In the first installment of this series, we discussed how risk assessments can be a vital first step in identifying potential problems across the supply chain that may have a detrimental effect on your organization’s ability to deliver products in a timely fashion. Using external tools that scan easily identified vulnerabilities can serve as great resources for identifying holes in an organization’s supply chain caused by vendor vulnerabilities.
Attacks on food and agriculture are not to be taken likely. The U.S. Department of Homeland Security labeled this industry one of the 16 national critical infrastructures that are at a higher risk for an attack than many other sectors. While technology is enabling supply chains to be more operationally efficient, poorly managed IT systems and software can lead to cyberattacks, interrupted operations, and operational downtime that can severely impact an organization’s revenue. Some of these key threats include:
IoT device risk: As agribusinesses of all types, from farmers to processing plants, rely more heavily on automated processes, their automated equipment, and processing systems are becoming prime targets for bad actors – especially because they are inter-connected by the Internet of Things (IoT). These systems and devices, ranging from processing plant sensors to remote scan guns, control virtually every piece of the agricultural processing system, leaving many opportunities for gaps in security.
Increased phishing scams: Phishing scams are becoming increasingly common in businesses in general, including those within agriculture. Using files embedded with malware to infiltrate email systems, cybercriminals are gaining access to financial information and taking control of operating systems by leveraging super admin credentials. These harmful viruses can impact everything from temperature regulators to equipment uptime, which can cause major health-related issues if not kept in check.
Ransomware: The most common uses of ransomware are designed to infiltrate an organization’s network and hold critical data for ransom. In an industry where anything from warehouse inventory data to shipment tracking and temperature monitoring can damage products or interrupt the supply chain, cryptolocking (a form of ransomware) is especially dangerous to business continuity. Recovering from a cryptolocking attack can take anywhere from a few hours to a few days, which can have a detrimental effect on a distributor’s ability to deliver fresh product across the supply chain and to retailers – and can even put the entire business at risk.
To address these threats, risk assessment is only the beginning. As potential issues become known and key vendors are identified as being essential for your business, the management of your incoming and outgoing supply chain becomes a central focus.
What is supply chain management?
Supply chain risk management takes a broader view to identify potential influences and even “blockers” to the supply chain that disrupt or negatively impact operations. Using a fresh produce business as an example, it takes strategic steps to identify, assess, prioritize, and mitigate upstream and downstream IT security risks. This requires an assessment of administrative, operations processes, and the impact of supply chain partners on these processes.
Identifying vendor risk management opportunities
Fresh produce and agriculture-related businesses rely heavily on time: the time it takes to harvest the foods, process, package, ship, and sell is finite, and any interruption to this process means a loss in not only the product but revenue.
Take a company that grows and processes fresh strawberries, for example. The timeline for strawberries to go bad is between 2-3 days if not refrigerated, which means time is of the essence. In a traditional supply chain for processing, packaging is needed to contain the strawberries before being shipped to a retailer. If your packaging doesn’t arrive on time or is somehow delayed because of a system that has gone down either from software malfunction or a cyberattack – and you don’t have a secondary supplier for those containers – your business can be out tens of thousands of dollars.
Managing this risk, identifying where inefficiencies lie, and executing a plan to keep your supply chain intact begins with examining the technology being used by your vendors.
Core components of technology supply chain risk management
To start supply chain risk management, it’s critical to work with a consulting organization that can guide the organization to determine what process the company will use to manage vendor risk. This might be an additional outsourced function created to manage this process to reduce overall risk to the organization for the long term in line with the company’s overall technology strategy.
The core components of this include:
- Identifying the risk, which is achieved in the risk assessment portion of the process.
- Prioritizing supply chain partners based on business impact.
- Collecting and assessing supply chain risk, implementing a rating system that can easily identify potential risk based on factors such as a single factory, “just-in-time” delivery practices, and more.
- Establishing processes, procedures, and policies to work with vendors based on the information collected about the risk to your organization.
Some questions to ask when establishing policies and procedures include:
- Who are the participants in our supply chain, and which are critical?
- How do you determine and validate their IT security posture?
- If they’re failing in your security rating system, how do you respond?
- What is the process to work with them to rectify and remediate their issues?
- How is this process maintained as the IT security landscape changes?
- What are the measurements of success?
Starting the risk assessment and management process
To simplify: Your vendor’s security is your security – and now is the time to not only look at your own security and business operations but also those of your suppliers on which you rely to ensure that products are able to ship on time and reach their destination before they’re lost.
When you are ready to take the next step in securing your organization by looking at your vendor supply chain, identify a true partner that can not only assess your vendor IT security risk but manage and continue to mitigate this risk as part of a long-term strategy. This is a process that ZAG is building as another way for us to enable our clients to succeed.