Is your supply chain safe from cyberattacks?

Technology has fundamentally transformed the way businesses transact commerce. Because of the Internet, mobile devices, applications, and cloud computing, companies and their suppliers can now share a large amount of data at the click of a button. Today, information about everything from order volumes and capacity status to activity-based management protocols and transportation metrics—to name just a few possibilities—is electronically transmitted between business partners.

These information flows and symbiotic connectivity in an organization's supply chain have become critical components of reducing costs and developing integrated profit centers. In fact, today's global supply chains rely upon the rapid and robust dissemination of data among supply chain partners.

But this exchange of information brings with it a certain degree of risk. The flexibility, scalability, and efficiency of the technology that enables information sharing has created additional points of access to an organization's proprietary information, increasing the risk that the corporate knowledge that drives profitability may fall into the wrong hands. Particularly vulnerable are those processes and activities that involve the sharing of information between external supply chain partners.

That is why supply chain managers must play a larger role in cybersecurity—the measures taken to protect a computer, computer network, or data from unauthorized access or attack. They need to be aware of what the risks are and of which areas of their supply chain may be vulnerable to cyberattacks. And they must make sure that not only their own company but also their suppliers are following best practices in cybersecurity.

A growing threat
The danger to businesses and their customers from hacking and cyberattacks has become pervasive. Indeed, the list of cyberattacks and data breaches seems to grow by the week. In the United States, such large companies as Home Depot, Sony, Target, and the managed health care company Anthem, among others, have been victims of well-publicized cyberattacks.

The number of U.S. data breaches tracked in 2014 hit a record high of 783, according to a report released earlier this year by the Identity Theft Resource Center (ITRC).¹ That represents an increase of 27.5 percent over the number of breaches reported in 2013 and an increase of 18.3 percent over the previous high of 662 breaches recorded in 2010. Moreover, more than 5,000 data-breach incidents involving more than an estimated 675 million records have been reported and tracked in the United States since 2005, according to ITRC. Cyberattacks are not solely a U.S. phenomenon, however. According to Verizon's 2015 Data Breach Investigations Report, there were 2,122 confirmed data breaches in the previous year at organizations in 61 countries.² And these are just the incidents that are reported; hundreds and perhaps thousands more, predominantly at small and medium-size businesses, go unreported.

The research indicates not only that the threat of cyberattacks is rising but also how insidious they can be. According to Verizon's 2013 Data Breach Investigations Report, although 91 percent of data breaches were carried out in a matter of minutes or hours, it took months or years to detect 62 percent of those compromises, and it took took several months or longer to contain more than half of the breaches after they were discovered.

The most immediate concern, of course, is the possible consequences for individuals of identity theft and privacy intrusions. But the damage does not end there. The large-scale breaches at Home Depot, Sony, and Target cited above damaged those companies' information technology (IT) mechanisms and the enterprise management systems that disseminate corporate information across their operations. More specifically, the exchange of data that normally would flow seamlessly had to be considered potentially vulnerable to ongoing cyberattacks or further data degradation. That, together with the resulting financial cost and brand-reputation issues, meant that once highly integrated and effective supply and value chain technology ecosystems had to be reconfigured to address current and future security threats.

These examples show that the impact of a compromised IT infrastructure extends far beyond an organization's internal mechanisms and functions. Data breaches and security incidents increasingly put not just individual companies but also entire supply chains at risk. Everyone in the supply chain is vulnerable, from original equipment manufacturers (OEMs) and contract manufacturers to distributors and resellers.

