Faith in data management
Back before the Sept. 11, 2001 terrorist attacks, a shipper that sourced its goods from a far-flung destination really only had to consider a couple things about its supplier.
First was the quality of the goods produced by that supplier, and second was the supplier’s ability to deliver them in a timely manner.
Then, in an instant, things changed. After 9/11, security regulators went into overdrive and it had an inevitable effect on supply chains. Beneficial cargo owners were being held responsible not just for the security of their suppliers, but for their suppliers’ suppliers. The responsibility of the shipper went all the way up the chain.
Consider this evolution in physical supply chains when you think about the way supply chain data interchange and management have evolved. There’s this constant drive among supply chain IT vendors to collect, aggregate and recycle data for the benefit of their customers.
It’s the old argument: “You only get as much as you give.” Advanced IT systems don’t just manage data, they make sense of it, and then feed it back into the decision-making processes of shippers’ transportation management and compliance departments.
But there’s a potential dark side to this intensified data management – one that an astute technology manager for a major consumer goods company pointed out to me recently.
With companies increasingly urged to share as much data as possible with their IT vendors, it’s inevitable that someone’s data will be compromised, even with all the safeguards in place to handle such a breach.
The vulnerabilities most likely lie in the actual back office work that is sometimes contracted out to business process outsourcing companies in places like India or the Philippines – in other words, your IT vendor’s vendor.
Does that sound familiar? In many ways, shippers are taking as big a leap of faith with their information chains as they took with their physical supply chains prior to 9/11, before regulators required them to stop having so much faith.
The inevitability of a breach doesn’t mean there will be some widespread leaking of critical information across an entire sector. It might be confined to one part of a single company’s database. But to that company, it could represent a significant problem.
The same IT manager also confided: companies recognize this risk and realize it is part of the gamble they take when releasing data to a trusted party. The question is what will happen when a breach of supply chain information from a major shipper occurs? What’s the fallout?
It’s the reason why many shippers are supremely careful about which parties have access to their data. There are companies that are driven by collaboration and openness with supply chain partners, and American Shipper’s research has borne out that this approach yields results.
But the companies that are conservative about their data can point to this security breach inevitability as a major reason why. Maybe they want to see data security regulations become as robust as physical supply chain security regulations. Or perhaps they believe there’s an inherent vulnerability to electronic data, that critical information will always be a click away from being leaked.
“The risk of shared data being compromised is one of the key risks in the supply chain,” Michael de Crespigny, chief executive of the U.K.-based Information Security Forum, said in August. “The sharing of information across multiple tiers in a supply chain magnifies that risk and many organizations find it difficult to understand or track where their information goes.”
The ISF is a non-profit group that is leading a project to “examine how to collaborate and share intelligence that would enable organizations to be sure information in their supply chains is secure,” according to a Financial Times report in August.
There are all sorts of data points that suggest supply chain data is ripe for security breaches. Half of companies reported a data breach due to the complexities of managing multiple systems, according to a study in the fall by the network security firm AlgoSec. The same study found three-fourths of companies manually manage their network security.
The study wasn’t limited to supply chain functions, but it’s easy to extrapolate the dangers for supply chain information.
American Shipper’s most recent International Transportation Management Benchmark Study found the average shipper operates 3.6 systems.
Put all of this together, along with the fact that data shared with IT vendors is then frequently passed to outsourced vendors, and the risks grow pretty quickly.
“IT supply chain integrity issues are real, and will have mainstream enterprise IT impact within the next five years,” said Neil MacDonald, research vice president and Gartner fellow.
Gartner said in an October report that by 2017, supply chain IT security will emerge as a top three security-related concern for major companies, inevitably changing the way it is managed. The report suggests IT supply chains will be targeted and compromised.
“They are growing more complex as IT systems are assembled from a large number of geographically diverse providers, and now of mainstream concern to enterprise IT,” said Ray Valdes, also research vice president at Gartner.
The questions to consider going forward: do you get enough out of data-sharing and collaboration with your IT vendor and other partners to offset the risks of a potential data breach? Does your vendor provide enough peace of mind in terms of data security? Do you think the risks associated with sharing supply chain data are overblown? If you answered yes to all these questions, then share away.
But be mindful that a shipper asked about its physical supply chain pre-9/11 would have likely had the same faith in its unseen downstream suppliers, faith it’s no longer allowed to have.