Business models have greatly evolved and changed over the years. Global, multi-billion dollar enterprises are a far cry from the days of rural cottage industries. But this also adds a large degree of complexity – and risk can be found where it is least expected.
Do you want fries with that?
Global giant McDonald's is famous for the fast food. However, it’s not their burgers and fries that made the business profitable. Ray Kroc struggled to initially bring enough revenue from his franchised restaurants in order to pay for the land and the building for restaurants. Which meant growth was limited to one restaurant at a time.
In 1956, Kroc hired Harry J. Sonneborn, who saw that the real money in the business wasn’t in the burgers, but in real estate. The idea was to have McDonald’s sublease the land and building for each restaurant to the franchisee. This plan eventually developed to take out mortgages, so McDonald's would eventually own both the buildings and the land.
So while it can appear that the business was profitable through its food, it’s real business value (and associated risks) lies in real estate – of which it occupies prime locations across the world.
Cinnamon on top
McDonald's still operated in the traditional realm of bricks and mortar. However, the digital revolution has changed business models for many companies, sometimes by pure chance.
It was reported that Starbucks has more money loaded on gift cards and its mobile app than many banks have in deposits. With an estimated $1.2 billion as of the first quarter of 2016.
This represents a traditional coffee shop business, that is just as profitable, if not more so, than some banks. But without the vaults, guards, and most of the financial service regulations.
It begs the question: where does Starbucks’ value lie? Is it in their shops, their coffee and syrups, or in their electronic wallets?
Your handsome grandfather had one blade AND polio
Looking further, we see an increasing number of businesses that were ‘born in the cloud’ and subsequently attributed nearly all their success to the cloud.
A recent example is one of Dollar Shave Club which was acquired by Unilever for $1 billion.
Affordable blades that were conveniently delivered to the doorstep were only part of its success. Amazon Web Services (AWS) made it affordable and easy to start an online company that could scale and compete with the likes of larger, well-funded rivals.
Similarly, YouTube made it easy to create and distribute a video, while social media like Facebook and Twitter enabled it to be shared to millions.
On the internet (and in the cloud) companies are not restricted by storage space, don’t need forklifts, high visibility jackets, or safety helmets. It is the great equalizer – allowing startups to compete with any company of any size.
Show me the risks
The famous criminal Willie Sutton was once asked why he robbed banks and he responded by saying, “because that’s where the money is.”
All businesses run with risks, but these risks change as the business change. In today’s realm of digital business, the risks have largely shifted away from bricks, mortar, and stock to the cyber realm.
But it’s not just that risks have shifted online, it’s that businesses today now have a much larger dependency on third party providers and suppliers than they’ve ever had in the past.
With Dollar Shave Club, it had critical businesses dependencies on third parties - AWS, Amazon, couriers, Facebook, Twitter, and many others. Very little of the risk was wholly on in-house systems. If any one of the components had failed, or not delivered, the business may not have succeeded.
Similarly, whilst Starbucks may have $1.2 billion sitting in gift cards, the company relies on a number of providers and partners to offer customers a seamless experience. Many hackers have realized the value of this and there have been many cases of fraud against customer accounts.
These are not hypothetical risks. Whilst suppliers can allow companies to be more innovative, create new products, and level the playing field against larger competitors, there are many dangers and risks that manifest within this ecosystem. Some examples include:
- In August 2008, a bank’s customer data ended up being sold on eBay because a third party didn’t dispose of equipment in accordance with policy.
- In August 2010, the Financial Services Authority (FSA) issued Zurich Insurance with a £2.275m penalty following a data loss incident for not checking their controls over outsourced data processing.
- In December 2013, Target suffered a data breach that resulted in 70 million credit card records being stolen. The attackers were able to breach Target via a third party HVAC provider.
- In November 2014, Home Depot disclosed a breach which was perpetrated by hackers initially breaking in via credentials stolen from a third party vendor.
Protecting against Supply Chain Risks
Third parties remain an essential requirement for any business, but the risks need to be understood and managed accordingly. Some points to consider are:
- Business Impact Assessment: Having a business impact assessment in place to understand what level of dependency is being placed on the third party. The more critical the role it plays in supporting the business, the greater the risk.
- Knowing your partners: It’s essential to keep an up-to-date and accurate view of all business partners and the role they play. Relationships change over time and it is important this is captured and reflected as it happens, not only once when initially engaged.
- Policy & Legal: While good intentions largely prevail, they are not enforceable. It is important to have a security policy documented for third parties that explains what is expected, how data should be handled, and what needs to happen in the event of an incident. Legal council should be sought in order to ensure the terms are legally binding and enforceable.
- Communication & Education: Communicating clear security needs with partners is vitally important. Some third parties may not yet appreciate the need for security, so an element of partner education should also be considered.
- Technical Assurance: Assuring technical controls is particularly important when a third party has direct access into your systems. Whilst the existence of certifications or audits go some way in providing assurance, gaining technical assurance via penetration testing, vulnerability scanning, or deploying monitoring controls in the partner environment can go a long way to help.
- Threat Intelligence: Appropriate threat intelligence can be very useful in understanding attack vectors, and also where a third party may have been breached. Keeping abreast of leaked information for sale in underground web forums can help pin point a particular weak control.
- Incident Response Planning: A joint incident response plan should be put in place to clearly map out roles and responsibilities in the event of an incident at a third party. These can include technical controls, such as isolating critical environments. PR and media communication plans, or looking at ways to end, or replace the third party service temporarily, or even permanently.
Businesses continue to evolve and will continually adopt strategies that will provide a competitive edge. Partners and suppliers are a critical part of many companies success in the digital era. However, it is important that companies understand the risks that lie within