Originally published on capsresearch.org
Supply managers face a daunting challenge when it comes to data. Sharing data with suppliers can improve efficiency, flexibility, quality, and new product development. But there are risks to intellectual property, corporate, and personal information, as well as regulatory and legal concerns, and attacks that could severely impair the organisation.
Given the benefits, supply managers face pressure to share increasingly sensitive data but face challenges in securing systems and preventing breaches.
The new CAPS Research report Digital Connectivity and Data Protection in Supply Management examines risks, challenges, and best practices for sharing and protecting data.
Today, buyers and suppliers are more connected than ever. Organisations benefit from sharing data with suppliers to improve efficiency, flexibility, quality, and new product development. But those connections carry risks as well.
Though high-profile breaches of personally identifiable information (PII) have been made public, there have been relatively few reports of operational data breaches. This could mean protection plans are effective or it could indicate that companies aren’t aware they have been breached or are reluctant to go public unless legally required.
Organisations face an array of risks in managing relationships with suppliers and multiple tiers of suppliers. The growing use of connected devices, outsourced suppliers, and international supply chains elevates the challenge.
Factors that complicate data sharing
Attackers often look for weak links among smaller companies without sophisticated technology or security partners. That means your supply chain partners are on the front lines of protecting your organisation's data. Here are challenges companies encounter when sharing data:
- Technological differences: Not all parties use the latest protection standards, technology, and policies.
- Procedural differences: If they exist at all, policies and procedures can lead to confusion and gaps in protecting data.
- Employee training: Suppliers may not have adequate employee training in managing and handling confidential information, reporting breaches and incidents, and overall cybersecurity threats and intrusion strategies that lead to vulnerabilities.
- Monitoring: It's difficult to track data use and distribution at supplier locations, especially if that information is further dispersed into the sub-tiers of the supply base. Assessing supplier policies, procedures, and governance is critical, as is ensuring that supplier management practices validate that data protection and governance procedures are adequate.
- Communications: While under investigation, information about attacks and breaches may be delayed or, in case of a loss, heavily filtered.
- Legal liability: Establishing and enforcing liability is difficult, even when covered in contracts. It's even tougher with international relationships.
Tensions in security
Organisations face tradeoffs in managing security and business requirements.
- Protection vs. Speed: Assessing and validating data protection requirements slow supplier selection, qualification, and onboarding.
- Protection vs. Cost: Requirements may eliminate low-cost provider options.
- Protection vs. Agility: Supplier base could be limited to only sophisticated suppliers that can meet requirements.
There's an overlap between internal data security and external security in relationships with suppliers. Both aspects are built on technology, people, and processes. As part of the supplier due diligence and evaluation process, organisations should examine suppliers’ capabilities in managing the risks inherent in sharing data.
Although it may not be possible to eliminate performance tradeoffs, understanding the gaps and looking for alignment between the organisations in the risk areas will help guide the process. The tensions mentioned will be a part of that process, as business priorities compete with security considerations.
After considering risks and relationships, it's helpful to look at best-in-class organisations that are effectively addressing these issues.