Suppliers and Cyber Security
- David J Ward
- Jul 18, 2019
Cyber Security and the Supply Base.
I have been involved in advocating the use of technology to enable greater efficiency and effectiveness from supply bases for many years now. This has evolved from the early days of reverse auctions back in the nineties to a world in 2018 where data analytics, eRFx, P2P and even AI technologies have truly revolutionised the way we manage the supply base and seek and deliver opportunities and value to our customers.
However, like all things positive, technology brings with it the negative. I am of course talking about cyber-crime. Whilst technology has changed our daily lives both personally and professionally, it has also opened up whole new areas of risk for us to worry about. At home these risks might be about how safe our family is on-line, how safe our money is on-line, or whether that unfortunate holiday picture of me in my speedos has been posted on Facebook!
According to Interpol: “The increasing use of technology and the Internet in all aspects of daily life puts everyday citizens at risk of becoming targets of cyber-criminals. As society comes to rely more and more on the Internet, the dangers posed by different types of cyber-crime have become very real threats. These threats come in a variety of forms and target different features of the Internet, technological devices and their users.”
At work, however, it presents itself in a whole set of new ways. If risk management strategies were complex before Mr Berners-Lee invented the World Wide Web, they have definitely become exponentially more so since his wonderful idea began to dominate our personal and professional lives.
With this new challenge emerging faster than most of us can log or remember our mothers’ maiden name, as Procurement and Supply Chain professionals we need to take our role as custodian of external supplier relationships a step further. We need to think of ourselves as guardians of our company’s reputation, products, intellectual property and data across the supply base like never before. We need to ensure we are monitoring the cyber-risk profile of our supply chains so that we can detect data breaches, detect illicit product and IP trafficking and be ready with corrective actions if we are alerted to these risks.
Almost all of your suppliers will have some kind of digital connectivity with your company. They will transact with you via some kind of internet-based technology. They will talk to you via email, they will invoice you directly via an enterprise system and they will get paid through an electronic transaction from your bank. All of these routes are open to infiltration by cyber-criminals. So your supply base suddenly becomes an increased cyber-risk exposure for your company.
What is the Dark Net?
To many of us, this world of cyber-crime may well feel like something out of a Scandinavian TV detective show: not so much the long shots of Volvos disappearing over snow-covered horizons, but still plenty of mysterious goings-on, with lots of players you don’t quite see or understand and perhaps the odd Aran jumper thrown in for good measure. In reality the Dark Net is a bit of a misnomer. There isn’t really a separate internet, dark or otherwise. What there is are huge numbers of servers supporting huge numbers of URLs that simply can’t be seen by Google or other conventional search engines. These servers aren’t ‘other-worldly’ as such; you just can’t see them with the search engine on your laptop, so we say they are uncharted. The ‘uncharted web’ or ‘the deep web’ are therefore much better ways of describing this. It is a bit like the old seafarers before we had mapped the world. Islands, countries and strange places were there; they were just not on the map. The tree in the forest does still fall down even if you don’t know about it. Whether it makes a noise or not is another question, too weighty for Supply Management Magazine I fear.
Interpol describes it thus:
“When you look up a word or phrase on an Internet search engine, it scans the Internet to find a match. But there are large sections of the Internet which search engines cannot detect – this is known as the ‘deep web’. Whilst most of what exists in the deep web is not dangerous information, it can be deliberately misused by those with malicious intent.”
And it is this malicious intent that we now need to guard against. Criminals can hide in the deep or uncharted web and they have clever ways to use this hiding place to run their enterprises.
Interpol again: “By using specialized software to conceal their activities and guarantee anonymity, criminals can conduct illegal enterprises such as selling drugs or weapons, illicit gambling, and trading in counterfeit identity documents or child abuse material.”
The Uncharted Web and Supplier Management
There are three key ways that the Supply Base can compromise your company in cyberspace:
1. Product: selling stolen or counterfeit products is a key activity of cyber-criminals. Liaisons are carried out in the uncharted or deep web and transactions can then be carried out in plain sight on traditional sites like eBay, but in such a way as to seem innocent. If your supply base is responsible for any part of managing your product, whether it be manufacturing, packaging or transportation, cyber-criminals will have access to it; they will know where it is, where it is going and how to intercept it or counterfeit it.
Just take the healthcare industry, for example. Interpol again:
“The increasing prevalence of counterfeit and illicit pharmaceuticals has been compounded by the rise in Internet trade, where they can be bought easily, cheaply and without a prescription. It is impossible to quantify the extent of the problem, but in some areas of Asia, Africa and Latin America counterfeit medical goods can form up to 30% of the market.” Clearly this is a lucrative business.
2. Intellectual Property: as companies increasingly rely on suppliers for more and more of their product supply, research and development, as well as marketing and even sales, our intellectual property becomes exposed to high degrees of risk. Most intellectual property is surprisingly easily and freely shared between a company and its suppliers. And then in all likelihood the suppliers share it with their suppliers. Not in any illicit way, but just so they can get on with delivering the goods or services you have contracted with them for. Intellectual property has value, huge value if sold to the highest bidder. It also carries risk, such as exposing confidential projects you might be working on or business arrangements you have with your customers. With access to your systems, possibly with as little as an email address, hackers and cyber-criminals can trawl your networks looking for IP. So that blueprint for a new micro-chip or the formula for the cure for cancer is open to theft.
3. Data: The easiest thing for you to lose is data. Email addresses, passwords, company credit card details. With just small elements of this data, informed criminals can and do deduce passwords, hacking strategies and access to further, more sensitive information. This they can then sell to the highest bidder.
So what can be done about it?
One thing is for sure: risk, cyber or otherwise, is always present; you can’t mitigate it entirely. You can, however, be more in control and start to get more pro-active. Deep Web monitoring tools such as DarkBeam (www.darkbeam.com) can detect what information from your company is being trafficked on the uncharted web and monitor that activity. Such technology can also see if information from your company is being leaked from any of your suppliers and produce a dashboard showing you where the leaks are occurring. This then gives you the ability to work with those suppliers to stop it. The tool can also be used in sourcing evaluation, as you can see if certain suppliers are more susceptible to cyber security issues before you do business with them. If a potential supplier has just too much deep web traffic you might decide they are just too risky for you to use.
Technology such as this should not just be used to manage what you already manage, but in a slightly different way; it should be used to help you fundamentally shift your view of risk management in light of new and very dangerous realities. It should be used to help you re-shape how you work with your internal stakeholders and your suppliers to produce a technology-enabled, collaborative approach to a global threat.