For this reason, supply chain managers need to understand how cybersecurity problems at their suppliers could affect them, and take steps to mitigate those risks. For example, the security breaches at Target and Home Depot occurred because criminals got hold of and compromised a third-party vendor's credentials, which typically include logins, passwords, badges, and security access. In the case of Home Depot, once the hackers got the basic credentials, they then acquired elevated rights that allowed them to navigate portions of Home Depot's network and deploy malicious software, or "malware," on its self-checkout systems in the United States and Canada.³ As for Target, according to a U.S. Senate report, the retailer gave network access to one of its third-party vendors, a heating, ventilation, and air conditioning (HVAC) company. The vendor apparently did not follow widely accepted information-security practices, and its weak security allowed the attackers to gain entrance to Target's network.⁴

It is important to remember that in both of these examples, the access points for the breaches occurred through third-party vendors deep within both companies' supply chains. This is not just a concern for retailers. The 2013 Data Breach Investigation Report from Verizon reported that approximately one in five network intrusions involves manufacturing, transportation, or utility organizations.⁵

Another relevant point is that the Fortune 500 companies and their supply chains are not the only organizations being targeted by cybercriminals. Studies show that more than half of data breaches occur at small businesses. It is important to remember that any vendor with credentialed access can expose your information network to an attack.

Types of attacks
There are many ways cybercriminals can gain access to proprietary information. Here are some of the most common ones (see the sidebar for a more detailed list):

• Malware—Short for "malicious software," malware is simply software that is embedded on computers, devices, or networks that can cause damage to protected or unprotected files. Examples include spyware, worms, viruses, and Trojan horses.
• Compromised credentials—Thieves use exposed usernames and passwords to access a company's network. This personal information is typically bought and sold on the "deep" or "underground" Internet, where illegal activity occurs.
• Distributed denial of service (DDoS)—A hacker or bad actor disrupts a company's systems or networks to deny service to clients or vendors. Typically, this form of attack is not a theft or loss issue, but rather can tie up company resources and the capacity needed to restart a system or programs that have been adversely impacted.
• SQL injections—The hacker or bad actor inserts malicious code into Structured Query Language (a programming language designed for managing information in databases) with the goal of accessing proprietary data. In this instance, hackers can access corporate databases by use of the SQL injection, bypassing firewalls and other security measures.

As a supply chain manager, you probably are not directly involved in addressing these threats, but you should be aware of first, how your company's IT department is handling them, and second, what measures your suppliers have taken to prevent such attacks from happening.

Protecting your supply and value chains
Information sharing is not limited to supply chain functions like transportation, distribution, logistics, warehousing, inventory management, sourcing, procurement, and order and production planning. Companies share proprietary data across their value chain—the whole series of activities that create and build value for a company, including marketing, sales, and customer service in addition to the many functional areas of the supply chain.

Harvard Business School's Michael E. Porter describes the value chain in these terms:

Competitive advantage cannot be understood by looking at a firm as a whole. It stems from the many discrete activities a firm performs in designing, producing, marketing, delivering, and supporting its product. Each of these activities can contribute to a firm's relative cost position and create a basis for differentiation.⁶

From this perspective, a company's supply chain—both upstream and downstream—can be seen not only as a mechanism that develops and delivers products and services from source to customer, but equally importantly, as Porter suggests, as part of a value system in which interdependence is the fundamental tenet behind gaining competitive advantage.

In such an integrated system, the supply chain has access to pricing data, metrics, point-of-sale information, inventory flows, and enterprise system activity. By incorporating these and other components into an integrated value chain, companies expand economic efficiencies and create competitive advantage, thereby improving their profit margins. In other words, competitive advantage is predicated on engaging in partnerships within and across the supply and value chain.

This type of integrated system, however, creates a number of potential entry points for cybersecurity risks. Examples include:

• Vendor relationships and global information transmission
• Open access to data rather than "need to know" access
• Frequent changes in suppliers and products
• Lack of standardization of security protocols across vendors and other partners
• Infected devices on a corporate network
• Obsolete security infrastructure or outdated hardware/software

The negative impact of supply chain partners that have experienced a data breach can continue for years. Companies should, therefore, take steps to identify and defend against such threats.

