Developing a contingency plan and avoiding disruptions from a security breach
Danie Schoeman
5 November 2015
A changing landscape
The road to globalisation – and greater risk
1. World Economic Forum Study 2012, Insurance News; 2. Deloitte 2012 Risk Management Report; 3. BCI Supply Chain Resilience Survey 2014;
4. Ruud Bosman (2006) - The New Supply Chain Challenge: Risk Management in a Global Economy, Factor Mutual Insurance
“81% of respondents report at least one instance of supply chain disruption in 2013.” [3]
Increasing complexity and fragility
Adapted from G. Linden, K.L. Kraemer, and J. Dedrick (2009), “Who Captures Value in a Global Innovation Network? The Case of Apple’s iPod”,
Communications of the ACM, March 2009, Vol. 52, No. 3, pp. 140-144; World Economic Forum Global Risks 2015.
[Chart: value captured per iPod, split between Apple (Margin), Distribution and Retail, Major Components, Other Inputs, Japan (Margin), USA (Margin), Taiwan (Margin) and Korea (Margin); dollar values shown on the chart: $80, $75, $85, $40, $27, $19, $7, $5, $1; the pairing of values to segments is not recoverable from the extracted text]
The Chief Supply Chain Officer agenda
Top challenges named by Chief Supply Chain Officers (share of respondents):
- Supply Chain Visibility: 70%
- Risk Management: 60%
- Customer Intimacy: 56%
- Cost Containment: 55%
- Globalization: 43%
IBM, The Smarter Supply Chain of the Future - Insights from the Global Chief Supply Chain Officer Study 2010
Full of risk
Typical supply chain risks
Business continuity risks
• Natural disasters
• Man-made disruptions
• Supplier redundancy & contingency
Security risks
• Cargo disruption
• Cargo theft
• Hijacking exposure
• Unmanifested cargo
• Information/cyber attacks
• Sea piracy
• Supply chain terrorism
• Anti-western terrorism
Brand protection risks
• Facility traceability (forced & child labour)
• Compliance with social & human rights requirements
• Compliance with environmental, health & safety requirements
• Counterfeiting
• Intellectual Property violations
Geopolitical risks
• Political stability
• Economic & financial stability
• Corruption
• Crime & government effectiveness
• Employee screening practices
Causes of supply chain disruption
[Chart: causes of supply chain disruption, each rated High Impact / Some Impact / Low Impact (x-axis 0%–90% of respondents). Causes listed: Environmental incident, Intellectual Property violation, Product quality incident, Health & Safety incident, Animal disease, Earthquake/tsunami, Insolvency (in the supply chain), Human illness, Civil unrest/conflict, Industrial dispute, Outsourcer service failure, Adverse weather, Energy scarcity, Lack of credit (cost, availability), Currency exchange rate volatility, New laws or regulations, Loss of talent/skills, Act of terrorism, Fire, Business ethics incident, Data breach, Cyber attack, Transport network disruption, Unplanned IT/telecoms outage. Causes are grouped as Security risks, Business continuity risks, Brand protection risks and Geopolitical risks.]
BCI Supply Chain Resilience Survey 2014; G4S Analysis
Identifying security breaches
Cyber attacks
Verizon 2015 Data Breach Investigations Report
Almost all cyber attacks can be classified by nine patterns (share of breaches):
- Point of sale intrusions: 28.5%
- Crimeware: 18.8%
- Cyber espionage: 18.0%
- Insider and privilege misuse: 10.6%
- Web app attacks: 9.4%
- Miscellaneous errors: 8.1%
- Physical theft and loss: 3.3%
- Payment card skimmers: 3.1%
- Denial of service attacks: 0.1%

Transportation – top three patterns: Cyber-espionage 24%, Insider and privilege misuse 16%, Web app attacks 16%
WEB APP ATTACKS: When attackers use stolen credentials or exploit vulnerabilities in web applications — such as content management systems (CMS) or e-commerce platforms.
INSIDER AND PRIVILEGE MISUSE: This is mainly insider misuse, but outsiders (through collusion) and partners (because they are granted privileges) show up as well. Potential culprits come from every level of the business, from the frontline to the boardroom.
CYBER-ESPIONAGE: When state-affiliated actors breach an organization, often via targeted phishing attacks, and are after intellectual property.
Typical cyber attack incidents for transport & logistics
On average, 72% of the incidents in an industry can be described by just three of the nine patterns.
Verizon 2014 & 2015 Data Breach Investigations Report
Cyber attacks are physical
- 85% of insider and privilege misuse attacks used the corporate LAN.
- 49% of theft / loss happened at work.
- 55% of miscellaneous errors involved printed documents.
Verizon 2014 & 2015 Data Breach Investigations Report
Look inside your company
[Chart: likely sources of incidents (x-axis 0%–40% of respondents), two series: All industries in all regions vs Transportation & Logistics. Sources listed: Current employees, Former employees, Current service providers / consultants / contractors, Former service providers / consultants / contractors, Suppliers / business partners, Hackers, Organised crime, Activists / activist organisations / hacktivists, Competitors, Foreign nation-states, Domestic intelligence service, Unknown.]
PWC Global State of Information Security Survey 2015
Screening and vetting is business critical
[Chart: security safeguards in place (x-axis 0%–80% of respondents), two series: All industries in all regions vs Transportation & Logistics. Safeguards listed: Information security strategy that is aligned to the specific needs of the business; Employ a Chief Information Security Officer in charge of security; Accurate inventory of where personal data for employees and customers are collected, transmitted…; Secure access-control measures; Privileged user access; Employee security awareness training programme; Require 3rd parties to comply with our privacy policies; Conduct personnel background checks.]
