With the number of data breaches in the last year and the coming implementation of the General Data Protection Regulation (GDPR), data security has become a core focus for governments for a good reason. Warehouses have traditionally been a place not just to store goods, but also to store sensitive data for greater insights. In the past any business in the supply chain simply had to be compliant and pass an occasional audit if regulations were in place. Things have changed just in the last few years, however.
According to a Thales Security report, 67 percent of enterprises were breached in 2017. Of those that were breached, 71 percent were based in the United States. Countries are moving very quickly to implement penalties and reign in poor cybersecurity practices in organizations. The GDPR represents the most significant paradigm shift in decades regarding data security. It impacts any organization who holds any data about an EU citizen, and if you’re part of a global supply chain, this means you. Warehouse managers who may only work domestically in the US will need to increase their data security efforts as well.
In 2017 cyber security regulation introduced on the state level more than doubled. While the federal government has not passed security regulations as fast, pressure is increasing for businesses due to global and state level regulatory changes.
Supply chains account for roughly 80 percent of all cyber-attacks according to the SANS institute. Organizations manage a lot of data that could reveal vulnerabilities to a hacker or malicious insider about a client’s network. Your data security practices could be the difference between you experiencing a data breach and anyone who is a client or partner of yours.
Supply chain managers are likely well aware about existing regulations and standards that they are required to be in compliance with. You may be aware of Sarbanes-Oxley Act of 2002 (SOX), Dodd-Frank Act (conflict minerals clause), ISO 27001 and PCI DSS in some cases. These regulations all have an impact and require security of data to some degree.
Best practices have only increased in the last few years due to the increase in data security regulation. The practices listed below also take into account what will be required to be in compliance with the GDPR.
Integrate Data Security into Supplier Governance
While data security is an issue that many organizations are concerned about and take regular action internally, there needs to be accountability and standards for suppliers that work with you. Your organization already has standards for who you work with and what constitutes a termination of contract. It is here in your vetting process that you should integrate. Ask questions about their data security management program. If they have none or are unable to answer, they likely will not be able to keep your data secure.
Define & Classify Suppliers and Data
It is important to identify what suppliers are most critical to carrying out your mission, but also need to understand what data is transferred to make that possible. By identifying the data, you will also need to understand how, when and where that data is transferred and stored. While you may have excellent cyber security practices in your organization and your supplier doesn’t, you both could be held accountable. You need to understand how data moves between you and other suppliers.
Appoint a Data Protection Officer
Your organization is full of people trying to fulfill their roles and data security can become a burden on a person or a team it is assigned to. Appointing a Data Protection Officer (DPO) will help your organization in the long run. The DPO is a leadership role which is responsible for data protection strategy, implementation and management. The DPO doesn’t necessarily have to be a new person, but it must be someone who has a strong understanding of how data flows through suppliers, clients and all business relationships.
Audit Your Suppliers
If you have identified any of your suppliers or partners to be a high risk, it may be time for an audit. The purpose of a data security audit is to ensure that your suppliers have proper controls, measures and a security program established in order to mitigate the risk of a data breach. When organizations do not assess the risks of their suppliers or just do not audit them, they could potentially increase their risk to attack.
Target, who was the victim of a data breach, found that the cause of their breach was from their small AC supplier in Pennsylvania. If Target had integrated strong data security risk controls in their supplier management program, this may have been prevented.
Clearly the pressure is on for business, and even more important supply chain managers. If you’re a supply chain manager organize an effort to integrate data security into your programs today.