Updated: Nov 3, 2022
While the digitization of supply chain management comes with a lot of benefits, it also comes with risks. Cybersecurity is the practice of protecting systems, networks, programs, and data from digital attacks. According to Statistics Canada, about one-fifth of Canadian businesses reported being impacted by a cybersecurity incident in 2019. This number has likely increased since then. The Government of Canada has recognized the growing importance of cybersecurity: it has introduced Bill C-26, which would amend the Telecommunications Act and enact a separate Critical Cyber Systems Protection Act, both of which would have implications for businesses.
An organization should include cyber risk as part of its overall risk management program. See the post on building a resilient supply chain for a methodology to rank cyber threats. Antivirus software, encryption, blockchains, VPNs (virtual private networks), and firewalls are the obvious defenses against cyber threats. But since I'm not technically inclined in this area, I will refer you to IT experts and resources to learn more about them. Non-technical security measures, however, also contribute to cybersecurity efforts. These efforts should cover prevention, monitoring, detection, and response.
The concept of segregation of duties came from finance, where it is used to prevent fraud and errors, but proper segregation of duties also limits losses from cyber-attacks. For example, by having separate personnel responsible for approving purchase requisitions, purchase orders, and invoices, a breach in one function may be caught by the others.
Employee training will go a long way in protecting the organization. Humans are often the weakest link in information systems. Using strong passwords, protecting data through diligent document controls, and being able to identify phishing emails all play an important part in cybersecurity. Social engineering is the use of psychological tactics to gain access to systems through their users. By making staff aware of these tactics, the organization reduces the likelihood of a systems breach.
As a supply chain blog, we obviously have to include external parties. Having strong internal security is not enough. According to the BDO Global article "10 things CFOs should do immediately about cyber security" (September 2018), over 60% of data breaches happen through a third party. Supply chain management actions include screening your suppliers for adequate security capabilities, sharing knowledge and resources, jointly identifying risks and incidents, conducting audits, and setting contractual security obligations.
Finally, every organization needs a response plan. Even with diligent monitoring and detection systems in place, cyber-attacks are no longer a question of "if" but of "when". Make sure you have formal incident response, disaster recovery, and business continuity plans in place. Emotions will run high after a breach, and if plans are not in place, recovery may be chaotic and ineffective.