cheap is decidedly not the least expensive.

Your I.T. and your Supply Chain staff can neither define nor execute a multi-disciplinary program that will mitigate your exposure to such a vital and fundamental function in your company.

George Rafael

COO

SecuSolutions Ltd