Cybersecurity within the supply chain
Alan Calder, Chief Executive of GRC International plc, parent company of IT Governance, discusses the growing issue of cybersecurity in the supply chain sector and how companies can counter the threat to meet the challenge head-on. Research from the Ponemon Institute indicates that cybersecurity is a growing supply-chain challenge, with 56% of organisations reporting a breach caused by one of their third-party vendors. As the supply chain becomes increasingly connected through digital transformation, the exposure to potential cyberattack increases. There is, therefore, a critical need for organisations to secure their supply chain ecosystems effectively and mitigate risk as much as possible. The supply chain is the backbone of an organisation, but just one broken link in an ever more complex supply chain can send shockwaves through the rest of the associated suppliers and potentially leave the entire operation exposed to attack.
A dynamic supply chain is essential in modern industry, but each new supplier adds to an organisation’s vulnerability in terms of security. Following the Equifax hack, both Visa and MasterCard warned that 200,000 credit cards may have been compromised as a direct result. Every third-party supplier along the Equifax supply chain was consequently exposed to increased risk. Equifax subsequently published a report following the data breach to raise awareness of threats arising from supply chain security. The report found that 32% of businesses don’t know where all of their third-party suppliers store personal data, and 25% of businesses that have experienced a breach believe the third-party supplier would be accountable for the data breach response.
The Information Commissioner’s Office (ICO) is responsible for how GDPR is implemented and enforced in the UK. One of the core reasons it was introduced into law was to provide greater transparency and visibility for data protection. When GDPR came into force in May 2018, it introduced compliance requirements that also extend to suppliers. The ICO states that if a third-party supplier suffers a personal data breach involving personal data controlled by another organisation, and does not inform the data controller of the incident promptly, it is putting the data controller at risk of breaching its obligations under the GDPR. So, whilst organisations may have internal GDPR compliance policies in place, can the same be said for all of their suppliers?
It’s important for organisations to take control of security auditing and to understand what data suppliers hold on file, where it is stored and who has access to it. By following this process for every supplier, businesses can proactively limit their exposure to risk rather than assuming that each supplier's compliance policies go far enough. Data processing documentation is prone to human error, is subject to misinterpretation and is rarely updated; data quality checks and data flow mapping therefore play a crucial role in providing supply chain and cybersecurity assurance.
The vetting of third-party suppliers has become a much more arduous process as risks to security must be thoroughly evaluated – and rightly so. The attack on the freeware utility CCleaner is one example: it led to at least 18 other companies being targeted in a single campaign. Fortunately, on this occasion, the attack was quickly exposed and counteracted, but it still set a precedent for future supply chain attacks.
Many organisations are now placing greater emphasis on internal cybersecurity measures, as demonstrated by the fact that cybersecurity and risk management are second only to IT automation among the priority initiatives that organisations plan to invest in further during 2019. With high-profile cyberattacks an almost daily occurrence in the media, more organisations are viewing data breaches and the protection of personal data as an important part of business risk. This is encouraging news; however, within a complex supply chain, security can be compromised by just one supplier that has left a hole in its defences. While no organisation is immune from cyberthreats, effective supplier management – thoroughly screening new suppliers, vetting practices and procedures, limiting access to data and undertaking frequent security audits – can ensure that a supplier's compliance standard meets the needs of the organisation and mitigates risk.
Organisations should be diligent in verifying the security practices and procedures of third-party suppliers, vendors and partners in order to reduce threats and minimise risk. Independent certification to a framework such as ISO 27001, the industry best-practice standard for information security, is becoming a more prevalent requirement for obtaining certain contracts, especially public sector contracts and those in other critical industries such as financial services. Certification to standards and schemes such as ISO 27001 and the UK Government-backed Cyber Essentials scheme allows organisations to give their customers and suppliers assurance that they have taken a baseline approach to cybersecurity.
Pandora and IBM digitise jewellery supply chain
Pandora has overhauled its global supply chain in partnership with IBM amid an ecommerce sales boom for its hand-finished jewellery.
The company found international success offering customisable charm bracelets and other personalised jewellery through its chain of bricks-and-mortar retail destinations. But in 2020, as the COVID-19 outbreak forced physical stores to close, Pandora strengthened its omnichannel operations and doubled online sales.
A focus on customer experience included deploying IBM’s Sterling Order Management, increasing supply chain resiliency and safeguarding against disruption across the global value chain.
Pandora uses IBM Sterling Order Management as the backbone of its omnichannel fulfilment, with Salesforce Commerce Cloud powering its ecommerce. Greater automation across its channels has boosted the jeweller’s sustainability credentials, IBM said, streamlining processes for more efficient delivery. It has also given in-store staff and virtual customer service representatives better end-to-end visibility to meet consumer needs.
Jim Cruickshank, VP of Digital Development & Retail Technology, Pandora, said the digital transformation journey has brought “digital and store technology closer together and closer to the customer”, highlighting how important the customer journey remains, even during unprecedented disruption.
"Our mission is about creating a personal experience and we've instituted massive platform changes with IBM Sterling and Salesforce to enable new digital-first capabilities that are much more individualised, localised and connected across channels and markets,” he added.
Pandora’s pivot to digital
The pandemic forced the doors closed at most of Pandora’s 2,700 retail locations. To remain competitive, it pivoted to online retail. Virtual queuing for stores and virtual product trials via augmented reality (AR) technology went some way to emulating the in-store experience and retail theatre that are the brand’s hallmark. Meanwhile, digital investments in supply chain efficiency were central to meeting consumer demand.
“Consumer behaviour has significantly shifted and will continue to evolve with businesses needing to quickly adapt to new preferences and needs,” said Kareem Yusuf, General Manager, AI Applications and Blockchain, IBM. “To address this shift, leading retailers like Pandora rely on innovation to increase their business agility by enabling and scaling sustainable supply chain operations using AI and cloud.”
Yusuf said Pandora’s success was indicative of how to remain competitive by “finding new ways to create differentiated customer experiences that protect their enterprises from disruptions to help mitigate risk and accelerate growth”.