Whether you’re shipping physical products or exchanging data digitally, every business relies on some kind of a supply chain - an intricate network of people, systems, and processes working together to keep things moving.
But behind the trucks, warehouses, and partner relationships lies an often overlooked component - the secure movement of files and data. Orders, invoices, stock management, customer records, shipment updates - none of it can reach the right place without a secure, reliable file transfer in place. In many ways, it could be said data movement is the modern supply chain’s backbone, and when that backbone cracks, the entire operation can grind to a halt.
In episode 3 of The Transfer Files, we dig into what “supply chain” really means in the world of file transfer. We look beyond the internal movement of data and shed light on how organisations exchange data with external systems, partners and suppliers. We discuss why supply chain security has come under increased scrutiny, citing recent high-profile cyber breaches that have shown just how devastating a single weak link can be.
You’ll also hear how a well-managed secure file transfer solution can strengthen your security posture - if it’s properly managed, updated, and supported. We unpack the common red flags IT teams should never ignore, from unclear ownership of data movement to not knowing what sensitive information is flowing in and out of the organisation. Supply chain risk isn’t going away, and staying informed and proactive is the best way to protect your business and its reputation.
Watch the full episode below and if you missed episode two, catch up to hear our breakdown of what’s happening in the marketplace and how IT teams can cut through the noise.
If, after watching the episode you have questions or want to learn more about securing your supply chain and file transfer processes, get in touch with our team today.
Episode Transcript
Welcome back to Episode 3 of The Transfer Files, the podcast where we talk all things file transfer, security, supply chain, automation and more. My name is Steph Johnson and today James Lewis and I will be getting into one of the most pressing issues businesses are facing today, supply chain security. Please do remember to hit subscribe and we hope you enjoy the episode.
James, episode 3. How are we feeling?
We're feeling good. Been to the gym this morning. Feeling great.
Lovely.
Could do with some more coffee, but you know.
How many coffees have you had already?
Just 2. Have you noticed something?
Are you going to say we're matching?
We're twinning here.
We've done 3 episodes now and we are in sync.
We are, we are. Got like a little bit of... Anyway, let's not get there. Right, what are we talking about today?
We are talking about, and obviously for my benefit, I don't get into this so much for the day-to-day, but we're going to be talking about supply chain and the supply chain security.
Sure.
And the increased scrutiny that it is facing currently has been very top of mind lately in news articles. But for my benefit and for many people that probably don't think twice about what's going on in their industry supply chain, obviously there's people that are involved actively day-to-day. I know yourself, you are very much involved in what goes on day-to-day in terms of supply chain. But are you able to explain exactly what we mean when we talk about supply chain in the context of file transfer?
I certainly can. Right, so a supply chain generally starts with something like raw materials and ends up with products that have been purchased. And in between, there's lots of different organisations that are either adding value or moving those products around, or I guess they could be services as well. Generally speaking, when it comes to either making these things or procuring these things, files, data, invoices, purchase orders, things are moved around between different suppliers in a supply chain. So when it comes to the files aspect of it, it's typically to do with, I want to order 1000, to use an expression from Glynn, bibbly bobs, one of my colleagues, 1000 of these delivered by Tuesday so that I can make XYZ thing. And then there's the toing and froing of transactional information largely.
It's fascinating. Typically day-to-day, you don't consider how much goes into transferring a file, for example, or within that supply chain. Definitely goes over my head sometimes.
On the retail side, it gets a lot more complicated. We're not going to dive into EDI, but that is a whole level of complication with regards to the transactional messages that go to and fro for one order. It gets a lot more complicated, but that's another conversation for another episode maybe.
And I'm guessing potentially it's not just your internal supply chain you need to consider. When you are working with people outside of your business, do you need to consider their supply chains as well?
Yes, absolutely. So, we'll dive into both those things. So, there's the internal supply chain, so the movement of data around inside your organisation, which MFT solutions are well known for, supporting the security position and ensuring compliance for moving data around inside an organisation. The same can be said with moving outside of the organisation and the broader supply chain. So I think where we're getting to from a security perspective, and I think the things that are evolving most quickly, is that there are lots of breaches. There's lots of news on an almost daily basis of organisations that have been hacked or targeted. And organisations now are looking to take a much more proactive approach to ensuring that one, their organisation and their perimeter is secured, but also who is in their supply chain and are they offering a sufficient enough level of security so that me, the end user, the customer isn't impacted through my supply chain. But that's a conscious decision for me moving data to you securely and similarly you sending it back to me. But the next extension to that would be once the data is with you, is it still then secure? And in auditing, and this goes a bit broader than the file transfer piece, but auditing the security posture of your supply chain in terms of the whole of the organisation. It's where things like ISO 27001 come into ensuring that you're working with the right sort of organisations.
Yeah, no, definitely. And in terms of what's driving the scrutiny, do you think it is largely the breaches that we are continuing to hear about all the time.