Internally, the company must monitor domains as well as credentials—the passwords, log-ins, and other IT security protocols that employees and vendors use to legitimately access company systems. This involves setting consistent standards and methodologies for obtaining, using, and updating credentials, so that hackers cannot utilize gaps or lapses in usage to infiltrate company systems. Companies also must be aware of any risks associated with external partners. From a supply chain perspective, effective vendor management can set the foundation for a more nimble and proactive cybersecurity approach.

Vendor security begins with two fundamental pieces of knowledge. The first is which firms comprise your company's supply chain. Identifying all partners, affiliates, and network participants is critical, as a firm is only as strong as its weakest link. The second is the degree to which your company is reliant on each of its product and service partners. Your company's security is dependent on identifying the extent of that reliance, particularly relative to the size and scope of the business operations. A security breach at a supplier that plays an integral role in, for example, product design would be a much greater threat than a security breach at a supplier with which a company has a simple, transactional relationship.

Different types of supply chains will have different levels of risk of cyberattack. A vertically integrated company with operations both upstream and down will have a greater risk profile, because of the multiple stages of production and distribution across its supply chain. However, horizontally integrated businesses with a focus on only one aspect of the supply chain are not immune from risk. An operation that is solely manufacturing-based, for instance, may be at risk through multiple points within that specific ecosystem. For example, we are now seeing cases where malware is being uploaded and installed at original equipment manufacturers (OEMs) at multiple points in their production processes. These threats usually are discovered long after the product has left the facility and has entered another firm's supply and value chain. In this way a seemingly siloed manufacturer may open its operation and consequentially other organizations to security risks.

It follows logically, then, that the greater the complexity and value of a firm's supply chain, the more extensive and proactive its risk management efforts should be. These efforts should include various layers of security, including, but not limited to: redundant backup systems, multiple-stage access thresholds for credentials, and ongoing threat monitoring to fend off the expanding list of malware and attacks that can cause service disruption and brand erosion.

After all of its supply chain partners have been identified, a company should audit and vet all of its existing vendors' cybersecurity abilities. This can be achieved by surveying vendors' security practices across a supply chain network and applying security research, developing the IT capabilities needed to better examine and predict potential threats. Another important tool is threat intelligence, which involves the utilization of security data to more actively assess and detect potential risks to a company's information infrastructure.

One of the most important and effective steps you can take is to include cybersecurity protocols, conditions, and capabilities in the procurement function's approval criteria for all potential new vendors.

In many ways, this sort of vendor assessment is a strategic sourcing exercise that allows management to base its selection of vendors on a combination of factors that include not just price and quality but also security metrics. These measurements may include the vendor's ability to integrate its tactical security measures into a larger company's infrastructure; how well the vendor protects its own data; and the overall importance of that vendor in the supply chain.

While this may seem like common sense, this kind of assessment is not widely practiced. According to a 2014 cybercrime survey by the consulting firm PricewaterhouseCoopers, only 44 percent of firms have a process for evaluating third-party vendors, down from 54 percent in 2013. Just 41 percent of companies have a process for assessing the cybersecurity of third-party providers with which they share data or networks before launching business operations, and just 27 percent conduct incident-response planning with supply chain partners.⁷

Once a company has assessed its vendors' cybersecurity measures, it must also ensure that there is a standard level of security across the supply chain. It is rare to find much consistency. Consider this common situation: An organization uses multiple partners to manage and perform its inbound and outbound logistics activities. These vendors are connected through the logistics function, with access to information that is sensitive to both as well as to the overall value system. Yet in many cases they will have substantively different security protocols, and neither may have a stringent set of standards, thereby exposing all members of the system to cyberattacks.

Executive management must set security protocols that are standardized across the supply chain network and require their vendors to comply. For example, credentials should be uniform for logins, passwords, and badges. The breaches that we have seen unfold have often evolved from credentialing that either was not standardized across vendors or had not been sufficiently updated from a technology perspective. Additionally, a company should have a security framework (for example, ISO 27001), along with an individual such as a chief security officer, chief technology officer, or data steward who is responsible for data security management, strategy, and responsive action.

