Christopher Schuetze: Necessary Components of an Effective Cyber Supply Chain Risk Management (C-SCRM)

Ashford already introduced. My name is Christopher Schutze and I'm responsible for the practice cybersecurity. I've mentioned this on the presentation before this mainly means I'm something like the bridge between events, research, and advisory for cybersecurity. Today, I will share a session about a very interesting topic with you, maybe a new topic for some of you, especially these days. It is a very essential topic because it is also highly related to the general logistics. And just remember when you tried to buy some toilet paper floor or yeast in a few weeks ago, it was a little bit difficult for the non-German attendees. We in Germany used this paper, yeast and floor for dinner. I think I'm not 100% sure, but how logistic is related and which steps are needed for an effective cyber supply chain, risk management will be part of the next 15 minutes. First of all, we will start with a short introduction based really on pure logistics and the relationship to non, to a non cyber supply chain.
After some facts that will already mention some of them, we will continue with what does the C mean in the CS CRM for your organization? So CST M briefly explained, and then last but not least followed by five recommendations to boards, a good supply chain, risk management for you. So the idea today is really to give you and introduction and a great overview about what it is and what you can do as the first steps. When I started my career, I started to do a vocational training as a forwarding merchant. So working in the area of delivering goods from a to B, from manufacturer to customer, but what does this all have to do with CSCM? Well, first of all, it has a lot to do with supply chain, deliver goods products, and if a truck or a plane is late or not able to start, this can have a huge impact on the other end of the supply chain.
If you think about just in time delivery and in the automotive industry, if they have to wait for the next car parts on the assembly line, this can lead to production down times because most organizations really tend to limit the buffer. So something to be prepared for, to a minimum, to reduce the cost for storage here, going back to the pandemic crisis, or maybe any other impact, if we are not able to deliver goods for, to the supermarket, we will have shortage shortages there. Or if we have, for instance, an unpredictable increase in demand of floor, high demand, and a low supply or normal demand and a disorder in the supply chain leads to a shortage in supermarkets, as we all realize the most critical point is talking about medical supplies here in hospitals, or in general for the supply of the people. What if important medicine is not available or cannot delivered to the customers?
Because the ship, the plane, which is turn transporting the freight container is not allowed to be imported into the country. For instance, in, in Hamburg, this is very critical and also an important topic for critical infrastructures, which is not the topic for today. But if you have questions regarding debt, we have a lot of good content in our research database. In general, you need sufficient buffer or a plan B to solve or to limited down times and shortages. So this is really the key message, okay? It is difficult to get floor and yeast, but how is this related to cyber security and CS CRM? Everything is supported by it here, but we will come to this back to this on the next slides, let's start with some facts where that's, what already mentioned. Some, the turnover in the logistics industry in 2018 was 1,120 billion euros in Europe. So really a lot of money and where a lot of money is the potential criminals are not far away. On the other hand, we had approximately 4.1 billion data breaches in the first six months of 2019. And this is only the number we know to realize. And this is in some way related to my previous presentation to incident response management, it takes 72 days to realize that you have an incident within your organization.
And at least 6% of all companies had an cybersecurity. 66% of all organizations had an cybersecurity incident in 2019 to raise another high number 363% increase the number of ware text, which block your organization, your computer, your so whatever to access your data. And on the other hand, we have the decision makers, maybe you who is responsible for cybersecurity in your organization, you that have to fight the windmills together with your team. 80% say that the cyber supply chain will become an increasing target. So the interrelationship of your organization and others who deliver you in some way, it is very complex and complicated. And this is mainly the interrelationship here. Now we will start with supply chain related to it. And I will explain to you what the CS CRM CS CRM means for your company, because it has mainly two aspects. On the one hand, we have the delivery of it services.
And on the other hand, we have it supported delivery. The delivery of it services consists for sure of pure infrastructure. This can be managed by yourself or by externals, for instance, the classic cloud providers. Then we have software you can use maybe in as a service model, or cloud-based still two very essential parts of your organization. This customizing software, also a very complex topic. Just imagine you have some standard software for your assembly line, and there is one important module missing, maybe it's customized or it's implemented for you. And if this is missing, you are not able to work. And also an critical component is OT and OT devices, which you buy and integrate as part of your product. Typical example here is for instance, an ex horse gas control system in the automotive industry. If you buy some module that integrated into your product, this is also part of the supply chain.
