The following article was prepared by Mike Taylor, C.P.M., for distribution to ISM affiliate newsletters
Supply Chain Security
Great article December 2011, Inside Supply Management
This article discusses some of the issues and concerns businesses face relative to cyber security. It's well worth the read. Pay particular attention to the inserted text box talking about defensive strategies.
The supply chain accounts for a large percentage of operating budget and business continuity risk. Sensitive information and weak spots in the supply chain may not be obvious to many employees and even to some senior managers. In addition to our own employees, businesses in our supply chain, and their personnel, may also have access to information which could be sensitive. IT departments can only do so much to provide system and hardware protection. It's up to the people using the systems to know which data needs to be protected, and it is up to supply chain management to make sure they understand.
Supply Management often gets asked to discuss or explain the risks in our supply chains. Those briefings traditionally focus on single source suppliers and long-lead-time materials. Natural disasters in the past few years have inspired us to expand our thinking of supply risks in terms of catastrophic loss. This article on cyber security, and a Business Week article referenced below, highlight yet another very real threat to the supply chain - data loss. Whether it's data about a bid evaluation, planned strategic acquisition, or intellectual property; data and information stored on our computers can be sensitive and critical to continued cost-effective operation of our business.
It's not just data stored on our computers or locked in engineering files. As supply chain managers, we also understand that company information is transmitted thousands of miles and through many different hands both up and down the length of our supply chains. A good friend once described a very real concern her company had about sending a proprietary drawing to a new supplier in a foreign country. Today, drawings and specifications are often transmitted electronically. Accordingly, not only must we be concerned about mishandling of the drawing at a supplier's facility, we need to additionally be concerned about security and data loss in cyberspace. And this concern should extend to the supplier's computer systems as well as our own.
Data, drawings, business plans, financial information, key personnel lists and email addresses are carried around on laptops, iPhones and stored on computers that belong to our employees, and to employees of our suppliers, business partners, former employees and even in some cases our supplier's suppliers. The concern includes proprietary design information, electronic invoices, product performance data, manufacturing plans, projected shipping schedules, new sources, new materials and new methods.
If the IT department thinks the best way to protect data is to lock it behind a password and make sure only authorized personnel have access – then they have buried their heads in the sand. Of course, someone could deliberately hack into the database and steal the information. But as we all know, a lot of sensitive information is transmitted in and out of the Supply Chain organization as part of normal business processes.
O.K. - do we agree the problem is huge? So what can we do? I think we can take several steps to be proactive.
1- Convene a discussion of Supply Chain risks with staff and senior management. This could be an interesting educational exercise. Ask each staff member to do some research about problems that similar businesses have had with respect to cyber security and supply chain information. Then get the staff together to share findings and talk about potential risks.
2- Have regular discussions with the IT department about data security and risk of loss. Expand the discussion to include risks of loss throughout the supply chain and include all types of sensitive data. Talk about what can realistically be done to ensure key suppliers are as safe as you are.
3- Educate senior management, company employees and suppliers about the kinds of supply chain data or information which is critical or sensitive. [In my opinion, we don't do a very good job of explaining supply chain business to the rest of the company. The more people know about why we are concerned about protecting bid information, the more they can help.]
Educating the organization about how the supply chain operates, negotiation objectives and market conditions has to start with Supply Chain Management. Sure we can write a procedure that says “bid information must remain confidential”, but what the heck is “bid information” and how broad is that definition? People need to be told why we consider the information sensitive and about the potential impact to operations and cost should the wrong information be disclosed. A person who inadvertently obtains sensitive information needs to know enough to realize the information is sensitive in the first place.
More than just a supplier and a carrier, supply chains now involve importers, forwarders, export representatives, translators, regulators and more. Each additional touch point is an increased potential for information loss and damaging leaks, and thus an opportunity for education.
4- Add intellectual property and data protection language to all contracts. Ensure all suppliers understand expectations about data security. Here is a sample to think about - get a lawyer to help make it bulletproof.
All data, information, drawings, plans, practices, etc. furnished by buyer or obtained by contractor during performance of this contract which are owned by or considered sensitive by the buyer shall be held strictly confidential. This information shall be provided to contractor employees on a need-to-know basis for performance of this contract and shall not be disclosed to a 3rd party without specific written approval of the buyer. Upon conclusion of this contract all sensitive data shall be returned and/or deleted from all contractor-controlled data storage locations.
5- Don't wait until the cows leave to close the barn door - educate key executives about sensitive information and risks of loss. Have a similar discussion with each of your suppliers' key executives. Don't assume understanding and good judgment comes with the title. I’d suggest a short letter to managers signed by your CEO (and ghost written by Supply Management).
Unfortunately, even a proactive process and tight contract language can't always help. Take a look at this Business Week magazine article. In this case, even a company's own bank claimed cybercrime losses were the fault of the business.
Still not convinced we need to get involved? Here are some more examples of supply chain risk and exposure:
Bottom line. Proactive supply chain management is a big task. Articles like the two referenced above are relevant to our profession.
Read more articles about negotiation and creative contract solutions in the Purchasing Toolbox at http://www.mltweb.com/prof/tools.htm and in the BuyTrain news article archive at http://www.mltweb.com/tools/buytrain/index.htm