PWC Global State of Information Security Survey 2015
Cargo theft
FreightWatch International
Cargo theft: non-residential robbery & burglary
SAPS - Crime Situation in South Africa (Released 29 September 2015)
[Chart: number of incidents of non-residential Burglary and Robbery; y-axis ticks 0–1600 and 4000–5600]
Hijacking exposure
SAPS - Crime Situation in South Africa (Released 29 September 2015)
Truck hijacking
[Chart: number of truck hijacking incidents; y-axis 0–90]
Sea piracy
Based on info from IMO, IMB, ReCAAP
Sea piracy – current activity
ICC: International Maritime Bureau Piracy & Armed Robbery Map 2015
Corruption
2014 Transparency International
Customs “integrity”
[Scatter plot: Customs Transparency Index (y-axis 0–1.2) against Irregular Payments (x-axis 0–7; 1 = common, 7 = never occurs), with quadrants labelled Honest Joe’s, Honest Crooks, Angels and Dark Horses. Countries plotted: Brazil, Russia, India, China, South Africa, Morocco, Rwanda, Nigeria, Gabon, Ghana, Ethiopia, Benin, Angola, Uganda, Cameroon, Gambia, Kenya, Egypt, Hong Kong, Indonesia, Korea, Rep., Malaysia, Philippines, Singapore, Taiwan, Thailand.]
DS&C Analysis, WEF ETI (2014)
Major factors contributing to security breaches
C-TPAT Program Study June 2009
- 90%: Involved “trucks” as the mode of transportation for breached cargo
- 68%: Security procedures not followed (lack of checks, balances, accountability)
- 53%: Inadequate transportation monitoring
- 44%: Lack of seal procedures
- 41%: Containers, trailers, pallets, etc. not secured/properly inspected prior to loading
- 35%: Failure to screen business partners
- 34%: Conveyances not inspected
Consequences of security breach
Consequences of supply chain disruptions
BCI Supply Chain Resilience Survey 2014
- Loss of productivity: 59%
- Increased cost of working: 48%
- Loss of revenue: 45%
- Customer complaints received: 41%
- Service outcome impaired: 38%
- Damage to brand reputation: 35%
- Delayed cash flows: 34%
- Stakeholder/shareholder concern: 27%
- Product release delay: 24%
- Loss of regular customers: 18%
- Increase in regulatory scrutiny: 18%
- Payment of service credits: 7%
- Fine by regulator: 7%
- Product recall/withdrawal: 7%
- Share price fall: 5%
Significant losses
BCI Supply Chain Resilience Survey 2014
[Pie chart: segment values shown: 49%, 17%, 10%, 18%, 4%, 1%, 0%, 1%, 0%; segment labels are not recoverable from the extracted text]
Making a plan
Contingency planning
1. Conduct a Threat Assessment – What can go wrong?
2. Identify and Review Core Business Functions – What are the exposures to the supply chain?
3. Conduct a Business Impact Analysis – What does the combination of Step #1 and #2 do to your business? Look for your Achilles' heel.
4. Apply Prevention and Mitigation Measures – Have a well-thought-out plan.
5. Implement Tests and Maintain the Plan – Test the plan!
Risk mitigation strategies
- Research, analysis, training and guidance to support your company through supply chain security efforts such as TAPA, C-TPAT, AEO and Maritime ISPS: review and support, security criteria gap analysis, financial risk exposure review, and continual improvement support.
- Utilising business continuity management standards such as ISO 22301:2012, the ISO/IEC 27001 information security management standard and the ISO 28000:2007 supply chain security management standard.
- Supplier oversight and cargo custody controls.
- Utilising comprehensive supply chain security intelligence resources, including trade and compliance intelligence, and global supply chain security risk data and analysis.
- Using real-time trade interruption updates and reports on major disruption incidents, countermeasure programs and risk mitigation best practices, together with country-specific reports on supply chain terrorism, cargo disruption, business and political climate, population and culture, economy and trade, transportation infrastructure, general governance, export control governance, employer security practices, and customs-trade supply chain security programs.
- Thorough vetting of your supply chain and of participating firms’ supplier base.
- Automating supplier risk assessments using Anti-Western terrorism and cargo disruption data.
- Modelling the risk of global cargo tampering and terrorism from available data.
The payoff
Benefits to you
- Decreased supply chain disruptions
- Effectively protect and manage your supply chain with the ability to productively respond to stresses
- Decreased losses and lower associated production costs
- Improved business continuity via a more robust, resilient and responsive supply chain
- Increased supply chain visibility and improved lead-time predictability
- Greater end-to-end transparency for improved process management and efficiency
- Competitive advantages over industry rivals when supply chain risks arise
- Brand protection
- Significant decrease in U.S. Customs inspections (up to 42.8%)*
- Increase in new customers for transport and logistics companies (35.2%)*
- Increase in sales (24.1%)*
- Access to the U.S. Customs FAST (Free and Secure Trade) program*
- Decreased wait time at the border (Green Lane)*
*The C-TPAT Cost/Benefit Survey - University of Virginia Center for Survey Research and the Weldon Cooper Center for Public Service for the U.S. Customs and Border Protection Service, August 2007
Thank you