So what's driving the scrutiny is it is, I guess, yes, a number of the breaches that are getting publicity in the marketplace and organisations and specifically publicly traded organisations not wanting to be seen to be behind the curve or shutting the gate after the horse is bolted. So it's a case of making sure that they've got not just the right technology or the products, but they've got the right services that sit around that as a solution for that part of the supply chain, the moving of data between the organisation and their trading partners.
Yeah. And when it comes to, again, talking about back to breaches, looking outside of file transfer for a minute and at the broader IT space, There, as you say, there's never not a story probably in the news that isn't talking about a breach. And I did do some homework and I have some notes from a couple of breaches that have sort of in the last five years or so, and just some of the impacts that they've had, because actually it doesn't just come down to an internal IT concern. There's legal and financial and all sorts of damages that that happened from a breach. Obviously, most recently, M&S was a major one in the news, and that was a hack from the ransomware gang, correct me if I'm wrong, Scattered Spider. And in terms of the repercussions of that, it halted online orders for nearly two months, estimated to have lost the company up to 300 million pounds in lost profits and 3.8 million in daily sales losses. That's just talking about M&S's losses. It doesn't talk about everyone else that's inside their supply chain that supplies to the company. Co-op was again Scattered Spider at the same time of M&S, but they lost or had 6.5 million of their customer data records stolen. Qantas, the same again, Scattered Spider, 5.7 million customer records stolen. And then going back a few years, a company called Knights of the Old in June 2023, a ransomware group called Akira, they gained access through a weak password, which is assumed to be an employee's weak password. Password 1, 2, 3, 4. But that company was actually forced into administration. So because of the breach. Ouch. Shut down. SolarWinds, that breach was in 2020 and they injected malicious code into software, which enabled them to compromise customers using the software, including industries of government agencies and private companies. So that's quite an important.
SolarWinds, my friends. Not the biggest of fans of their technology, but that's another conversation.
We'll move on. Colonial Pipeline 2021 disrupted the supply of gasoline, diesel and jet fuel along the US East Coast. Major impact. Facebook 2021, I never heard about this and I'm a Facebook user, but they exposed, they had a breach which exposed the phone numbers, e-mail addresses and other personal information of 530 million Facebook users. Some of these went under the radar, especially before I was in the world of file transfer. But I mean, these breaches are happening every day.
Yes, so there's various different types of breaches. And I'm not a broad technologist. I know a lot about managed file transfer and not a lot else when it comes to technology. And luckily enough, we've got some great technical people around us to do the delivery of the solutions. But I mean, in recent times, a number of the MFT vendors, platforms themselves have been targeted from the point of view of being identified as a weak point in that supply chain and a number of breaches, very well publicised breaches have happened as a consequence. And interestingly, before we came in today, I noticed in the news that one of the vendors has just settled, it's gone through the courts and a Microsoft subsidiary has just received 8.5 million in damages for the loss of 1.2 million data records. So getting this wrong can be pretty expensive. And I know financial risk and reputation is one of those things high on the list.
Yeah. And it's not something that I imagine is ever going to go away. It's only just going to not get stronger, but get more challenging as technology develops. Ransomware groups aren't going anywhere.
It's the financial gain, the potential of selling the data on the dark web, and then those organisations that acquire it, both steal it and acquire it, and making use of it, and the financial gains they can generate from the stolen data, so... not only are the end users impacted, but also those organisations that have been breached. And I guess it brings you on to sort of the reputational damage in your supply chain. You mentioned that organisation, I forget which one it was that went into administration, but you only need to have one big breach that you really don't want to be in the news. That can result in the supply chain around you closing down and saying, we don't want to work with you anymore, if you've not been careful enough with their data, I guess.
Yeah. And I guess my next question is how does then a secure managed file transfer system help this and how does it play into almost protecting the supply chain?
It protects part of it. It can't protect all of the supply chain. MFT solutions are one of those things that moves data, as we've talked about, moves data between organisations securely. And the key thing is, and a lot of times what we find with organisations, rightly or wrongly, largely wrongly, is that they sit in the background, they continue to process data as part of a business process, and whilst things are going well, nobody's looking at them. And also, MFT is one of those types of technologies that sort of falls between the gaps in a lot of organisations. It has networking, it has enterprise architects involved with it, people that are involved with authentication, people that are involved with databases. There's lots of functions within a technical department that are integral to making sure that it's put in properly in the first place. And then who picks it up and runs with it afterwards can sometimes be a little bit of a hot potato. Now I say that because if it's running in the background and it's doing its job and it's processing data, but it's not being given the due care and attention that it needs, then the likelihood is that the software patches are not being updated on it. It's not conforming to best practices, which means then you become a weak link in your supply chain. And that's an area that's being one from a CIO's perspective should be high on their agenda. Certainly an enterprise architect should be looking at this sort of stuff. Some of the more cutting edge types of technology in this space are now looking at and have capability built in to audit the supply chain. So on the assumption that you're not the weak link, it looks at how your supply chain is transferring data to you. So what encryption algorithms are they using? What are the authentication processes that they're using? Are these modern and secure enough, or have they been deprecated and been breached in the past and therefore no longer appropriate to use?
