9 Steps to Safeguard Your Digital Supply Chain
Even as digital supply chains have become more critical, they’ve also become increasingly vulnerable to attack. Here’s how to lock up your information.
Best Practices to Manage Cyber Risks
Digital supply chains—the flow of information that accompanies physical supply chains, providing visibility and connections to suppliers and logistics partners—have become as essential to a company’s success as the boxes, pallets, and containers they and their partners fill and move.
Digitally enabled supply chains are rapid, scalable, intelligent, and connected, says Alan Amling, distinguished fellow with the University of Tennessee Supply Chain Institute.
While the information that makes up the digital supply chain has always been important, the pandemic highlighted its criticality. Over the past few years, many companies, including those with best-in-class operations, discovered disruptions at Tier 3 or Tier 4 suppliers upended their own supply chains, says Andrew Stevens, research director within Gartner’s supply chain technology group.
In 2020, more than 40% of organizations reported COVID-related disruptions in Tier 2 (and beyond) suppliers, finds a Business Continuity Institute (BCI) report. Without the visibility that strong digital supply chains can provide, these firms lack the information they need to craft alternate plans.
Even as digital supply chains have become more critical, they’ve also become increasingly vulnerable to attack. One-third of organizations reported supply chain disruptions caused by cyberattacks and/or data breaches in 2020, up from 26.1% in 2019, BCI finds.
One reason may be that more organizations are incorporating the Internet of Things (IoT) into their plants, warehouses, and equipment. The global number of connected IoT devices will jump to more than 27 billion by 2025, up from 12.3 billion in 2021, estimates IoT Analytics.
While IoT connections provide visibility and efficiency, they can leave organizations more vulnerable to cyberattacks, says Sebastian Reiter, partner with McKinsey & Company and digital supply chain expert.
Safeguarding digital supply chains has become essential. “Technology is a double-edged sword,” says Randal Waters, senior vice president in the emerging risks group of Marsh Advisory. It enables efficiency gains, but the impact of an outage can be significant business interruption, he adds.
Here are nine steps that can help secure digital supply chains.
1. Take a security-first approach to prevent future cyberattacks.
The supply chain system connects many vendors, suppliers, and organizations and it’s inevitable that one organization has a weak security infrastructure. “Securing all endpoints within the supply chain system is critical to staying in front of supply chain threats,” says Theresa Lanowitz, head of cybersecurity evangelism with AT&T Business.
2. Start with people.
Criminals usually find it easier to call a company employee and try to persuade them to divulge information, or to send a “phishing” email that attempts to get information, rather than hack into a system, which requires some level of technical expertise, says Mark Simon, vice president of strategy with Celigo.
Moreover, phishing attempts are becoming more sophisticated and difficult to identify, even as employees are busier and often juggling multiple roles, making them more susceptible to these attempts.
Given that the biggest security risks tend to be not hardware and software, but employees, proper training and policies are key. For instance, employees should be instructed not to follow emails that purport to come from a company executive and request an immediate action that falls outside established processes.
When an email looks like it’s from senior leadership, “there’s an implied sense of urgency,” says Simon. Employees may feel justified in circumventing security processes—exactly what the criminal is counting on.
Corporate policies should incorporate checks and balances that can help thwart social engineering attempts. For instance, an organization might prohibit the use of email, rather than the payment system, to initiate funds transfers to vendors.
3. Implement the appropriate governance.
Strong governance ensures that each player in the supply chain has in place a clear and effective cybersecurity plan that is regularly maintained and remains up-to-date with ongoing requirements of the cyber industry, Lanowitz says.
An organization must work side-by-side with its vendors and suppliers to reduce weak points in its network and prevent vulnerability to attacks. With strong governance, organizations in the supply chain should have a strong digital security infrastructure.
4. Work closely with suppliers.
Cyber-criminals typically take the path of least resistance when they try to penetrate a high-stakes corporate database, Amling says. Rather than attack the fortified networks of most large companies, some identify Tier 2 or Tier 3 suppliers that lack the capital or knowledge to protect themselves.
