Custom Information Services (CIS)

Supply Chain Resilience – Preventing and Reducing Supply Chain Risks


We recently had an urgent call from a Dynamics GP distribution customer that was hit with a virus. This was not our customer; however, they are now. Their system was compromised by the crypto virus and they did not have a proper backup of their Dynamics GP and file server. The Custom Information Services (CIS) team of technicians worked hard to get the virus cleaned and the systems up and running; however, the customer lost two days of processing since there was not a good backup for us to restore. This scenario plays out every day in businesses. You think you are getting a good system backup by relying on your IT, and when you have a disaster you find out that your team has not been doing the job. In this case it was an internal IT person, but we have seen this same scenario with companies that have outsourced their IT. Business owners must make sure that in the case of a virus or disaster the company’s assets are protected. I write about this topic often – too often.

Zurich released a whitepaper this morning: Supply Chain Resilience 2013. It is their 5th annual international survey that addresses the origins, causes and consequences of supply chain disruption. Authored by Lee Glendon and Lyndon Bird of the Business Continuity Institute, with 519 verified respondents in the supply chain industry, this 23-page paper addresses the range and cost of disruptions and how a disruption in one company can spread out over the entire supply chain. The number one cause of disruption in the USA was adverse weather and number two was unplanned IT/Telecom outage.

Here is a recap of the study’s key findings:

  • 75% of respondents still do not have full visibility of their supply chain disruption levels. Only 25% coordinate and report to gain an enterprise-wide view of disruption. This is unchanged from 2012.
  • 75% of respondents experienced at least one incident that caused disruption. This is consistent with findings in each of the previous four years.
  • 42% of disruptions originated below the tier one supplier, an increase from 2012.
  • 15% of respondents experienced disruptions that cost in excess of €1M and 9% experienced a single event disruption that cost in excess of €1M.
  • The primary sources of disruption were unplanned IT or telecom outages, with 55% stating they experienced high or some impact from this type of disruption. This was followed by adverse weather (40%) and outsourcer service provision failure (37%).
  • While insolvency in the supply chain maintained its ninth place in 2013, other financial risk related sources of disruption did recede: lack of credit fell to 21st place from 12th and currency exchange rate volatility dropped from fifth place to 17th.
  • Below the top three, there have been some significant changes from 2012 to the main causes of disruption: transport network disruption climbed from 14th place to fourth with 30% experiencing high or some impact. The high profile media reporting of the danger of cyber-attacks has resulted in this type of disruption rising from 18th place to fifth. The non-availability or loss of talent/skills increased from 10th place to sixth.
  • When considering sources of disruption by country and sector of activity, some new sources rise to prominence: product quality incidents are prominent in manufacturing, engineering and construction, while in the USA adverse weather takes the top spot in 2013 as a source of supply chain disruption.
  • 41% stated that customer complaints were received as a consequence of disruption, an increase from 35% in 2012, bringing it into second place behind loss of productivity (55%) as the primary consequence of supply chain disruption.
  • Strategic consequences maintain their presence with 24% stating they experienced damage to their brand and reputation and 26% stakeholder/shareholder concern. 3% experienced a fall of share price as a result of a disruption.

There are steps you can take to ensure your company reduces its data risks; however, take nothing for granted. Spend a day reviewing these items and see if your policies are truly in place. An ounce of prevention is worth a pound of cure. This list will also help reduce your adverse weather and IT/Telecom risks.

  1. Have a written policy that clearly explains where employees should save their data, and check adherence to it regularly. It amazes me that companies allow staff to save to their desktops. Talk about risking lost productivity… we have a document that our new hires have to sign regarding this issue. We know we can be fired if we don’t adhere to the rules.
  2. Ensure that all of your systems have antivirus software and are on a program for automatic updates of virus definitions, and frequently check for success. Even a good antivirus can’t prevent all attacks, so train your staff and remind them regularly how to determine whether an email is suspicious, and of course train them not to be afraid to report that they opened a suspicious email! This has happened to me on more than one occasion and I work for an IT company! I get in a hurry and since I am in sales and marketing, I get lots of emails that I open because I think it might be a sale… I did report it immediately and our team gets an automatic notification that our system might be at risk.
  3. Ensure that all systems are on a program for automated updates of (nearly) all software security patches, and frequently check for success. Now this could be a concern for some of your software. You don’t want to willy-nilly install patches on your ERP system. These types of updates should be considered carefully with your ERP vendor prior to patching. This is also why software and network equipment become obsolete. It is impossible for software publishers and resellers like CIS to keep up with all the old versions and keep up with the newest viruses.
  4. Protect your network with a firewall that is regularly monitored, tested and updated by an IT professional. If you have internal IT then you must be a large company and I am sure you keep them educated on the latest and greatest software and hardware. Right? If you are a small to mid-sized company then you probably have someone on your staff that kind of fills in as an IT person as the need arises. Do not think that you are too small to hire a managed IT services firm like CIS. It is okay to have someone on hand to take care of the little issues, BUT firewalls, antivirus, patches, network planning and budgeting should be reviewed and handled by professionals like CIS. To find out more on this topic read this article: Can Your Business Benefit From Outsourcing CIO Services?
  5. Have a written policy that clearly outlines the appropriate use of your business technology, and enforce it regularly. See number one and keep in mind that your business could be in a lot of trouble if you have staff downloading unlicensed music and software or even pornography. This type of behavior also reduces productivity and exposes you to viruses.
  6. Design your network permissions so that employees only have access to the data they absolutely must have access to in order to do their jobs, and nothing more. Again, see above and keep access to your financial and proprietary data, such as formulas and recipes, limited to only the folks that need it.
  7. Keep spare hardware and replacement systems for your most critical systems on hand for fast recovery. CIS does this for our managed IT customers.
  8. Get rid of your tape backup system immediately. Every company should have daily off-site backup. CIS sets these up for our customers. Most companies are on a one hour recovery service level with us. This is part of our disaster recovery business continuity service. To find out more about this type of service you will have to contact an IT professional like CIS.

This paper also discusses considering your suppliers. Do they have a continuity plan in place? Do you have a backup vendor in place should the need arise? If this means you have to increase the cost of your inventory, then make sure your ERP pricing can be quickly updated and your customers notified of any price increases. Remember to include freight in these costs…

Compliance is another risk that can be averted with good serial/lot controls in place in case of a recall.  How fast can you identify where specific lots have been shipped?  Again, having the right controls in place, doing self-audits, and using a good ERP system can help you prevent a recall disaster.

Conclusion

I only touched on a couple of the areas this paper addresses. I would strongly recommend reading this paper and a few more, then completing an audit on your business and even top suppliers. Every business owner knows that it is not a matter of if they have a server or IT outage; it is more a matter of when. As a business owner you are responsible for security and disaster recovery. You must know that your database and networks are secured regardless of where they are located, on-site or in the cloud.

For more information please review the following resources:

Supply Chain Resilience 2013 Annual Survey

Is Your Business IT and Data at Risk?

You can also contact me, Nancy Phillippi, at Custom Information Services. I can be reached at 817-640-0016 or [email protected]. CIS is a Dynamics GP Silver ERP Partner located in N. Texas. CIS also offers managed IT support.
