How Leaders Can Protect Supply Chains Against Cyber Risks

Explore procurement leaders’ vital role in safeguarding supply chains against cyber threats.

February 12, 2024

Baber Farooq, senior VP at SAP Procurement Solutions, highlights the rise of supply chain cyber-attacks. Despite the threat, organizations lack the know-how and resources to tackle them, underscoring procurement’s crucial role in enhancing resilience.

As companies and consumers increasingly rely on global, interconnected supply chains, procurement operations have become a favorite target for cybercriminals. The past two years have seen a worrying rise in cyber-attacks: documented instances of supply chain-focused attacks have increased 633% over the past year, equating to a 742% average yearly increase in software supply chain attacks since 2019. With distributed, multi-tiered supply chains now standard for today’s businesses, these attacks will likely continue to increase in the years to come.

Despite growing threats, companies continue to fall behind — failing to invest in the resources or processes needed to prevent these attacks and respond effectively to large-scale incidents. In fact, according to a 2023 survey of 500 C-level executives by Economist Impact, cybersecurity was found to be the fourth-highest organizational risk priority, cited by 27% of respondents. The overall lower status of cybersecurity could be problematic, given that cyberattacks are growing more sophisticated as hackers specifically target supply chain weaknesses. 

According to Interos’ 2023 Supply Chain Survey, 90% of organizations remain unaware of sub-tier supplier disruptions for up to 48 hours after they occur. In a digital-first landscape, that is more than enough time for attackers to cause serious damage.

Procurement plays a pivotal role in operational resilience. Therefore, prioritizing supply chain and third-party risk management should be foundational for any successful company. To stay ahead of these cyber risks, here are three ways procurement leaders can set themselves up to prevent supply chain disruptions before they occur—and respond faster when they do. 

Analyze Supply Chain Variables and Dependencies

Today’s supply chains are sprawling enterprises comprising multiple suppliers, stakeholders, and partners. While these multi-tiered setups offer many benefits, they can create transparency and dependency issues.

Each supply chain tier has the potential to expose a critical gap that organizations need to be aware of. However, Deloitte’s 2023 Global Chief Procurement Officer Survey found that just 2% of firms said they had “high visibility” beyond tier one of their supplier networks.

Meanwhile, the most common source for disruptive supply chain incidents, including cyber-attacks, in the past 12 months was tier-2, followed by those at tier-3. This is a glaring issue. If enterprises don’t know who they are doing business with—directly and indirectly—it is almost impossible to manage risk proactively.

The demands of managing multiple suppliers across various levels of the supply chain can be daunting. But because risk stems not just from direct suppliers but from others further down the chain, managing it effectively is crucial to achieving higher levels of security. By fostering relationships built on open communication with suppliers, procurement leaders can uncover crucial dependencies that may affect operations. These dependencies could be as simple as a supplier’s contracts for data storage or as complex as its relationships with the vendors from which it purchases materials or other resources.

With a more detailed understanding of the variables at each level of the supply chain, organizations can create requirements for suppliers, such as shared tools that surface important insights and identify risks in real-time—staying ahead of vulnerabilities and preventing cyberattacks before they occur. 

Ensure Continuous Due Diligence With Suppliers

Unfortunately, supply chain disruptions aren’t going anywhere. Whether they result from material constraints or cyberattacks, these disruptions cost companies, on average, 45% of one year’s profits over a decade, according to Knut Alicke and Daphne Luchtenberg of McKinsey.

For instance, a cyber-attack on a shipping company, major port, or logistics company could have serious consequences for those entities, extending to retailers, customers, and the global economy. According to GOV.UK, 90% of all goods are carried by sea at some time in the supply chain. Given how many industries rely on the maritime, ports, and logistics sectors, any disruption in the supply chain can have far-reaching consequences. For example, global supply chains are currently facing severe disruption because the world’s biggest shipping companies are diverting journeys away from the Red Sea in response to Houthi attacks on commercial ships.

With the Suez Canal handling about 12% of global trade, all of that will have to be redistributed elsewhere, which can incur additional costs and delay travel times by more than ten days – these extra costs being passed on to customers. While the attack on commercial vessels is unprecedented, it illustrates the consequences and fragility of supply chain disruption.

Periodic monitoring is insufficient to mitigate these risks or to respond quickly to events. To avoid risks, procurement leaders need to start from square one: performing due diligence during the supplier selection process and then implementing continuous monitoring across their extended supply chains for the duration of the relationship.

Considering a supplier’s suppliers might seem daunting, but it should not be ignored. Risk Ledger reports that over 20% of organizations do not conduct security due diligence before entering a contract. On top of that, 23% of suppliers do not have formal agreements in place with their third parties regarding security clauses. These situations compound the risks of cyberattacks and make an organization increasingly vulnerable to a breach. 

From the beginning of any supplier relationship, procurement teams should inquire about the cybersecurity risks inherent to their businesses and the steps they’ve taken to mitigate them. This will require transparent information sharing and may even require shared investments to ensure security.

Going a step further, procurement teams should consider increased monitoring throughout their partnership. Interos reports that most organizations, around 59%, say that they conduct risk monitoring on their most critical suppliers quarterly or annually. That frequency is even lower for other suppliers—closer to just once a year. By performing frequent due diligence, you can build new processes and ensure both parties take the supply chain’s security seriously. 

Invest in Risk People, Processes, and Technology

The growing rate of cyberattacks shows that becoming a victim is a matter of when, not if. By now, every modern enterprise is equipped with solid network and cloud security systems that can detect the early phases of an attack. However, good detection technology is not enough. Staying ahead of cyber risk requires a balanced approach combining technology and talent, and company executives echo this philosophy.

According to the Interos report, nearly all companies (95%) think they need to improve their risk management capabilities, and executives say they want to increase their investments significantly or moderately across people (52%), processes (56%), and technology (53%). With the right blend, procurement leaders can drive down the costs of supply chain disruptions as more mature organizations report lower costs associated with disruption and better visibility in their supply chain.

Just as companies look to invest in powerful threat prevention tools, they should increasingly invest in their cybersecurity workforce. The rising volume of cyberattacks has left security teams overworked and overwhelmed. That makes it difficult for them to differentiate between an actual attack and noise, exposing further vulnerabilities for attackers to exploit. 

According to research by ISC2, the nonprofit member organization for cybersecurity professionals, two-thirds (67%) of organizations report a shortage of cybersecurity staff needed to prevent and troubleshoot security issues.

As a result, many organizations are focused on building strategies that help address the shortages and burnout facing their organizations—investing in training, providing more flexible working conditions, and using technology to automate aspects of the security job, among other approaches. 

Managing risks throughout the supply chain is essential for today’s businesses. By investing in these key elements of threat prevention – people, processes, and technology – companies can strengthen their protection against cyber risks while building a better experience for security teams going forward. 

Baber Farooq

Senior Vice President and Head of Market Strategy, SAP Ariba

Baber is the Senior Vice President and Head of Market Strategy for SAP Ariba, leading a team focused on delivering world-class procurement and external workforce solutions that drive optimal outcomes for customers today and into the future. Baber has extensive procurement knowledge and, since joining SAP Ariba in 2006, has worked with customers across the globe, understanding their challenges, their procurement transformation goals, and their view of success.