And on the other hand, we have the it supported delivery, the classic thing. So to say, you might have some software outages that you are not able to see who ordered something or who is the recipient. For instance, one of your it suppliers is maybe the victim of a cyber attack. He is not able to deliver his service to you. So what does this mean for you? Just think again about the high numbers on the slide before maybe one of your suppliers has a data breach and data of your customer is affected cruel really. And the last one is very critical. The theft of a construction plan, just think about data breach for the Coca-Cola received and at one of its partners. And that is why Coca-Cola is selling, or is only delivering the syrup to their producing organizations in between. And everything you do within your CSCM is really to try to reduce the impact of one of these risks at the end. And that is what a C is for.
So let's have a look at the short example to make it more concrete, going back to the classic supply chain and it supported delivery. Some sample scenario, Mr. Gomi orders, a pallet of strawberries. The order is forwarded to the logistics center. The deliveries planned by the dispatch, the goods are assembled by the order. Picker goods are loaded onto the truck. And finally, the trial delivers this is the normal behavior, but this is a good example of digitalization and things which might go wrong. What happens if the order system is down Mr. GOME, and all the others will never, or late receive his or their strawberries, the dispatcher will never plan the tour. The order picker will not prepare because he does not have the information on his order picking device. And the driver does not have the information that he has to deliver something at the end, the strawberries will be thrown away because it's, it seems that nobody ordered them.
And this is just just a sampling scenario. Can do it really complex here, especially the logistics and the whole process I've mentioned. This is really highly it supported when I did my training, it was in 2002 or three. We really used printed documents for order picking today, you do it with an electronic device. So we have digitalization in almost every single step. And that's a risk and an important thing when talking about risk, never, ever underestimate the impact. And the probability just think about the COVID 19. Everybody was sure that the pandemic will have a high impact on our everyday life, but almost everybody underestimated the probability of occurrence. And this is what happened.
So what do you need for an effective cyber supply chain, risk management? What do you have to do to minimize the risks and the impact? First of all, integrate across your organization. You have to set up a team of experts with all relevant organizations of your supply chain, to identify and monitor the risks, and to be able to act if something is happening, implement a former program. And this helps you to have budget, to have processes and a higher level of maturity. If a new supplier is onboard, you can use your organizational standards to rate him and to integrate him as a supplier or supporter for it services. You also need to know your critical suppliers and therefore you must identify them and maybe define specific measures, a good and common way to use rating like risk scoring to have a potential measurement. And as we learned in the pandemic crisis, resilience is an important thing, but not only for such situations, also as general approach to improve your cyber supply chain, this can be done best with your suppliers together, integrate and involves them into your resilience and improvement activities.
And not only the critical suppliers must be monitored. Also those who are very important for you, the, the key suppliers, they must be monitored too, because an audit can have a high impact for you. And at the end, you are not able to produce. And last but not least, you must cover the full life cycle. You must prepare for malfunctions within your cyber supply chain, because at some point in time that will happen something. And this is the same I share within the incident response masterclass two. And I mentioned this on the presentation before preparation is key. You need to prepare. And at the end cyber supply risk management is the management of the risks of the supply chain for cyber.
And this is already the last slide of my slide take. I hope I gave you a good overview and insight into supply chain and especially cyber supply chain, risk management, and the component or processes you should implement for an effective CS CRM. Maybe you remember that 80% of it decisions, makers assume that cyber supply chain will become an increasing target within the next few years. Now, I would also like to give you five hints, how to proceed if you haven't invested or not sufficient invested into the topic right now, the first thing learned from logistics. When I was preparing this presentation, I realized how highly related it is into each other. At the end using it is nothing different than having a traditional supply chain with the delivery of products or goods reuse that knowledge, the N 800 and 161. And the ISO 28,000 are standards for that area.
And especially the NIST has a lot of content and can be used as a blueprint or a base to invest into that area rating the it or the it security. A supplier is sometimes difficult, especially if you are looking for a new cyber supplier, there are some specialized companies which can offer you a permanent scoring. Use them work together with your suppliers, support them because they are an important part of the process. And at the end of your business, treat them well. And at the end, it is all about the management of risk, integrate the cyber supply chain risk management into your enterprise risk management and consider the cyber supply chain from end to end at a process level, prepare controls, and have a plan B and implement sufficient buffers. Thank you.