Once these protocols have been set, companies must proactively monitor and audit every vendor in their network. In many cases, annual audits or self-reporting incidents will not fully shield a firm's infrastructure from ongoing threats, as these methods often are incomplete, inefficient, quickly outdated, or a combination of those elements. A company can often benefit from having a neutral third party conduct a one-time evaluation of its supply chain's security, and then monitor its vendors and supply chain on an ongoing basis.

In spite of its growing importance, getting the funding needed to identify and target possible cybersecurity threats can be difficult, as success does not show up in net profit or increased revenues. A company's security spend, in fact, is often treated as a stand-alone cost of doing business. This approach can be problematic because the true costs of responding to and recovering from a cyberattack, as well as the ongoing expenses from a breach and loss of proprietary information, customer data, and brand reputation, are not factored into a strategic assessment of revenue generation.

A more reasoned approach may be to incorporate IT and cybersecurity spending into the cost methodology for supply chain management, through an accounting approach that is differentiated as an absorption costing model. This method would quantify the security spend as a function of all total direct costs, including overhead costs associated with logistics, sales/marketing, and manufacturing. We believe this is the most transparent method of determining cybersecurity's return on investment, and one that gives a full picture of its organic importance to the supply and value chain.

How do you evaluate success?
An important but often missing element of supply chain security is a company's method for evaluating its level of success. While the absence of a documented breach is a notable accomplishment, it is not necessarily a good indicator of a successful cybersecurity program. Recall that hackers are now trying to exploit data at deeper levels over longer periods of time. For example, malware could be embedded in your manufacturing organization years before it is detected.

It is important, therefore, to integrate security metrics into your company's key performance indicators (KPIs), balanced scorecards, and/or executive dashboards. One possible metric is audit efficiency; that is, how effective and accurate are the audits of third-party vendors and company systems relative to supply chain threats. A second possible metric would be the degree of uniformity in security policy throughout an organization and its supply chain. Another is supplier concentration in the company's overall operations—in other words, how important any one supplier or group of suppliers is to the supply and value chain. Correlating that information with the suppliers' level of security strength or weakness can reveal the potential degree of impact of a breach at a particular supplier. Using this methodology would ensure that KPIs were tailored toward limiting cyberattack exposure, as opposed to the simple measure of whether or not a breach had occurred.

Whichever metrics a company decides to use, it is clear that information has becomes the critical asset in a firm's supply chain, and that the need to protect the organization's overall infrastructure from cyberattacks has grown in importance. The technological integration between supply chain partners provides ever-increasing efficiencies, but with that comes increased risk of security problems for customers.

The threat is real, and companies will be challenged in the next decade to shield their proprietary knowledge from cyberattacks. While this is a daunting prospect, the reality is that there are concrete steps that executive management teams can engage in to best protect their strategic competencies. Supply and value chains are now the drivers of profitability and brand awareness, and investments to protect them from a cybersecurity perspective are even more critical as the threats become more acute.

Notes:
1. Identity Theft Resource Center, "Identity Theft Resource Center Breach Report Hits Record High in 2014," January 12, 2015.
2. Verizon, 2015 Data Breach Investigations Report, April 2015.
3. The Home Depot (via PR Newswire), "The Home Depot Reports Findings in Payment Data Breach Investigation," November 6, 2014.
4. United States Senate Committee on Commerce, Science, and Transportation, "A "Kill Chain" Analysis of the 2013 Target Data Breach," March 2014.
5. Verizon, 2013 Data Breach Investigations Report, April 2013.
6. Michael Porter, Competitive Advantage: Creating and Sustaining Superior Performance (New York: Free Press, 1985).
7. PricewaterhouseCoopers, U.S. Cybercrime: Rising risks, reduced readiness,