Wednesday, October 2, 2013

SCM and Cybersecurity


This week we are going to discuss the role of Information Technology in modern Supply Chain Management. That is why I decided to devote today's blog post to a topic that is becoming one of the most popular trends in SCM IT discussions: cyber security within SCM processes.

With the development of new technologies (such as cloud computing) and Big Data analysis techniques, SCM becomes more and more powerful and flexible in terms of capabilities: larger networks are possible, better and faster decisions are made, changes are implemented in a timely manner and so on. However, with the increase in usage and complexity of IT systems comes an increase in the risks associated with the information flows managed by these systems. Moreover, the common IT risks (the risks to confidentiality, integrity, availability, authenticity and non-repudiation of data) become a much bigger concern as an average supply chain network grows, because an organization shares its data with every member of the network. And those members all use different technologies to store and process the data! [1]

All in all, we can highlight three factors explaining why cyber security in SCM is becoming such a popular topic nowadays:
  • Increase in IT usage within SCM processes: higher usage - higher risk;
  • Adoption of new technologies in SCM: new technologies - new threats;
  • Increase in the size of the supply chain network (SCN): more entities have access to the data, so the risk from the factors above is multiplied by the number of SCN members, plus the added threat of an untrustworthy supplier.

And here is the main question: how should companies deal with the cyber security challenges arising within their SCM processes due to the reasons above? Even if a particular company has strong cyber security technologies and policies, it can barely influence those of the suppliers that receive its valuable data. Usually, contracts and non-disclosure agreements are signed in order to get some guarantee of data safety. However, these contracts are often just paper and do not affect the real IT security infrastructure of the counterparty. And this is how leaks of a company's data often happen: "... 40 percent of the data-security breaches experienced by organizations arise from attacks on their suppliers. Criminals are increasingly realizing that 'this is a channel they can attack.'" [3]

Of course, it is not possible to fully eliminate the risk of cyber threats in a broad SCN, but it is possible to decrease it significantly. The main idea of this risk management process lies in a careful risk assessment of the IT systems used within the company, of the data channels and of the counterparties (for example, based on the ISO 27001 standard). Here is what one of the articles I studied while writing this post suggests:
  • "Uniquely identify supply chain elements, processes and actors. Without knowing who and what are in the supply chain, it is impossible to determine what happened, mitigate the incident, and prevent it from happening again.
  • Limit access and exposure within the supply chain. It is critical to limit access to only what is necessary to perform a job and to monitor that access.
  • Create and maintain the provenance of elements, processes, tools and data. Acquirers, integrators, and suppliers should maintain records of the origin of and changes to elements under their control to understand where they have been and who has access to them.
  • Share information within strict limits. Ensure that information gets to those who need it to perform their jobs, but that it is controlled according to policy.
  • Perform supply chain risk management awareness and training. A strong risk mitigation strategy cannot be put in place without training personnel on policy, procedures, and applicable management, operational, and technical controls and practices.
  • Use defensive design for systems, elements and processes. Defensive design techniques address contingencies in the technical, behavioral and organizational activities that could result in adverse events.
  • Perform continuous integrator review to ensure that defensive measures have been deployed." [4]

Above are only some of the possible actions. The main idea is to be very careful with new technologies and counterparties and to always pay attention to security issues.

The question I want to leave open in this blog post is whether cloud computing, which is associated with the future of SCM IT, will make cyber security concerns tougher for companies or, on the contrary, easier. On the one hand, cloud computing allows a company to store its data in specialized cloud storage designed to prevent data loss and to make suppliers' access to that data as secure as possible. On the other hand, cloud services are run by third parties, so a company hands all of its data to yet another counterparty, with no reliable information on how this counterparty operates. [2] I hope to have a discussion on this issue during the class.

References:

1. Baldwin H. (2013, April 30). "Supply chain 2013: Stop playing whack-a-mole with security threats". ComputerWorld.
http://www.computerworld.com/s/article/9238686/Supply_chain_2013_Stop_playing_whack_a_mole_with_security_threats?taxonomyId=17&pageNumber=3

2. Bowman R. (2013, August 05). "Are Cloud Applications a Cybersecurity Threat?". SupplyChainBrain.
http://www.supplychainbrain.com/content/blogs/think-tank/blog/article/are-cloud-applications-a-cybersecurity-threat/

3. Bowman R. (2013, May 20). "Why Cybersecurity Is a Supply-Chain Problem". SupplyChainBrain.
http://www.supplychainbrain.com/content/blogs/think-tank/blog/article/why-cybersecurity-is-a-supply-chain-problem/

4. Jackson W. (2012, May 16). "10 recommendations for securing the IT supply chain". GCN.
http://gcn.com/Articles/2012/05/16/NIST-supply-chain-security.aspx?Page=1