Cybersecurity and supply chains: be very afraid

A scene early in The Lord of the Rings trilogy has the warrior king Aragorn asking Frodo Baggins whether he is afraid, and then warning the hobbit hero that he is not nearly afraid enough. The ring of power that Frodo carries is being sought by evil forces whose reach is underestimated.

Supply chain leaders should also be afraid, because the information they carry is in similar peril. Sony’s recent problem with hackers is not a one-off, but instead a warning to all that cybersecurity deserves a lot more attention in terms of supply chain risk management.

Protect the Precious

The Hobbit’s ring is called “the Precious” in a maniacal and obsessive way throughout the story, representing as it does a huge and mystical power. The analogy to information in our modern economy may a bit of a reach, but it’s not crazy.

Dematerialisation of economic activity is well under way, which means that most of what we source, make and deliver has value because of information embedded in the supply chain. This is true of product information like patented technologies, trademarked images and, of course, customer information.

Each time we handle such information we risk having it fall into the wrong hands. This increasingly precious resource unfortunately is too often under-protected, as Sony’s situation vividly demonstrates.

If this were just a one-off, we might be justified treating cybersecurity as one of many things deserving a formal risk management strategy. Unfortunately, it is not. Retailers in the US and elsewhere have been pounded on this front repeatedly in recent years with Staples, K-Mart, Albertson’s and Home Depot among those reporting customer data losses since September last year.

Related concerns over information abuses, including software piracy, counterfeit drugs or machine parts, and even unauthorised uses of artwork all live under the same leaky roof, which is our massively ill-prepared system for information security and control.

Not enough vigilance

In our 2014 Chief Supply Chain Officer Survey we asked more than 1,000 practitioners about their level of concern across 15 different supply chain risks. The highest rated overall as “very concerning” was safety or quality incidents, followed closely by customer demand volatility. Data security or cybercrime was ranked sixth.

Considering how much damage was done at Sony, one wonders whether it’s time to watch this threat a bit more closely.

Industry cuts of this risk survey show only four groups of respondents whose top answer regarding cybersecurity is “very concerned”. These were aerospace, media & telecommunications, finance and academic. The common thread as compared to bigger groups of respondents from other sectors is that all are acutely sensitive to the value of information.

My fear is that supply chain leaders in pharmaceuticals, hi-tech and retail are underestimating the importance of safeguarding the information they handle every day.

Perhaps many of the 350 respondents who said they weren’t concerned about cybersecurity expect corporate IT departments to own this problem. This may sound fair enough, except that supply chain by its very nature must operate beyond the firewall.

Whether that means sharing engineering data with contract manufacturers or collecting customer data from thousands of points of sale, the reality is that information is out there and someone has to protect it.

Best practice

For all the dismal news around cybersecurity, it’s interesting how little we hear about Amazon. Having experienced a big data breach at its Zappos unit back in 2012, Amazon has since been very successful in maintaining shopper confidence for data security.

Its lack of stores may be part of the reason, with more information concentrated physically in massive data centres rather than distributed across thousands of points of sale.

Strategically, Amazon’s approach to information also offers clues. While the company’s physical products, especially the Kindle, rely on standard component technology, its demand capture systems embed lots of proprietary information value. Plus, its cloud business institutionalises data security as a primary provider, not just another user.

How smart is Amazon? I have criticised its supply chain strategies as essentially undifferentiated, but praised its genius for mastering demand information.

Amazon is very smart and may have more to teach about cybersecurity than anyone in the world.