Three years ago, supply chains were mostly unthought of outside of the procurement industry. Yet, as new cars became impossible to find, retailers' shelves were emptied and construction timelines seemed infinitely extended, suddenly everyone was aware of their impact on our daily lives.
The fragility of supply chains is not new. Rather, the growing pains and pressure on the industry have been increasing slowly over time and were simply exacerbated by the pandemic. Of course, COVID-19 was a high-impact and low-probability event. Even as it escalated in March 2020, most were hesitant to accept the impact and implications it would have.
While it is unlikely that another pandemic will derail the retail and purchasing industry in the near future, it is still under duress. With the recent and still ongoing digital transformation of procurement, along with a steadily increasing number of bad actors, cyberattacks have been and will continue to be the dominant threat facing the industry in the coming years.
As a chain is only as strong as its weakest link, the increased sharing of information and data between vendors creates a large threat surface and leaves many vulnerable to attack. Bad cyber actors recognize this lack of resiliency and are seizing their opportunity to wreak havoc on the American way of life. In 2021, cyberattacks on supply chains increased by 51%.
President Biden and his administration completed a comprehensive review, identified solutions to secure specific supply chains against a wide range of risks and vulnerabilities, and established a first-of-its-kind Supply Chain Disruptions Task Force.
The vulnerabilities of supply chains are clear, but how do supply chain and cybersecurity professionals band together to protect our way of life? To best defend our processes and resources, the supply chain industry must be aware of the key risks, principles and best practices for preventing and resolving cyberattacks.
A supply chain’s expansive threat surface increases its vulnerability to an attack. From sourcing, vendor management, continuity and quality control to transportation security and more, an attack on just one of these aspects could disrupt the entire chain. Lower-tier suppliers that have fewer resources could be especially vulnerable.
Other risks include compromised or counterfeit software and hardware, malware or low-quality data aggregators.
With a number of external partners and the associated lack of visibility, combating these factors makes cybersecurity especially challenging for the supply chain industry. This lack of visibility underlines the guiding principles of supply chain security: defenses must be developed for worst-case scenarios, and plans should be prepared to stabilize a supply chain after any type of attack.
While safeguards should be in place for prevention, accepting that attacks are inevitable allows you to be the one with the upper hand when one occurs. By creating plans and establishing decision matrices, you can ensure your supply chain withstands any number of incidents.
These measures should not be limited to cybersecurity measures, but should also include facilitating greater domestic production, a range of supply sources, built-in redundancies and adequate stockpiles, all of which are recommended in President Biden’s executive order.
Alongside these steps, leaders should also be armed with the industry’s best practices when dealing with vendors, human error and a variety of vulnerabilities. In dealing with partners, it is crucial to establish security requirements that are included in each RFP and contract, to address any vulnerabilities and security gaps with partners, and to limit vendor access to both software and hardware.
To reduce human error, automate manufacturing and testing as much as possible and implement secure boot processes that require authentication codes.
In the digital age, attacks on supply chains are inevitable. To defend them, we must acknowledge and prepare for the risks while living by the guiding security principles and best practices.