There hasn’t been much good news around in 2020, but the world of tech – for example, software as a service (SaaS) and the Industrial Internet of Things (IIoT) – has at least shown some glimmers of hope. While the Coronavirus disease (COVID-19) has closed factories and workplaces, many enterprises have managed to navigate the uncertainty by leveraging technology for operations, for communications and throughout their supply chains. In fact, the ability to share information remotely has helped some to transform, optimize and future-proof their companies, even in the face of adversity.
These lessons are hard won, but extremely valuable. However, digital transformation inevitably brings a certain amount of risk, and that is particularly true when we consider risks to the supply chain.
Supply chains can often be an overlooked part of a company’s security posture, leaving them as targets for cybercriminals, who may attack organizations opportunistically or as part of a planned and targeted attack. Even the most security-conscious business may have hundreds or even thousands of suppliers, and never really know which of those suppliers may lack awareness of the cybersecurity measures needed or fail to protect their organizations appropriately.
Obviously, this is bad news for organizations that utilize suppliers that have poor security controls. If a supplier suffers a data breach or malware attack, this can affect others in the supply chain in many ways, for example:
· The compromised systems may be used as a “beachhead,” a digital foothold used for further advancement to deliver malware or spyware into the systems of others in the supply chain.
· The compromised supplier may lose data, including sensitive commercial or customer information, which may cause more harm for their customers than it does for themselves.
· The company producing the end product often bears the brunt of the brand damage from a compromised supplier.
· Customer data may be lost or compromised.
These are all substantial risks, but many organizations worry they cannot control such risks because so much of the supply chain lies outside their control. After all, they can’t manage cybersecurity for a whole chain. So, how can a business protect itself?
Supply chains – all for one and one for all
Supply chains are almost always a conduit for large volumes of data, much of it sensitive. This information can come from contracts, design schematics and details, working processes, operational systems (e.g., sensors in IIoT equipment on factory floors and components in connected products) and business planning.
Over time, supply chain members share risk, and that is an important consideration for any business because it can often be surprisingly easy for cybercriminals to reach the connected networks and systems we use in our supply chains today. Criminals may launch distributed denial of service (DDoS) attacks, lace innocent-looking emails with links to fake websites (or files) that are loaded with malware and send them to staff members at any organization they want to harm, or spot vulnerabilities in open source software that they can later exploit as required.
Cybercrime is now the most common form of crime in many regions, and thousands of new threats emerge every single day. Cybercriminals often target companies in a supply chain that are ultimately linked to their actual target, especially if they believe that supplier will be easily breached.
The nature of the digital supply chain means there is a certain amount of trust involved and that its members share a certain amount of risk. However, savvy businesses do not rely on trust alone when it comes to supply chain security, and they take determined steps to minimize the risk.
Raising cybersecurity levels across the supply chain brings commercial benefits
The advent of Industry 4.0 and the increasing volume of data being shared across supply chains means that businesses must now put cybersecurity at the forefront of supply chain management.
Most businesses now face increasing risk of a cyberattack, due to the growing complexity of supply chains and increased attack surface from IIoT connectivity.
And yet, fortunately, it is straightforward for one organization to set the security requirements for its suppliers, in procurement processes for example, and in doing so, enhance cybersecurity across the board.
The key is to make sure that specific levels of security assurance for cybersecurity are being enforced across the entirety of the supply chain. Just as most organizations would not buy a crucial hardware component without making sure that it meets the relevant requirements, so they must ensure that suppliers’ cybersecurity is assured to the right level to minimize that supplier’s risk – and their own.
This means that:
· An appropriate level of cybersecurity must be defined, shared and agreed on by all members. It must be documented and it must be comparable across different hardware, software and service providers, depending on the risk levels they present. All suppliers must commit to achieving and maintaining this security level in their daily business.
· All organizations must have robust plans and policies for dealing with a cyberattack and, crucially, for informing other members of their supply chain as soon as a breach or incident occurs.
· These plans and policies should be required and documented.
· Where appropriate, cybersecurity measures should be written into supplier and staff contracts (staff members are a key source of digital compromise, often through a lack of training or awareness of cybersecurity matters) as part of procurement processes.
· All suppliers must be able to demonstrate their compliance with the agreed security requirements.
Not only does this approach assure security for the entire supply chain, and minimize the risk of cyberattack, it also conveys genuine commercial benefits. An organization that can prove its understanding of and commitment to cybersecurity becomes an attractive prospect for other businesses to work with and for customers who are increasingly wary of sharing their data with companies they don’t know to be trustworthy.
This collaborative approach can also help more security-conscious organizations raise the level of security across their supply chain, including by sharing best practices with suppliers and helping them achieve higher levels of performance.
It may take commitment to achieve, but the effort is well worth it.
Most suppliers share a great deal of data with purchasing organizations now, but with increased connectivity that volume will continue to grow dramatically. Industry 4.0 is here to stay and companies in all sectors are increasingly reliant on embedded software, connected systems and digital processes.
At the same time, the threat from cyberattacks is growing by the day. More than half of all breaches are caused by third parties’ poor security practices.
Yet, paradoxically, it is possible for organizations to protect themselves from cybercrime by being more open: by sharing information with their suppliers, such as cybersecurity best practices, requirements and alignment. In a world that is increasingly aware of cybersecurity threats, the prospect of engaging with a business that can be trusted to protect its suppliers and customers – and, most importantly, can clearly document that trustworthiness – is extremely attractive indeed.