Thomas Industrial Marketing & Manufacturing Blog

Cybersecurity In Today's Interconnected Supply Chain: Don't Build An Apartment. Build A House.

Written by Michael Ebbing | August 25, 2017

Take a moment to consider all of the components of your organization’s supply chain. Commonly, quite a few capital assets come to mind: raw materials, machinery, warehousing, logistics, distribution centers, brick and mortar sites, office locations, point of sales, and so much more.

Whether it’s keeping employees connected to one another, interacting with customers, or generally exchanging data from one system to another, interconnectivity is a crucial, but risky, component of supply chain management.

And, in a world where millions of cyberattacks happen each day, companies can no longer afford to approach cybersecurity with an “if this happens” mindset; rather, they must establish the proper structure and protocol for when it does.

So, what exactly is cybersecurity? According to Techtarget.com, “Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage, or unauthorized access.”

While some security is better than none at all, many companies make the mistake of only protecting the perimeter. Picture an apartment, with the kitchen, bathroom, bedroom, closet, etc. all in one room, all of which are secured only by a lock on the front door. When an intruder breaks through the sole lock on the door, they gain access to it all.

When it comes to effectively securing your organization from cybersecurity threats, don’t be the architect of an apartment; build a multi-layered house. Meaning, have separate rooms each equipped with their own locks, create stairs to slow an intruder’s pace, install windows (no pun intended) and other doors so they can be quickly tossed out. You get the idea.

Building this house, however, requires a solid foundation, which in the case of cybersecurity, is a blend of vendor and risk management protocol. Local area networks are a thing of the far past and wide area networks connect all the pieces of the supply chain.

Take into consideration the infamous cloud. As defined by Gartner, cloud security addresses the processes and mechanisms used to control access and usage of cloud-based systems. The key areas are in:

  • Provider control (multitenancy risk)
  • Workload protection (virtualization security)
  • Data protection (SaaS Control)

With that, companies are moving away from on-premises data warehousing to the cloud. Software-Defined Wide Area Networking (SD-WAN) is now overlaying typical legacy and Multi-Protocol Label Switching (MPLS) services, and it’s easy to forget about security. But, with new software vulnerabilities popping up each day, both keeping your immediate infrastructure secure and understanding the security measures of your vendors, and even their fourth parties, is key.

You should take a risk-oriented approach to cloud control: cloud exposure = volume * sensitivity, emphasizing highly sensitive information: email, CRM, ERP, data rooms, and board portals.

In addition to internal practices, understand what your third-party providers are doing in the way of security. For example, do they have network segmentation practices? Do they have fourth-party providers contributing to their services? How are they addressing cybersecurity? All things considered, public clouds are secure, but it is wise to develop a corporate cloud strategy with policies on cloud usage and control.

As for data, governance in the form of quality control and security must also be a top concern. Does your company have a well-structured data governance strategy – one that clearly defines what data is most critical/confidential and who is responsible for owning and maintaining your company’s data assets? In addition, is your company aware of and planning for governmental data regulation changes?

For example, the General Data Protection Regulation (GDPR) will be enforced beginning May 25, 2018. Policies and regulations in cybersecurity, particularly between the EU and USA, differ greatly. This is an attempt at a harmonized platform for various nations to build on. Through it, privacy and security will become board-level issues and the largest American companies will be forced to make them a priority. Companies that do not follow GDPR will be penalized with significant fines.

Last but not least, take ownership of your cybersecurity risks. According to SecurityScoreboard, an organization that provides risk awareness to businesses so they and their partners can predict and mitigate data security issues, the most common cause of data breaches against Fortune 500 enterprises has been successful attacks upon third-party service providers and partners.

It’s important to vet your potential threats through risk management and understand their risks as well as your own. Companies should all have IT security risk assessments available. Work with your vendors collaboratively to develop prevention plans but also establish a strategy for addressing an attack should it happen.

An argument can certainly be made that supply chain is evolving almost as rapidly as business itself. As consumer expectations elevate, corporations must respond. Flexible and lean supply chains are the catalysts that make it possible.

Although they can differ greatly across industries, companies and regions, they are the oil that keeps the engine running. It is the sole responsibility of each business to make cybersecurity a top priority.

End-user training and education make all the difference in the world when protecting your data and your employees. Along with it, procuring and managing your vendor base is equally, if not more, important when considering cybersecurity. Regulators for the GDPR will include the Federal Trade Commission in the United States and national-level bodies for countries in the EU.

Going forward, cybersecurity will be a global issue. Don’t make it easy for hackers to access your systems. Establish both the preventative protocol and procedures for addressing a hack when it happens. AKA: build that house.