Developing a contingency plan and avoiding shutdowns from a security breach

Danie Schoeman

1 July 2015

Transport Security 201507 lin


Page 1: Transport Security 201507 lin


Page 2

A changing landscape

Page 3

The road to globalisation – and greater risk

“Despite the known dangers and costs of supply chain disruptions, only 21% of companies assess value and supply chain risk continuously.”

World Economic Forum Study 2012, Insurance News; Deloitte 2012 Risk Management Report; BCI Supply Chain Resilience Survey 2011; Ruud Bosman (2006), The New Supply Chain Challenge: Risk Management in a Global Economy, Factor Mutual Insurance

Page 4

Increasing complexity and fragility

[Chart: value captured in Apple’s iPod supply chain, split between Apple (Margin), Distribution and Retail, Major Components, Other Inputs, and the margins earned in Japan, the USA, Taiwan and Korea, with a dollar figure per segment]

Adapted from G. Linden, K.L. Kraemer, and J. Dedrick (2009), “Who Captures Value in a Global Innovation Network? The Case of Apple’s iPod”, Communications of the ACM, March 2009, Vol. 52, No. 3, pp. 140-144; World Economic Forum Global Risks 2015.

Page 5

The Chief Supply Chain Officer agenda

Top 5

• Cost Containment (55%)

• Customer Intimacy (56%)

• Visibility (70%)

• Globalisation (43%)

• Risk (60%)

IBM, The Smarter Supply Chain of the Future - Insights from the Global Chief Supply Chain Officer Study 2010

Page 6

Full of risk

Page 7

Typical supply chain risks

Business continuity risks

• Natural disasters

• Man-made disruptions

• Supplier redundancy & contingency

Security risks

• Cargo disruption

• Cargo theft

• Hijacking exposure

• Unmanifested cargo

• Information/cyber attacks

• Sea piracy

• Supply chain terrorism

• Anti-western terrorism

Brand protection risks

• Facility traceability (forced & child labour)

• Compliance to social & human rights

• Compliance to environmental, health & safety

• Counterfeiting

• Intellectual Property violations

Geopolitical risks

• Political stability

• Economic & financial stability

• Corruption

• Crime & government effectiveness

• Employee screening practices

Page 8

Causes of supply chain disruption

[Chart: share of respondents (0% to 90%) reporting each cause, rated High Impact, Some Impact or Low Impact, and grouped into Security risks, Business continuity risks, Brand protection risks and Geopolitical risks]

Causes listed: Environmental incident; Intellectual Property violation; Product quality incident; Health & Safety incident; Animal disease; Earthquake/tsunami; Insolvency (in the supply chain); Human illness; Civil unrest/conflict; Industrial dispute; Outsourcer service failure; Adverse weather; Energy scarcity; Lack of credit (cost, availability); Currency exchange rate volatility; New laws or regulations; Loss of talent/skills; Act of terrorism; Fire; Business ethics incident; Data breach; Cyber attack; Transport network disruption; Unplanned IT/telecoms outage

BCI Supply Chain Resilience Survey 2014; G4S Analysis

Page 9

Identifying security breaches

Page 10

Only 9 cyber attack patterns to consider

Nine patterns classify almost all of the attacks and cover 92% of over 100,000 incidents:

• Payment card skimmers: 0,1%

• Point of sale intrusions: 0,7%

• Cyber espionage: 0,8%

• Denial of service attacks: 3,9%

• Web app attacks: 4,1%

• Physical theft and loss: 15,3%

• Insider and privilege misuse: 20,6%

• Crimeware: 25,1%

• Miscellaneous errors: 29,4%

Verizon 2015 Data Breach Investigations Report

Page 11

Cyber attacks are physical

[Chart: three headline percentages, one per statement]

of insider and privilege misuse attacks used the corporate LAN.

of theft / loss happened at work.

of miscellaneous errors involved printed documents.

Verizon 2015 Data Breach Investigations Report

Page 12

Typical cyber attack incidents for transport & logistics

Transportation: Cyber-espionage 24%, Insider and privilege misuse 16%, Web app attacks 16%

of the incidents in an industry can be described by just three of the nine patterns.

WEB APP ATTACKS

When attackers use stolen credentials or exploit vulnerabilities in web applications — such as content management systems (CMS) or e-commerce platforms.

INSIDER AND PRIVILEGE MISUSE

This is mainly insider misuse, but outsiders (due to collusion) and partners (because they are granted privileges) show up as well. Potential culprits come from every level of the business, from the frontline to the boardroom.

CYBER-ESPIONAGE

When state-affiliated actors breach an organization, often via targeted phishing attacks, and are after intellectual property.

