In today's market, organizations must take potential supply chain threats seriously or risk being vulnerable to potentially devastating attacks. The efficiency and security of a company’s supply chain are critical to the overall health of the business because these complex systems help minimize cost, waste and time in the production cycle if properly secured and managed.
Often, your organization’s supply chain can face both physical and cyber threats. Because supply chains rely heavily on the internet, they are vulnerable to cyberattacks, which could affect sourcing, vendor management, supply chain continuity and even product quality. Physical threats to your supply chain include more traditional methods of harm, such as theft, sabotage and piracy, which can come from both internal and external sources. For example, if cargo is at sea and the ship is hijacked by pirates, this is an external threat. If a disgruntled employee decides to steal or sabotage inventory during transport, this is an internal threat. However, when considering ways to mitigate physical security threats to your company's supply chain, it is critical to consider both internal and external threat factors.
Mitigating Security Risks
Who is responsible for supply chain security? It is important to clarify whether the organization or the suppliers are responsible for supply chain risk management, which requires excellent communication between security departments, organizational leadership and third-party vendors. Risks can increase without appropriate due diligence on suppliers. Once clear lines of responsibility have been defined, it is best to work with a security team that is well versed in enterprise security risk management.
The terrorist attacks of September 11 had a profound effect on the management of security across all industries. Since then, organizations have taken a proactive look at their security programs and developed a more formal approach to enterprise security management. Security teams, whether internal or outsourced, should take a risk-based approach to supply chain security. They should ask organizations questions about what needs to be protected, what are potential threats and how we can best and most efficiently protect it. These questions will help identify and prioritize assets to be protected; understand the security risks to the enterprise and their relationship to those assets; take the necessary, appropriate and realistic steps to protect against the most serious security threats and risks to those assets; and finally, help continuously improve and advance the overall security of the supply chain system.
The following are nine best practices for businesses to consider to improve supply chain security:
1. Due Diligence of Suppliers, Employees and Partners: Companies should include a review of security policies and procedures as part of the due diligence on suppliers. This due diligence should include a risk assessment of the supplier’s organization, which should include a review of security policies and procedures, as well as an analysis of country-of-origin risks, sector risks, entity risks and financial risks.
2. Background Checks: It is also important to perform background checks, where possible, on employees involved in the chain of custody of your goods and supplies. Organizations should audit any transport partners using licensed third-party auditors to certify potential transportation partners.
3. Testing: If possible, organizations should perform penetration and vulnerability testing along various points in their supply chain. Vulnerability assessments will alert companies to flaws in the system and pinpoint where those flaws are happening. Penetration tests attempt to exploit vulnerabilities to determine which flaw could pose a threat.
4. Training: Employees working within the supply chain should be trained to be alert to changes and inconsistencies in their environment. They should always be situationally aware, knowing where they are, what is going on around them, and being more alert and informed to make better decisions.
5. Tracking: As a best practice, every organization should log and track shipments. GPS devices can be affixed to cargo, sea containers, air shipment containers and even on people for personal protection. The signals from those GPS devices can be monitored by a security operations center. No matter where the cargo is, if something happens, there will be a live person tracking it and responding.
6. Equipment and Devices: Companies should implement locks and tamper-proof seals, such as smart internal container detection and environmental monitoring technology which monitor container doors from the inside. These advanced systems go beyond track-and-trace, monitoring each door independently and sensing environmental changes such as humidity, temperature, dew point and light. For rail, there are systems that use air brake lockouts to thwart trailer theft. The systems enable the locking and unlocking of the trailer brakes to prevent unauthorized movement of the assets.
7. Security Escort: For higher value cargo, a security escort may be required in some locales. The escort should have predefined security protocols, including route planning and escalation procedures. They will communicate continuously with dispatchers, drivers and security operators. All security escorts should be vetted, have local knowledge and undergo standardized training.
8. Response Plan: Every organization should have a response plan in place for quickly acting on discovered threats. Security teams should provide a fully indemnified response service that will support the load recovery efforts and investigative process. On receipt of a cargo security alert, operators should initiate an immediate police response and provide a live tracking link to law enforcement.
9. Cargo Recovery Plan: If cargo ends up where it is not supposed to be, organizations will need to coordinate efforts to get it back, which is not always easy. Security operations center operators specialize in cargo recovery. With 24/7 live monitoring and centralized incident response management, they will deploy escalation processes involving both electronic and human assets for immediate police response. They may also initiate incident response teams to coordinate with local law enforcement. Working with a global security partner that has all these capabilities is an asset given the supply chains are often global in nature.