By Steve Durbin, Chief Executive of the ISF
Supply chains need to be flexible and responsive to cater to shifting customer demand without squeezing profit margins. With pandemic pressure threatening to throw supply chains off-balance, retailers focusing on the bottom line can easily make the mistake of forgetting about information security. The last thing any business wants right now is a high-profile data breach, so with cyber-attacks on the rise, it’s vital that security remain a priority.
Amid global uncertainty and widespread disruption, many organizations are choosing to invest significant sums in their supply chains. An impressive 89% of 1,300 supply chain professionals surveyed by Gartner plan to invest in greater agility over the next two years, and 87% want to make their supply chains more resilient. Information security professionals should be included from the early planning stages through to realization, to ensure at-risk data is fully protected.
Identifying Potential Risks
Retailers should start by taking the time to assess their systems and build a holistic view of their supply chain security. With a supply chain that includes a complex mix of suppliers, service providers, and other third parties, establish where data flows, with whom it is shared, and how it is managed at each stage. Consider every link, from shipping and logistics to transportation. Tighten up data exposure wherever possible and ensure that any data sharing is truly necessary for the business to function.
Analyze the information you are collecting from customers. All of it is subject to data privacy laws, so confirm GDPR compliance and consider any other regulatory requirements. This is particularly important when it comes to payment processing. While most retailers have third-party partners handling digital payments, you can’t assume their security standards are acceptable. Are there secure and reliable systems in place at every step, both internally and externally? Do your due diligence and ensure security is treated as a priority and upheld properly.
Create a Risk Assessment Ranking
Having options is an important element of any agile supply chain, but you must hold every prospective partner to your own high security standards. If they fall short and you can’t mitigate the risk, then it’s time to seek out a replacement. With budgets under pressure, it may be tempting to switch to low-cost suppliers, but if they cut corners with information security, this could prove to be a false economy.
It’s a smart idea to categorize suppliers by potential risk. To do this effectively, you need to consult with and empower information security personnel to craft a secure framework that highlights the potential risks in any third-party relationship. Make security a core consideration in procurement alongside legal so that it doesn’t become an afterthought. Retrofitting security is far more challenging and costly than building it in from the start.
Bake Security into Contracts
With a clear idea of the necessary regulations, preferred security standards, and risk appetite, you can build security into contractual agreements. Information security should be part of your everyday supplier management. Fail to include security at the outset, and it can be perceived as a barrier to agreement in late-stage negotiations. It also creates pressure to bolt it on in a hurry much later, which invites mistakes and omissions.
With information security professionals involved from the start, you can ensure crystal clarity in contracts so that everyone has equal expectations. Lay out precise procedures with a step-by-step guide to cover different incidents. Include clear channels of communication and rules that ensure timely and effective management of any security issue that may arise. This will help you deal with incidents effectively and avoid disruptive disputes.
Establish Continuous Assessments
It’s not enough to take a snapshot of your supply chain security and tick a box; you must have provision in place to assess information security on an ongoing basis. Partners and routes are not permanently fixed, and new technologies and product lines will be adopted and added; every change that occurs has the potential to introduce new vulnerabilities and data exposures. Continuously monitor your supply chain to build a picture of potential threats or issues as they emerge.
Conducting a prolonged in-depth audit isn’t practical, so consider automated monitoring and reporting tools that are configured to focus on the risks in your business. If you can establish real-time visibility, then security threats in the supply chain will be flagged as early as possible so you can act swiftly to nullify them. To achieve this, you must first identify the vital data and performance metrics that can paint an accurate picture of your own and your partners’ security standards.
Balance Security with Pragmatism
While security is important, a balanced approach is required to avoid creating too onerous a burden for stretched suppliers and service providers. You also need to allow space in your business for innovation and flexibility. With so many rapid changes afoot, the need for ongoing visibility into data security across your supply chain is made that much more urgent. Be proactive about mitigating potential threats and act decisively now to build a resilient foundation for future success.