So it's really important that organisations keep on top of ensuring that their products are sort of kept up to date. One, have a product, and two, make sure it's kept up to date.
Yeah, and I guess just on that point, it's not a case of you can't be in your organisation, it's not ok, we've got a file transfer solution. Yeah, we're fine. It's actually, you need to support this and you need to make sure it's up to date because if you don't, you're not, it's not what's the phrase where it's not when it's, no, it's not if it's when, it's going to breach you. If you don't support it and keep up to date with it and keep on top of training and someone dedicated to looking after it, you're on the back foot already.
Yeah, absolutely. And I guess the other thing is, making sure that in the event that you are taking a proactive approach to securing your data. It's, and we talked about this in the last couple of episodes, it's about the consolidation piece. A lot of times organisations have multiple solutions to do the same thing. So you have data ingress and egress out of an organisation into an organisation through multiple, let's call them portals or gateways. If those aren't, if there isn't a level of visibility over what's happening with each of those, then it increases exponentially your, or decreases your security posture and increases your likelihood of being hacked or breached. Our position is always, certainly wherever possible, to consolidate all of these tools that you may have had for 5, 10, 15, 20 years in some instances, put them all into one solution, use best practice, making sure that everything's kept up to date, and lean on people that are experts. Shameless plug again.
That, yeah, I mean, it sounds like a ticking time bomb if it's not set up and supported correctly. Now, the younger generation of today talk about red flags. Have you heard the term red flags?
I have.
You've got red flags, you've got green flags.
I have. Yeah, my kids sports Love Island.
In terms of red flags. What should organisations, whether it's CEOs, CISOs or team leaders or head of IT infrastructure, what should they be looking for within their processes and within their team? And if they spot a red flag, what are some concerns that if they see that they need to act and put something into place?
Well, going back to my point about it falling between the cracks or being a hot potato, I think first and foremost, there needs to be somebody who's responsible for it. It sits within their remit. And in the event that something happens, heads roll, I mean, hopefully not physically, but somebody has the responsibility to keep an eye on this type of technology. You have a network security specialist that's looking at firewalls and that sort of thing. You have a database administrator and experts to look after the databases. You really need somebody that is ultimately responsible for the movement of data into and out of your organisation. If you don't have someone, then for me, that's a red flag. If you at the very least, again, shameless plug, you don't have somebody you can call upon who's an expert in this space, then you're decreasing your security posture some more. Other red flags for me is not knowing what data is going in and out of your business, and certainly what data is going in and out of certain processes. So it could well be that the systems have been set up to move data from an internal file share to HSBC Bank so that all of the suppliers are paid on a weekly basis. Now if somebody isn't aware of the context of that file transfer and the security profile of the transfers and the encryption is not kept up to date, then for me it's a red flag that some of the most financially sensitive data and that sort of thing. If an organisation doesn't know where their most sensitive data is going to and from or which processes are moving it, then for me that's another really big issue.
Just a few, just a few red flags there to watch out for.
When it comes to cyber security and supply chain, supply chain risk, I mean, again, coming back to the, what was it, Kings of Leon? No.
Knights of the old.
Knights of the old, nearly the same. Then, an organisation can go out of business within a very short period of time. You can't not pay attention to this sort of thing.
You can't. What is the, I guess, biggest takeaway someone watching or listening should take away with them today?
You know, if you don't put time and effort into knowing your supply chain, you live by the sword and die by the sword, I guess, to continue with the knights analogy. I think the most important thing is to understand in terms of your own, so there'll be two. So in terms of your own system, understanding what's going through it, understanding each of the processes that are taking place and attributing some sort of description to it - it is moving payroll data from here to here. And then I would probably give those different processes a different score in terms of their priority inside of business. But the fundamental flip side to that is auditing your supply chain, understanding that all of your suppliers that are moving data to, you're moving data to and from can be the weakest link for you. And it's really important that you understand what it is that they're using to exchange data with you and that it is sufficiently secure.
That's great. There's some great takeaways there, I think, James. Supply chain risk isn't going to go anywhere. As I said, technology is only going to continue to grow and get smarter.
Going back to the AI thing, aren't you?
I know, yeah.
Don't worry about the AI thing. But yeah, no, it's an area for increased concern for organisations, for organisations that are really considered about their supply chain and their longevity. It's always going to be there. I think something to pay attention to.
Well, thank you.
Thank you as well, twin.
Episode 3 is that?
It is, yes.
Wonderful. We have something very excited for. We have a special guest next episode.
We do.
We do. Looking forward to that. Thank you again, James, and a big thank you to our audience for tuning in. If you enjoyed today's discussion, please remember to hit subscribe. And if you have any questions, please do reach out to our team. We will make sure we leave the contact details in the notes below. Thank you very much, and we'll see you in the next episode.
