The following article was prepared by Mike Taylor, C.P.M., for distribution to ISM affiliate newsletters

Supply Chain Security

Great article December 2011, Inside Supply Management 

This article discusses some of the issues and concerns businesses face relative to cyber security. It's well worth the read. Pay particular attention to the inserted text box talking about defensive strategies.

The supply chain accounts for a large percentage of operating budget and business continuity risk. Sensitive information and weak spots in the supply chain may not be obvious to many employees, or even to some senior managers. In addition to our own employees, businesses in our supply chain and their personnel may also have access to information which could be sensitive. IT departments can only do so much to provide system and hardware protection. It's up to the people using the systems to know which data needs to be protected, and it is up to supply chain management to make sure they understand.

Supply Management often gets asked to discuss or explain the risks in our supply chains. Those briefings traditionally focus on single source suppliers and long-lead-time materials. Natural disasters in the past few years have inspired us to expand our thinking of supply risks in terms of catastrophic loss. This article on cyber security, and a Business Week article referenced below, highlight yet another very real threat to the supply chain: data loss. Whether it's data about a bid evaluation, a planned strategic acquisition, or intellectual property, data and information stored on our computers can be sensitive and critical to the continued cost-effective operation of our business.

It's not just data stored on our computers or locked in engineering files. As supply chain managers, we also understand that company information is transmitted thousands of miles and through many different hands, both up and down the length of our supply chains. A good friend once described a very real concern her company had about sending a proprietary drawing to a new supplier in a foreign country. Today, drawings and specifications are often transmitted electronically. Accordingly, not only must we be concerned about mishandling of the drawing at a supplier's facility, we also need to be concerned about security and data loss in cyberspace. And this concern should extend to the supplier's computer systems as well as our own.

Data, drawings, business plans, financial information, key personnel lists and email addresses are carried around on laptops and iPhones and stored on computers that belong to our employees, and to employees of our suppliers, business partners, former employees and, in some cases, even our suppliers' suppliers. The concern includes proprietary design information, electronic invoices, product performance data, manufacturing plans, projected shipping schedules, new sources, new materials and new methods.

If the IT department thinks the best way to protect data is to lock it behind a password and make sure only authorized personnel have access, then they have buried their heads in the sand. Of course, someone could deliberately hack into the database and steal the information. But as we all know, a lot of sensitive information is transmitted in and out of the Supply Chain organization as part of normal business processes.

O.K., do we agree the problem is huge? So what can we do? I think we can take several steps to be proactive.

1- Convene a discussion of Supply Chain risks with staff and senior management. This could be an interesting educational exercise. Ask each staff member to do some research about problems that similar businesses have had with respect to cyber security and supply chain information. Then get the staff together to share findings and talk about potential risks.

2- Have regular discussions with the IT department about data security and risk of loss. Expand the discussion to include risks of loss throughout the supply chain and include all types of sensitive data. Talk about what can realistically be done to ensure key suppliers are as safe as you are.

3- Educate senior management, company employees and suppliers about the kinds of supply chain data or information which are critical or sensitive. [In my opinion, we don't do a very good job of explaining supply chain business to the rest of the company. The more people know about why we are concerned about protecting bid information, the more they can help.]

Educating the organization about how the supply chain operates, negotiation objectives and market conditions has to start with Supply Chain Management. Sure we can write a procedure that says “bid information must remain confidential”, but what the heck is “bid information” and how broad is that definition? People need to be told why we consider the information sensitive and about the potential impact to operations and cost should the wrong information be disclosed. A person who inadvertently obtains sensitive information needs to know enough to realize the information is sensitive in the first place.

More than just a supplier and a carrier, supply chains now involve importers, forwarders, export representatives, translators, regulators and more. Each additional touch point is an increased potential for information loss and damaging leaks, and thus an opportunity for education.

4- Add intellectual property and data protection language to all contracts. Ensure all suppliers understand expectations about data security. Here is a sample to think about; get a lawyer to help make it bulletproof.

All data, information, drawings, plans, practices, etc. furnished by buyer or obtained by contractor during performance of this contract which are owned by or considered sensitive by the buyer shall be held strictly confidential. This information shall be provided to contractor employees on a need-to-know basis for performance of this contract and shall not be disclosed to a third party without specific written approval of the buyer. Upon conclusion of this contract, all sensitive data shall be returned and/or deleted from all contractor controlled data storage locations.

5- Don't wait until the cows leave to close the barn door; educate key executives about sensitive information and risks of loss. Have similar discussions with each of your suppliers' key executives. Don't assume understanding and good judgment come with the title. I'd suggest a short letter to managers signed by your CEO (and ghost written by Supply Management).

Dear executive, as a key person in our supply chain we want you to be aware of our desire to safeguard information systems, processes, data and records that we consider to be sensitive and critical to our success. We are depending on you to exercise sound judgment and help us protect this information from disclosure, release or theft (either physical or electronic). Please participate in a short teleconference with our CPO on January 1 to review data protection concerns and plans. Contact me if you have any concerns or reasons to question the integrity of the data you receive, etc.

Unfortunately, even a proactive process and tight contract language can't always help. Take a look at this Business Week magazine article. In this case, even a company's own bank claimed cybercrime losses were the fault of the business.

Banks to Small Business: Online Theft? Tough Luck (BusinessWeek): Banks are holding companies responsible when their accounts are raided by cyber crooks.

Still not convinced we need to get involved? Here are some more examples of supply chain risk and exposure:

  1. Hackers have a specific type of computer system attack, called a denial of service attack. That is, they cripple a company web site by overloading it with information, so the company and its customers lose service until the hacker attack can be broken. What if a competitor decided to play dirty and launched a cyber attack on your supply chain? How hard would it be to disrupt production of a critical supplier?
  2. We can secure credit card information internally with encryption and passwords. But if a key supplier keeps our credit card information in an open spreadsheet, we are vulnerable.
  3. We can perform a business analysis showing that even a 1-week disruption in deliveries could be devastating. What would happen if someone altered export/import paperwork so it was rejected in customs?
  4. What if a primary transportation provider releases information during a trade show that their services will be dropped next year because the "secret" new product will require regulated shipping?
  5. Could raw material costs jump if a key raw material supplier announces to its shareholders that a new exotic raw material will replace its product the following year?
  6. What if a draftsman in a design firm hired by one of your suppliers loses his iPad with your design data and doesn't report the loss?
  7. Would you be concerned if an engineer informally shares unmarked copies of new tooling designs with several potential suppliers (who might also supply your competitors)?
  8. Could emails discussing a plant closing or relocation show up in a Facebook posting?
  9. Would it be a concern if names and home addresses of your accounts payable department or senior executives are made public?
  10. Could a foreign competitor send bogus emails to key suppliers changing production schedules or authorizing material substitutions?
  11. Would your bank cover the loss if electronic invoices from a supplier are altered to change the remit-to bank account?
  12. Even easier: could a hacker just forge a few bogus emails cancelling an important shipment or changing a specification?

Bottom line: proactive supply chain management is a big task. Articles like the two referenced above are relevant to our profession.

MLTWEB is owned by Michael L. Taylor, C.P.M.
Materials prepared by Mike may be shared for supply chain education, provided that this source is credited and no fee is charged. The rights for any other use are withheld.
Copyright Michael L. Taylor, C.P.M.