Verizon 2015 Data Breach Investigations Report

Page 13

Look inside your company

[Chart: likely sources of incidents, share of respondents (0% to 40%), two series: All industries in all regions and Transportation & Logistics]

Sources listed: Unknown; Domestic intelligence service; Foreign nation-states; Competitors; Activists / activist organisations / hacktivists; Organised crime; Hackers; Suppliers / business partners; Former service providers / consultants / contractors; Current service providers / consultants / contractors; Former employees; Current employees

PWC Global State of Information Security Survey 2015

Page 14

Screening and vetting is business critical

[Chart: security safeguards in place, share of respondents (0% to 80%), two series: All industries in all regions and Transportation & Logistics]

Safeguards listed: Conduct personnel background checks; Require 3rd parties to comply with our privacy policies; Employee security awareness training programme; Privileged user access; Secure access-control measures; Accurate inventory of where personal data for employees and customers are collected, transmitted…; Employ a Chief Information Security Officer in charge of security; Information security strategy that is aligned to the specific needs of the business

PWC Global State of Information Security Survey 2015

Page 15

Cargo theft

FreightWatch International

Page 16

Cargo theft

Page 17

Hijacking exposure

ISS Crime Hub - http://www.issafrica.org

Page 18

Sea piracy

Based on info from IMO, IMB, ReCAAP

Page 19

Sea piracy - current

ICC: International Maritime Bureau Piracy & Armed Robbery Map 2015

Page 20

Corruption

2014 Transparency International

Page 21

Customs “integrity”

[Scatter plot: Customs Transparency Index (vertical axis, 0 to 1,2) against Irregular Payments (horizontal axis, 0 to 7; 1 = common, 7 = never occurs); quadrants labelled Honest Joe’s, Honest Crooks, Angels and Dark Horses]

Countries plotted: Brazil, Russia, India, China, South Africa, Morocco, Rwanda, Nigeria, Gabon, Ghana, Ethiopia, Benin, Angola, Uganda, Cameroon, Gambia, Kenya, Egypt, Hong Kong, Indonesia, Korea, Rep., Malaysia, Philippines, Singapore, Taiwan, Thailand

DS&C Analysis, WEF ETI (2014)

Page 22

Consequences of security breach

Page 23

Consequences of supply chain disruptions

[Chart: scale 0 to 70 per consequence]

Consequences listed: Share price fall; Product recall/withdrawal; Fine by regulator; Payment of service credits; Increase in regulatory scrutiny; Loss of regular customers; Product release delay; Stakeholder/shareholder concern; Delayed cash flows; Damage to brand reputation; Service outcome impaired; Customer complaints received; Loss of revenue; Increased cost of working; Loss of productivity

BCI Supply Chain Resilience Survey 2014

Page 24

Significant losses

Loss band and share of respondents:

• <€50K: 49%

• €50K-€250K: 17%

• €251K-€1M: 10%

• €1.1M-€10M: 18%

• €11M-€50M: 4%

• €51M-€100M: 1%

• €101M-€250M: 0%

• €251M-€500M: 1%

• >€500M: 0%

BCI Supply Chain Resilience Survey 2014

Page 25

Making a plan

Page 26

Contingency planning

Step #1: Conduct a Threat Assessment

Step #2: Identify and Review Core Business Functions

Step #3: Conduct a Business Impact Analysis

Step #4: Apply Prevention and Mitigation Measures

Step #5: Implement Tests and Maintain the Plan

Guiding questions and notes:

• What can go wrong?

• What are the exposures to the supply chain?

• Look for your Achilles' heel.

• Have a well-thought-out plan.

• Test the plan!

• What can the combination of Step #1 and #2 do to your business?

Page 27

Risk mitigation strategies

• Research, analysis, training, and guidance to support your company through supply chain security efforts such as TAPA, C-TPAT or AEO Review and Support, Security Criteria Gap Analysis, Financial Risk Exposure Review, and Continual Improvement Support.

• Utilising business continuity management standards such as ISO 22301:2012.

• Utilising comprehensive supply chain security intelligence resources, including trade and compliance intelligence, global supply chain security risk data and analysis.

• Supplier oversight and cargo custody controls.

• Using real-time trade interruption updates and reports on major disruption incidents, countermeasure programs, and risk mitigation best practices. Country-specific reports on Supply Chain Terrorism, Cargo Disruption, Business and Political Climate, Population and Culture, Economy and Trade, Transportation Infrastructure, General Governance, Export Control Governance, Employer Security Practices, and Customs-Trade Supply Chain Security Programs.

• Thorough vetting of your supply chain and participating firms’ supplier base.

• Automating the supplier risk assessments for Anti-Western terrorism and cargo disruption data.

• Modelling the risk of global cargo tampering data and terrorism.

Page 28

The payoff

Page 29

Benefits to you

• Effectively protect and manage your supply chains with the ability to productively respond to stresses

• Decreased losses and lower associated production costs

• Improved business continuity via a more robust, resilient, and responsive supply chain

• Greater end-to-end transparency for improved process management and efficiency

• Competitive advantages over industry rivals when supply chain risks arise

• Brand Protection

Page 30

Thank you