“Security is not a revenue generating discipline, according to conventional thinking,” says Chuck Forsaith. “And most see security and marketing as two functions in an enterprise that are furthest apart in the corporate space.”
“But security is marketing,” according to Forsaith. “We advertise a comfortable, secure feeling—as a result of being risk averse—so that our customers will confidently use, and will continue using, our products and services. Finally, you profit from good security.”
Forsaith’s remarks came at the Healthcare Distributors Alliance 2019 Distribution Management Conference and Expo, March 10-13 in Palm Desert, CA.
How do you create supply chain security? By minimizing risk, and that’s why the term “risk management” describes things much better than a vague term like security.
Risk is primarily reduced by means of control. You want to define and control your property, set boundaries, and control/filter the access of people into the property.
There are no formulas for achieving a desirable level of control. Each organization balances risk management according to their own level of concern, comfort, importance of assets, operational requirements, budgets and organizational identity.
One thing is for certain, the level of security is usually inversely related to comfort, convenience and openness.
So how do you get started establishing your supply chain security plan? The first step is to identify your assets—people, confidential information, property, products and reputation.
Threat is the potential harm to your asset. Risk is the likelihood of that threat being realized. Security solutions that mitigate risk are your preventive measures. Security solutions that mitigate threats (decreasing the severity of harmful incidents once they have started) are your reactive emergency measures.
A typical corporate security infrastructure should include a Chief Security Officer, an investigation unit, program management (guard contracts, audits, executive protection services), security systems (CCTV, access controls), a supply chain security/brand protection team, intelligence analysts and a cyber arm.
For smaller companies, the security function is often combined with other duties like Environmental Health and Safety, or facilities management.
What is the supply chain security team protecting against? Outside threats include burglary, robbery, cyber hacking, theft, trespassing, etc. Inside threats include disgruntled employees stealing product, compromising cyber security, and stealing intellectual property.
For buildings such as manufacturing plant or warehouse, protection is designed using concentric circles:
- The grounds around the building
- The building perimeter
- The building interior
- People and product
This concept is known as defense in depth, the closer you get to your most important assets, the more intense the security infrastructure will become.
Forsaith cautions, “Electronic security systems do not a secure property make. A sophisticated access control system and CCTV
are not going to magically protect you and your assets. It’s not about the hardware, it’s how it’s used.”
Near field communications (NFC) technology is gaining in popularity for security access control. This involves two electronic devices (like a door lock and a cell phone) to establish communication when brought within a few inches of each other.
Inspections of facilities and personnel can reveal gaps in security. Door hinges unpinned, lights that do not work, windows next to door locks, CCTV cameras with spider webs and fingerprints blocking the lens, etc., all can contribute to helping criminals gain access to your facility. Badges you can swipe are better than keys, but anyone can get access to a key or a badge. Multiple identification systems that require a badge and a fingerprint are better. Again, less convenient for the employee, but more secure.
Inspections have uncovered employees who have a vault or safe combination written on the back of their badge! It’s better to remember a phrase that relates to the combination rather than numbers which are easily forgotten.
Your plant or warehouse security are important to your supply chain, and break-ins do occur, but most theft takes place when drugs are in transit.
Many risk management firms produce “heat maps” to indicate high-theft areas. Bad guys do concentrate on “target-rich” environments around distribution centers.
But cargo theft can take place anywhere, and heat maps can give you a false sense of security. Risk might be higher in a “red” area, and you should take precautions there for sure. But it is critical to protect cargo from theft everywhere you ship.
Unfortunately, Forsaith reports that the FBI no longer has a major crime unit for cargo theft, the Bureau concentrates primarily on terrorism.
Tracking technology has changed considerably and security is now a smaller (though no less important) aspect of a “total visibility” supply chain tracking solution.
Customers want to know where the product is (GPS) but also want a clear picture of environment (temperature and humidity), driver behavior, and even weather and traffic that could delay shipment.
Forsaith recommends a single “unified” viewpoint combining sensors, GPS, etc., where deviations from the norm are tracked in real time. Have the tractor and trailer been separated? Has the driver left the vehicle or deviated from the route? Is the reefer unit malfunctioning? Is someone trying to jam your signals?
Things to remember when devising your supply chain risk mitigation strategy include:
- Developing documented Standard Operating Procedures.
- Personally auditing all sources of supply--know who you are doing business with.
- Creating an individual risk profile for every product you import or export based on region of the world, handling characteristics (cold chain, etc.), routing of freight, duration of shipment, value, visibility and illicit demand.
- Develop security requirements for all transportation and warehouse vendors.
- Include security requirements in all contractual agreements with vendors.
- Consider the addition of brand protection or supply chain security specialists.
- Consider participation in governmental supply chain security programs like C-TPAT (Customs-Trade Partnership Against Terrorism) and CCSP (Certified Cloud Security Professional).
Chuck Forsaith is Senior Director – Healthcare Distribution Alliance, Pharmaceutical Cargo Security Coalition.