Prioritizing risk shouldn’t be an ad hoc process. Just as we discussed how lower-tier suppliers can sometimes prove pivotal to an entire process once every step in the chain has been analyzed, so too we can take a data-based approach to examining which steps in the chain could have the greatest impact on a business should calamity strike — and ideally, conduct cost comparisons as well, so decisions makers can understand what’s best for their bottom line.
Take Sony, for example. In 2011, a major breach in the PlayStation Network, which linked to the popular PS3 game system, cost the company some $170 million to fix. Execs took the whole system off-line, brought in forensic analysts and offered customers free games and identity theft protection, according to Computer World magazine. Fast forward three years, and another data breach, this time targeting the motion picture arm of Sony’s mega corporation, flooded gossip rags with days’ worth of fodder about the inner workings of the studio.
The first hit has been tied a lawsuit the company brought against an American hacker, while the more recent incident, from November, looks like a North Korean attempt. At least one expert has said that the breach was so sophisticated, 90 percent of the Internet’s defenses would have probably been just as vulnerable. But it has also raised questions as to how serious Sony takes the confidentiality of data, given that major hacks occurred just a few years apart.
Clearly data security is a major potential problem in the supply chain that Sony uses to bring entertainment of various forms to customers. While the firm spent $170 to mitigate the 2011 attack, the 2014 version begs the question of whether the company was shortsighted in not spending even more — and eventually lost out a second time.
Truth is, there’s no perfect system. But planning can make all the difference.
“The unfortunate reality of today’s complex global marketplace is that not every security compromise can be prevented beforehand,” writes Steve Durbin, managing director of the Information Security Forum (ISF). “But being proactive now also means you, and your suppliers, will be better able to react rapidly and intelligently when something does happen.”
In previous posts we’ve discussed how to adopt an SCRM program, and how to get started. It takes some effort, such as evangelising to make sure everyone is on board. But it’s all about making informed choices. Thorough, thoughtful analysis of a chain, be it one delivering data or physical goods, allows management to assess the cost of risk, and decide where to invest to head off the worst — and how to plan for the inevitable.
Take the Sony example. One story suggested that the company had let go some security personnel in between breaches. We don’t know why that occurred, but consider a firm that might, for example, need to shrink payroll and decide IT security has some extra positions. But a supply chain risk assessment might have found that keeping a few more employees might have been worth it in the case of a costly hack attack.
Which would you rather be — a Sony putting out multimillion dollar fires, or a Nissan lauded for smart planning in a crisis?
The Supply Chain Risk World 