Simplifying The Digital Supply Chain Risk and Continuity Minefield

I have always said that, if my 10-year-old or my mum can understand it, then anybody can (sorry mum)!

But to be fair, it’s not always the difficulty in understanding something as much as it is being bombarded with the same information, several times over, from several people, via multiple forms of communication, which then leads to us zoning out, losing interest, or maybe not taking something as seriously as we should. It doesn’t mean we’re ignorant. It just means we’re human. And in a digital age where almost everything around us offers instant gratification, we want the answers straight away so we can move on to the next thing. Unfortunately, we often tend not to realise that the information we received was important until it’s too late and the horse has bolted!


  • “I wish I had gone there now, it looked amazing!”
  • “I’m gutted I’ve ordered this meal now, yours looks much better!”
  • “I wish I had invested in Bitcoin all those years ago when there was so much chatter about it!”
  • “As the CEO of Blockbuster, I wish I had bought that Netflix company when I was advised to.” Showing my age with that one!
  • “I wish I had listened to Mark Ryan from SES now. That software supplier we thought was too big to fail has unexpectedly failed, and now our business is severely impacted!”


This is not always just through our own doing. As I implied before, it’s how the information is given to us in the first place too.

Take conversations around software supplier risk and cyber security. To begin with, let’s be honest, they’re not the most interesting conversations to most people (well, cyber is at least). Secondly, there are so many people out there all looking to talk about the risks that exist, how their service/solutions can fix those problems and why we should do it. The most common reaction is to take what’s being said and measure it up in a risk vs likelihood matrix. But, if we’re being honest with ourselves, is said risk/likelihood matrix a well-established, tried and tested matrix used within our businesses, or is it our own gut-feel matrix we use ourselves to make a decision? With 20 years in the industry and through my own personal experience, it’s usually the latter.

So how many times have you had similar conversations with a tech supplier (new or existing) where you’ve pretty much made your mind up before they’ve finished, or come away thinking:

  • “Our software/tech supplier is too big. Nothing will happen to them”.
  • “Nobody would attack our business. They’ll go for the bigger companies”.
  • “We already do our own IT security so we’re fine thanks”.
  • “We’ve worked with our suppliers for years and never had any issues before”.
  • “Most companies in our industry use them so I’m sure we’ll be fine”.

I’d bet my signed pride and joy Virgil Van Dijk Liverpool shirt that most companies who have been affected by third-party software supplier failure or cyber-attacks, directly or indirectly, have said one, if not all, of those things. And more! Because our natural instinct is to go with our beliefs, and nobody likes to think negatively.



But the reality is it doesn’t matter who you are, what industry you’re in, how big you are, how unknown or well known you are, or how big or small your suppliers are. Any company that holds data or anything of importance to its operations is always at risk. And it’s not just the company itself: any connection into your company’s data or infrastructure, direct or indirect, is a potential target.


The recent cyber-attack that affected many companies that utilised the Zellis payroll system is a prime example.

Anyway, the title of this supposedly ‘easy to grasp’ article includes the word ‘Simplifying’. So, let’s do that.

Think of your company supply chain as your own personal life. You have:

  • A house (your company)
  • Friends/family (your employees/colleagues)
  • A job (your key software suppliers)
  • And you have bills/services like broadband for example (outsourced companies used by your suppliers)


We’re all aware of the vulnerabilities of our homes. We make sure we have locks on our windows and doors, and maybe alarms and cameras. We make sure our family know to lock up at night or when they leave the house. Often all seems ok in this area. We’ve done well to make sure nothing happens as these things are more in our own control.


If you’re anything like me then you’ll have endless deliveries being made on a weekly basis. And unfortunately, we all have bills for services provided! We trust the companies behind them, and trust that they take the correct security measures to hold our personally identifiable information (PII).


But what about the things that are more outside of our control? What happens when one of our ‘service providers’ is attacked and our PII is exposed? Keeping in mind that not all leaks are made public knowledge, how does the risk element change? Who has access to our payment details, name, address and D.O.B.? Who is that delivery driver? Unless your house is Fort Knox, how secure are those window and door locks? And lastly, what if we unexpectedly lose the job that we never in a million years thought we would lose, for whatever reason? Potentially, we could lose our house.

Okay, that’s all very much scaremongering I know. Especially the delivery driver part. I doubt very much that if your broadband provider got hacked that 3 weeks later dodgy Dave is going to break into your house. But, when you take that oversimplified analogy and bring it back into the business world, ‘your company’, it’s not so daft and is a lot more real.


We never expect suppliers of our business-critical software to fail to the point that the software is no longer available to us. Or, in many cases, that we could lose our own data. It’s happening now, it’s been happening for many years, and it will continue to happen. It could be their own fault, it could be because of close malicious activity, or it could be because of one of their suppliers. It’s a ‘never say never’ reality.

So, if you were to lose one of your key software suppliers (no matter how much you believe it would never happen), and/or if you lost your data, what would be the impact after a few days, weeks or months on your company’s operations, customers, employees, logistics, finances, reputation, or even, in a rare event, legal implications?


Does your company have a contingency plan in place? What is your Recovery Time Objective (RTO)?


I’ll end with this. For 20 years SES have been working with software developers and their users to implement measures that protect against the unthinkable. We are a team of specialists with an average of 12 years’ industry experience per employee, with a range of solutions that could have you back up and running in as little as 1 hour in some cases, whilst providing you access to the application source code and other ancillary parts, your data, and the technical build and deployment documentation needed for you (or somebody else on your behalf) to continue to maintain and run the software.


If you would like to understand more about how SES can help ensure the continuity of your company through our Continuity 365, Software Escrow or Cyber Security solutions, please feel free to contact me on +44(0) 7458 002 554, or [email protected]

Here are some of our top tips too, to ensure payroll is secure and employees don't have to worry about their data being breached again:

  • Process: Embrace a tech-first approach and reduce human dependence (use software, not people).
  • Integration: Make sure your payroll system integrates seamlessly with your HR system via API (not via CSV, not FTP).
  • Capability: Make sure the individuals actually running payroll day-to-day are experienced and aware of the risk; they are the most likely cause of a breach.
