The rise of the digital supply chain has brought countless new opportunities and efficiencies for companies, helping them evolve to meet the modern customers’ demanding expectations for speed and service. However, the digital supply chain also has brought with it fresh and uniquely dangerous security risks for companies to monitor and manage.
“As companies transition to a digital supply chain, the traditional supply chain risks are still there, but there are all these new risks coming up, too,” said Craig Moss, a director of the Cyber Readiness Institute and the Digital Supply Chain Institute and executive vice president of Ethisphere. “Cybersecurity issues and data loss or information security issues are an enormous and growing threat to companies.”
According to a Harvard Business Review article, Sonatype estimated an increase in digital supply chain attacks of 400% between July 2019 and March 2020 compared to the previous four years combined. The seriousness of these attacks is clear—a Verizon study estimated that 60% of small- and medium-sized organizations go out of business within six months of a cyberattack.
“Organizations are suddenly armed with a wealth of additional data, and this often needs to travel to others across the supply chain and out to empowered, informed customers who demand visibility and transparency,” shared Andy Bridden, an Internet of Things expert with PA Consulting. “Intellectual property theft, industrial espionage and malicious interference in operations are all crimes made easier as supply chains increasingly rely more heavily on digital technology.”
In April 2021, Paul Nakasone, the commander of U.S. Cyber Command, told the U.S. Senate Select Committee on Intelligence that countries increasingly are targeting supply chain vulnerabilities. Jeannette McMillian, assistant director, supply chain and cyber directorate, National Counterintelligence and Security Center, said foreign states use cyber operations “to steal information, influence populations and damage industry—including physical and digital critical infrastructure.”
“Although an increasing number of state and non-state actors have these capabilities, we remain most concerned about Russia, China, Iran and North Korea,” McMillian said. “Many skilled foreign cybercriminals targeting the United States maintain mutually beneficial relationships with these and other nations that offer them safe haven or benefit from their activity.”
Reducing risk
McMillian noted that all industries rely on digital infrastructure now in their supply chain, so “every sector is vulnerable to cyberattack.”
“Therefore, having a strong cyber risk management program is the first step companies can take to reduce their risk of and quickly recover from a cyber supply chain attack,” she said.
Moss points to four key areas where the typical small- or mid-sized company in the supply chain needs to take basic steps internally to confront cyber risks. One is that staff members use strong passwords and multifactor authentication. A second is timely software updates on both company-issued devices and personal devices that workers use to connect to company networks. Third is an emphasis on preventing phishing incidents. And the fourth area is contending with removable media and file storage, such as USB flash drives—which can get infected easily when they move from computer to computer.
“Whether it’s the cyber side, or the broader information security side, human behavior is really something that’s critical to reducing risk,” Moss said.
With that in mind, McMillian said a common mistake that organizations make is treating cybersecurity as an afterthought. Instead, cybersecurity is a necessary component of enterprise risk management for today’s companies, particularly those tied to the supply chain. A successful enterprise risk management framework will prioritize cybersecurity throughout an organization.
“Companies should develop a culture in their organization where every employee sees cybersecurity as their responsibility,” McMillian said.