Why are supply chains growing in significance?
There is a recognition that the effective use of technology can have a fundamental impact on how an organisation delivers services to its customer base. With an increasing focus on digitisation, many companies are struggling to establish and deliver digital transformation projects alone. This is being driven by the need for specialised skills which are not available internally.
At a macro level, globalisation has also played a significant role. Enterprises can quickly take advantage of growth opportunities in different markets all with relative ease, many of which centre on partnering with third party organisations based in the local market utilising their knowledge of infrastructure, people, legal and regulatory frameworks to deliver change.
As a result the business case for using suppliers continues to grow...
The optimal use of suppliers
A key objective for those responsible for managing supply chains and 3rd party supplier relationships should be the creation of high performing, value generating and secure supply chains. They should optimise performance, security and resilience to maximise the upside and reduce risk to an acceptable level.
What are the implications?
Over the past decade there have been numerous examples where organisations have failed to manage their suppliers in an optimal way leading to vulnerabilities being identified in their supply chain. Whether the organisations have been in shipping, financial services, retail, automotive or pharmaceuticals the long lasting impact has been significant. Impacts have included financial (millions of dollars in clean up and remediation costs), loss of customer trust and regulatory censor - to name a few.
For this reason, risk management in the supply chain has become a high priority, if not the number one concern for many organisations. It is important to consider supply chain risks both upstream and downstream from the organisation.
Most organisations focus on those upstream implications e.g. those suppliers who create goods and services used in a company's own operations. Downstream organisations include those companies who may be engaged to sell or distribute the originating products and services. Can you be assured that your brand isn't at risk by the way in which a third party is marketing, selling and distributing your product or service?
Examples:
The past decade has seen numerous examples of issues and incidents which disrupted supply chains. Here are just a few:
Hanjin Shipping Company:
Many retailers use 'Just in Time' inventory management systems to source their products and reduce their capital investments. In the years following the 2008 financial crisis, the global economic downturn had affected profits across the cargo shipping industry. It led to overcapacity, lower freight rates and rising debt levels.
The question was not whether a big shipping line would go under, but which one would be first. The honour eventually fell to Hanjin Shipping Company, at that time South Korea's biggest shipper and the seventh largest in the world.
Crippled with $5.4bn (£4.1bn) in debt in August 2016, the company failed to get any more money from its creditors. The collapse of the Hanjin Shipping Company demonstrated how a supply chain can be interrupted due to a financial failure. Many retailers who had products on board, especially those with perishable goods, found themselves without adequate insurance (physical loss or cargo damage is insurable, shipment delay is not). As a result, there were huge financial, reputation and customer impacts for those reliant on Hanjin.
Target:
In 2013 attackers gained access into the US retailer Target's corporate network by compromising a third-party vendor. The number of vendors targeted is unknown. However, it only took one. That happened to be Fazio Mechanical, a HVAC refrigeration contractor.
A phishing email opened by at least one Fazio employee, allowing Citadel, a variant of the Zeus banking trojan, to be installed on Fazio computers. With Citadel in place, the attackers waited until the malware offered what they were looking for Fazio Mechanical's login credentials.
Fazio apparently had access rights to Target's network for carrying out tasks like remotely monitoring energy consumption and temperatures at various stores. The attackers leveraged the access provided by the Fazio credentials to move about undetected on Target's network and upload malware programs on the company's Point of Sale (POS) systems.
At the time of the breach, all major versions of enterprise anti-malware detected the Citadel malware. Unsubstantiated sources mentioned Fazio used the free version of Malwarebytes anti-malware, which offered no real-time protection being an on-demand scanner.
The hackers first tested the data-stealing malware on a small number of cash registers and then, after determining that the software worked, uploaded it to a majority of Target's POS systems. Between Nov. 27 and Dec. 15, 2013, the attackers used the malware to steal data on about 40 million debit and credit cards. U.S., Brazil and Russia.
Ticketmaster:
The much-reported Ticketmaster breach was carried out when the Magecart group, which was behind the attacks, compromised one of Ticketmaster’s third-party suppliers.
The Magecart attackers injected malicious JavaScript code onto Ticketmaster’s website after they compromised a chatbot from tech firm Inbenta that was used for customer support on Ticketmaster websites. Magecart was then able to alter the JavaScript code on Ticketmaster’s websites to capture payment card data from customers and send it to their servers. The code may have been on the Ticketmaster website for almost a year. Inbenta said Magecart had exploited vulnerabilities to target its front-end servers and alter its chatbot code.
Following the Ticketmaster breach, it was identified that Magecart was widely targeting third-party companies that are used on e-commerce sites to manage analytics, website support, and other services.
Feedify is one such third-party service that is used by many websites to serve up push notifications to website visitors. It was notified by a threat researcher that some of its JavaScript code had been modified with the Magecart script, which prompted Feedify to delete the code. However, within 24 hours the code had been modified again. Feedify again deleted it but it once again reappeared, with threat researchers subsequently warning users of Feedify to stop using it until the issue was resolved.
