Your Partners' Risks Are Your Risks

We don’t think about supply chain risk...until we don’t have toilet paper.

Imagine the supply chain chaos of the COVID-19 vaccine. Delivering COVID-19 vaccines to the world can be a supply chain nightmare. COVID-19 vaccines need to be kept at a certain temperature and even 1 degree higher can ruin the vaccine. Imagine the route the vaccine needs to travel before you get it. We're talking about transportation, ships, planes, trucks, and in between...storage. Even if a single supplier in the supply chain fails to keep it secure, an attacker can take advantage of this and change the temperature. So how is the temperature monitored and who has access? What if that software gets infected with ransomware and we need to pay a fortune so that the temperature remains the same? It sounds like a Hollywood movie but it could happen.

On the supply chain side of things, we are just scratching the surface to thinking and acting on the security thought process. We want to not only make sure it works well but also consider risks and resiliency into our business model in order to be successful.

Not all risks are the same
Your risks are based on your product and business processes and differ between companies. For sourcing products, you may need multiple vendors to reduce the risk of product shortage. In Information Technology, you may want less vendors to reduce the risk of exposure to sensitive information.

In the early days, companies focused solely on making technology or their product better and making sure it worked. That is until threats came our way. Now, we focus more on security and it is part of the practice of everything we do.

Educating your employees on Security Awareness remains a priority as well. Your suppliers will thank you for it. This also means that if your suppliers are educating their employees, it reduces your risk. We should all do our part!

Mapping risk to protect your future
You can start by looking at who and where suppliers are and what are the alternatives. You rely on relationships with suppliers to get what you need so they must be secure. You can ask for information from them directly but asking them to give up information on their suppliers may be a little more difficult. You need visibility into the supply chain.

If you can find public data on suppliers such as their suppliers, geographical location, and transportation methods, you can analyze it to forecast possible risks and make decisions. This allows you to put the story together to see what the supply chain looks like. Then, you can start monitoring based on incident alerts and check with your vendors when risks present themselves. An earthquake in Malaysia could impact one of your suppliers. You can contact that supplier and ask them if your product or information is at risk and what is being done to mitigate that risk. In addition, if you find you are unable to use that company, you can quickly find another.

The Waffle House Index is part of the way FEMA measures an impact on tornadoes. They literally check to see if Waffle Houses across a region are open or not. US Bank does a quarterly index of transportation policies. During our pandemic shutdown, they were able to see the economic impact in the data charts. Everything collapsed. We know that the South of the USA has been bouncing back faster than the rest of the country. Could this be because they have prepared for this with all of the natural disasters they face?

Rank your suppliers by risk to revenues
Supply Chain Risk Management is a discipline. Assume you are always vulnerable.

Look at linking risk at the potential of impact on revenue and not just what you are spending. Do this with all of your suppliers. Rank suppliers differently instead of looking at only dollars spent. Companies like Security Studio can help rate your suppliers by risk.

Look at managing your supply chain risks like you manage your dental health. To keep your teeth healthy, you brush them every day, replace your toothbrush every quarter, and visit the dentist twice per year. While you are always at risk of getting a cavity at this time and some risks are waiting to appear, you are proactively taking steps to minimize their impact on your health.

Could Contracts Save Us?
The short answer is “No.” Contracts are meant to try to shift risk and responsibility but they don’t necessarily protect us from it. If you get someone else to take the risk in a contract, it still has to be enforced. While there may be some sort of peace of mind, there is still no guarantee that you are safe. If information is stolen, it will still cost you no matter who is liable. Reputations are also at stake. If a company is out of business that you have a contract with, the contract may not be worth anything.

Even if your agreements entitle you to audit your suppliers, don’t rely on that. What if you have 1,000 suppliers? Can you really audit all of them? And what about their suppliers…

Don’t assume something is safe because someone told you it is. Do a Dungeons and Dragons Exercise. Ask your suppliers these questions...What can I do to kill you in 24 hours? What would it take? Discuss the answers to those questions with your suppliers and your teams. Acknowledge with vendors that you share the risk and work together to mitigate and monitor. Collaborate when issues come up. Collaborate as you never have before. Educate employees.

For Your Toolbox
Supply Chain Management for Dummies by Daniel Stanton  
The Association for Supply Chain Management
Harvard Business Review Articles and Case Study from Dr. David Simchi-Levi 
Cisco helps companies with Supply Chain Risk Management
Security Studio can help place a risk score on vendors. 

Moderated by

• Wizer’s hacker, Chris Roberts!

Panelists:

• Christopher G. Johnson, MBA, CISA - Strategic IT Leader

• Daniel Stanton -  Mr. Supply Chain®