What is supply chain security?

Many in the supply chain recall the major data breaches at Target and Home Depot, which occurred within months of each other and stemmed from third‑party relationships. Six years later, supply chain security breaches still make headlines—most notably, the SolarWinds breach currently reverberating across the industry.

The most recent analysis estimates the average cost of a data breach at USD 3.86 million with mega breaches (50 million records or more stolen) reaching USD 392 million. Given the surge in supply chain attacks in 2020, we can already imagine the impact when the analysis is updated.

So, what’s it going to take to tackle supply chain security?

Part of the challenge is that there is no single, functional definition of supply chain security. It’s a massively broad area that includes everything from physical threats to cyberthreats and from protecting transactions to protecting systems. It also spans mitigating risk with parties in the immediate business network to addressing risk derived from third, fourth, and “n” party relationships. However, there is growing agreement that supply chain security requires a multifaceted and functionally coordinated approach.

Supply chain leaders tell us they are concerned about cyberthreats. In this blog, we are going to focus on the cybersecurity aspects of protecting the quality and delivery of products and services, along with the associated data, processes and systems involved.

“Supply chain security is a multi-disciplinary problem and requires close collaboration and execution between the business, customer support and IT organizations, which has its own challenges. The companies that get this right start with IT and a secure multi-enterprise business network, then build upward with carefully governed and secured access to analytics and visibility capabilities. From there, they continuously monitor every layer for anomalous behavior.”

Marshall Lamb, CTO, IBM Sterling

Why is supply chain security important?

Supply chains are all about getting customers what they need at the right price, place and time. Any disruptions or risks to the integrity of the products or services being delivered, the privacy of the data being exchanged and the completeness of associated transactions can be highly damaging. They can lead to serious operational, financial and brand consequences.

Data breaches, ransomware attacks and malicious activities from insiders or attackers can occur at any tier of the supply chain. Even a security incident confined to a single vendor or third-party supplier can still significantly disrupt the “plan, make and deliver” process.

“A supply chain is only as strong as its most vulnerable entity. The Port of Los Angeles’s Cyber Resilience Center will help each participating member of the supply chain to better protect themselves and by extension each other.”

Wendi Whitmore, Vice President, IBM Security X-Force

Mitigating this risk is a moving target and mounting challenge. Supply chains are increasingly complex global networks made up of large and growing volumes of third-party partners who need access to data and assurances that they can control who sees that data. Today, new stress and constraints on staff and budget and rapid unforeseen changes to strategy, partners and the supply and demand mix, add further challenges and urgency.

At the same time, more knowledgeable and socially conscious customers and employees are demanding transparency and visibility into the products and services they buy or support. Every touchpoint adds an element of risk that needs to be assessed, managed and mitigated.

Top 5 supply chain security concerns

Supply chain leaders across industries and regions have shared their top five security concerns. These issues are significant enough that they often keep them awake at night.

1. Data protection. Data is at the heart of business transactions and must be secured and controlled at rest and in motion to prevent breach and tampering. Trusting the source of data exchange—be it a third party or an e‑commerce site—is critical. Verifying that the party is authentic is a vital safeguard.

1. Data locality. Critical data exists at all tiers of the supply chain, and must be located, classified and protected no matter where it is. In highly regulated industries such as financial services and healthcare, data must be acquired, stored, managed, used and exchanged in compliance with industry standards and government mandates. These requirements vary depending on the regions in which organizations operate.

1. Data visibility and governance. Multi-enterprise business networks not only facilitate the exchange of data between businesses, but also allow multiple enterprises access to data so they can view, share and collaborate. Participating enterprises demand control over the data and the ability to decide who to share it with and what each permissioned party can see.

1. Fraud prevention. In a single order-to-cash cycle, data changes hands numerous times, sometimes in paper format and sometimes electronic. Every point at which data is exchanged between parties or shifted within systems presents an opportunity for it to be tampered with—maliciously or inadvertently.

1. Third-party risk. Everyday products and services—from cell phones to automobiles—are increasing in sophistication. As a result, supply chains often rely on four or more tiers of suppliers to deliver finished goods. Each of these external parties can expose organizations to new risks based on their ability to properly manage their own vulnerabilities.

Supply chain security best practices

Supply chain security requires a multifaceted approach. There is no one panacea, but organizations can protect their supply chains with a combination of layered defenses. As teams focused on supply chain security make it more difficult for threat actors to run the gauntlet of security controls, they gain more time to detect nefarious activity and respond effectively.

Here are a few of the most important strategies organizations use to manage supply chain security risk. These methods also help them mitigate potential threats and strengthen overall resilience.

• Security strategy assessments. To assess risk and compliance, you need to evaluate existing security governance—including data privacy, third-party risk and IT regulatory compliance needs and gaps—against business challenges, requirements and objectives. Security risk quantification, security program development, regulatory and standards compliance, and security education and training are key.