What steps can organisations take?
For many organisations the process of on-boarding potential supply chain partners is often a rushed process in terms of evaluating their control capabilities. Such assessments rarely cover the required level of detail to provide organisations with assurance that the risks which they face have been adequately managed.
At the heart of an effective system must be the capability to identify, monitor, manage and eliminate risk continually, not just as a one-off exercise. Such systems also need to be adaptive and agile to keep pace of the changing digital, geo-politcial and regulatory environment and other evolving risks. Below are just a few of the steps which organisations should consider.
Focus on the effectiveness of the procurement process: Could root cause of the issues which you have experienced with your suppliers been identified before you on-boarded them? In many instances, the simple answer is yes. Establishing an effective procurement process which governs how you identify business need, evaluate, appraise and contract with suppliers can have a profound impact on the level of risk you carry in the future.
Identify the suppliers you currently use: Sounds obvious? Surely every organisation holds central list or system of record which contains all the suppliers they work with, the service they provide? Unfortunately in many enterprises, (even those accredited to ISO 27001) the engagement and on-boarding of suppliers / third party vendors often takes a very different route dependent on the scale of spend, department involved and maturity of procurement processes. As a result trying to answer this question often becomes a challenge.
If you already work with a number of suppliers but don't have a consolidated view, this step is critical and should be prioritised. If you do have a central view but know that the data is inaccurate, focus on engaging with supplier owners or individual teams who manage the supplier relationship.
Assess and segment their relationship type: Not all suppliers are or should be equal. Some may provide more critical activities which underpin the products and services which you provide your customers. Others may be seen as routine or run of the mill providing ad-hoc or non critical services to your operation. Additionally, you may seek to invest time in building strategic partnerships with specific organisations who may help to accelerate the delivery of your strategic objectives.
How do you segment these suppliers and what governance and oversight do you establish to ensure that they deliver the value which you require? It is important that such segmentation is performed prior to a supplier being on-boarded so that their role is clearly defined and understood prior to the commencement of a service. There are various methods but one of the most notable is the Kraljic Matrix.
Whatever the method used to segment your supplier base, it should factor and include a balance between managing value from a relationship e.g. performance and outcomes expected vs the risk associated with use of the supplier e.g. access to data and where it is stored.
Identify the key risks which may materialise from your use of suppliers: There are inherent risks (e.g. the things that could go wrong) associated with each third party supplier which you use. Typically these risks arise from i) the type of service they offer to your organisation and ii) the way in which they run their operations. It is important to identify these risks as early as possible and ideally prior to a supplier being formally contracted and engaged to deliver a service. Doing so allows the contracting organisation to manage the upside of an engagement with a supplier whilst managing any risks to an acceptable level.
For example, you are about to start work with a key supplier in the development of an eCommerce application which underpins a service generating over £200m in revenue for your group. You have identified historic issues reported publicly around poor software development practices at the supplier which have caused bugs and security vulnerabilities to be deployed into production systems. Additionally, the financial viability of the supplier has been questioned due to a number of high profile legal cases.
Unsurprisingly, none of these issues were identified by your Head of eCommerce Operations leading the initiative. They were however identified through the organisations formal due diligence process for on-boarding new suppliers which involved a comprehensive financial and media checks (to name a few) prior to engagement. Introducing such a proactive measure can help to reduce potential losses (financial and reputation).
Develop and implement methods for monitoring the performance and levels of risk associated with the use of your suppliers: Build transparent and open relationships with your suppliers and regularly monitor their performance. The steps which you take include:
Defining roles, responsibilities, ownership and accountability for each supplier relationship. Whether that is through a centralised or federated model for supplier relationship management, it is important that there is a clear sense of who, what, how and why for each supplier used by your organisation.
Develop, implement and monitor key performance, key risk and key control indicators. Ideally your procurement process will have helped to identify key measures by which you assess the performance of the supplier. Dependent on the segmentation of the supplier, these indicators may also be included within in your contract clauses.
Annual control assessments and periodic deep dive reviews of key control themes. It is important that you understand the control position of your suppliers and this gain be gained by a variety of assurance mechanisms, for example supplier control questionnaires, assurance visits and audits. The mechanism by which you gain assurance from your suppliers should be layered e.g. from regular reviews of performance and outcomes aligned to key metrics, underpinned by regular reviews of specific control themes which a supplier operates.
Clearly assurance comes with a cost and therefore it is important to use a risk based approach. The approach should target assurance over the most significant suppliers, with the term significant being based on your own criteria e.g. annual spend, service supported / provided, data usage and access).
When it comes to resilience and cyber risk, whilst we can’t change the resilience of our suppliers against cyber-attackers directly, we can have a transparent relationship when it comes to cyber risk. Under such a paradigm, we would be alerted to the early warning signs of cyber risk in a third-party supplier, and we would be able influence changes in their controls or take steps to back out of partnership if the risk is deemed too high.
If you are looking for additional support or guidance in this area, visit our Operational Resilience service page or reach out to our knowledgeable team.