• Vulnerability mitigation and penetration testing. Identify basic security concerns first by running vulnerability scans. Fixing bad database configurations, poor password policies, eliminating default passwords and securing endpoints and networks can immediately reduce risk with minimal impact to productivity or downtime. Employ penetration test specialists to attempt to find vulnerabilities in all aspects of new and old applications, IT infrastructure underlying the supply chain and even people, through phishing simulation and red teaming.

• Digitization and modernization. It’s hard to secure data when you’re relying on paper, phone, fax and email for business transactions. Digitization of essential manual processes is key. Technology solutions that make it easy to switch from manual, paper-based processes while adding security, reliability and governance to transactions provide a strong foundation. This foundation enables secure data movement within the enterprise as well as with clients and trading partners. As you modernize business processes and software, you can take advantage of encryption, tokenization, data loss prevention and file access monitoring and alerting. At the same time, it is important to bring teams and partners along with security awareness and training.

• Data identification and encryption. Data protection programs and policies should include the use of discovery and classification tools to pinpoint databases and files that contain protected customer information, financial data and proprietary records. Once data is located, employing the latest standards and encryption policies protects data of all types, at rest and in motion—customer, financial, order, inventory, Internet of Things (IoT), health and more. Incoming connections are validated, and file content is scrutinized in real time. When transacting online, digital signatures, multifactor authentication and session breaks ensure improved protection.

• Permissioned controls for data exchange and visibility. Multi-enterprise business networks ensure secure and reliable information exchange between strategic partners with tools for user- and role-based access. Identity and access management security practices are critical to securely share proprietary and sensitive data across a broad ecosystem, while finding and mitigating vulnerabilities lowers the risk of improper access and breaches. Database activity monitoring, privileged user monitoring and alerting provide visibility to catch issues quickly. Adding blockchain technology to a multi-enterprise business network provides multi-party visibility of a permissioned, immutable shared record that fuels trust across the value chain.

• Trust, transparency and provenance. With a blockchain platform, once data is added to the ledger it cannot be manipulated, changed or deleted which helps prevent fraud and authenticate provenance and monitor product quality. Participants from multiple enterprises can track materials and products from source to end customer or consumer. All data is stored on blockchain ledgers, protected with the highest level of commercially available, tamper-resistant encryption.

• Third-party risk management. As connections and interdependencies between companies and third parties grow across the supply chain ecosystem, organizations need to expand their definition of vendor risk management to include end-to-end security. allows companies to assess, improve, monitor and manage risk throughout the life of the relationship. Start by bringing your business and technical teams together with partners and vendors to identify critical assets. Then, assess the potential damage to business operations when faced with a compliance violation, system shutdown or public data breach.

• Incident response planning and orchestration. Proactively preparing for a breach, shut down or disruption and having a robust incident response plan in place is vital. Practiced, tested and easily executed response plans and remediation prevent loss of revenue, damage to reputation and partner and customer churn. Intelligence and plans provide metrics and insights your organization and partners can use to guide decisions to prevent attacks or incidents from occurring again.

Supply chain security will continue to get even smarter. As an example, solutions are beginning to incorporate AI to proactively detect suspicious behavior by identifying anomalies, patterns and trends that suggest unauthorized access. AI-powered solutions can send alerts for human response or automatically block attempts.

How are companies ensuring supply chain security today?

IBM Sterling® Supply Chain Business Network set a new record in secure business transactions in September of this year, marking a 29% increase compared to September 2019. It is also helping customers around the world rebuild their businesses with security and trust despite the global pandemic.

International money transfer service provider Western Union completed more than 800,000 million transactions in 2018 for consumer and business clients rapidly, reliably and securely with a trusted file transfer infrastructure.

Fashion retailer Eileen Fisher used an intelligent, omnichannel fulfillment platform to build a single pool of inventory across channels, improving trust in inventory data. This approach also enabled more flexible fulfillment and helped reduce customer acquisition costs.

Blockchain ecosystem Farmer Connect transparently connects coffee growers to the consumers they serve, with a blockchain platform that incorporates network and data security to increase trust, safety and provenance.

Financial services provider Rosenthal & Rosenthal replaced its multiple approaches to electronic data interchange (EDI) services with a secure, cloud-based multi-enterprise business network. This shift reduced operational costs while delivering a responsive, high-quality service to every client.

Integrated logistics provider VLI is meeting myriad government compliance and safety regulations while enabling its 9,000 workers to access the right systems at the right time to do their jobs. It achieves this outcome with an integrated suite of security solutions that protect its business and assets and manage user access.

One of the busiest seaports in the world, the Port of Los Angeles is building a first-of-its-kind cyber resilience center with a suite of security offerings. The initiative is aimed at enhancing its supply chain ecosystem’s awareness and readiness to respond to cyberthreats that might disrupt the flow of cargo.

Solutions to keep your supply chain secure

Keep your most sensitive data safe, visible to only those individuals you trust, immutable to prevent fraud, and protected from third-party risk. Let IBM help you protect, with battle-tested security that works regardless of your implementation approach—on-premises, cloud or hybrid.