Businesses need to assess the security not only of their own networks, but those of their suppliers. That requires carefully evaluating potential vendors. Look closely at the contract terms: What risk is contractually defined, transferred, and/or shared? What are the potential damages if something goes wrong?
Ideally, vendors will have their own cyber-insurance policies, as this indicates they understand their cyber risks and have controls in place.
An external party should evaluate companies that provide digital supply chain services, such as cloud computing, software-as-a-service, or chatbots and virtual assistants using artificial intelligence, advises Mark Brown, global managing director of cybersecurity and information resilience with BSI Group. This could mean obtaining a SOC 2 report that examines the organization’s logical and physical security controls.
Brown also recommends reviewing existing contracts. Over the past year or two, many organizations had to quickly move to cloud-based services, leaving little time to check their providers’ governance and compliance protocols.
Now, they may find some contracts don’t include reasonable cybersecurity protocols, such as the ability to audit the services provided. Organizations should seek to change the terms, if possible.
5. Implement security technology.
While the human element is key in cybersecurity, technology also plays an essential role. Although the tools vary from one organization to another, a few are commonly used across industries, Waters says. One is multi-factor authentication, which requires users accessing accounts or apps to provide an additional identity verification, such as scanning a fingerprint or entering a code received by their phones.
Other cyber-hygiene controls Waters recommends include endpoint detection and response; secured, encrypted, and tested backups; and privileged access management.
Cyber-risk management information systems that consider key risk indicators can provide the transparency supply chain leaders need to ensure their organizations’ cyber resilience, Reiter says. Looking at key risk indicators can help companies evaluate their digital assets and determine what controls are appropriate, given the threat levels to which assets are exposed.
6. Consider the cloud.
The cloud is gaining traction as a security tool, particularly for mid-market and smaller companies.
“With the increasing scale of many cloud providers, they can deliver security capabilities that may be out of reach for middle-market companies,” according to the RSM US Middle Market Business Index 2021 Cybersecurity Special Report. Forty percent of survey respondents indicate they moved data to the cloud due to security concerns over the past year.
The axiom “failing to prepare means preparing to fail” holds true when safeguarding digital supply chains.
The traditional approach to testing supply chain services has generally been threefold: completing a questionnaire of compliance/risk management, and incorporating an annual right to audit review as well as an independent audit review, like a SOC 2 report, Brown says.
Today’s approach takes these actions one step further and incorporates real-time monitoring of information on critical suppliers within digital supply chains.
As part of their testing efforts, organizations should develop business continuity plans, says Raj Samani, chief scientist and fellow with McAfee Enterprise and FireEye. That includes outlining the steps to take if a system goes down.
8. Consider insurance.
When evaluating cybersecurity efforts, consider whether risk transfer products have a role to play. No matter its size, any organization that is heavily reliant on its digital infrastructure should evaluate whether a cybersecurity insurance policy is right for them, Waters says.
A policy can reduce balance sheet volatility and the overall risk to the business, while helping to ensure its ability to continue serving customers.
9. Accountability remains.
While many supply chain organizations benefit greatly from partnering with third-party service providers, such as cloud computing partners, they can’t outsource accountability.
“Where an external service provision within the digital supply chain operations fails, the accountability remains with the company,” Brown says. Potential consequences include damage to the company’s reputation and compliance penalties.
Companies need to consider warranty, indemnity, and liability provisions in their contracts with service providers. They also need to put in place the systems, policies, and technology that enhance the resilience of their digital supply chains and their supply chain networks.
The security challenges to digital supply chains remain formidable, yet a bright spot can be found. A growing number of business leaders and board members understand the importance of active involvement in building cyber-resilience, as well as the connection between cyber risk and their strategies.
More than 82% of respondents to the BCI report say management’s commitment to supply chain risk is “medium” or “high”—up nearly 10 percentage points from 2019.
Best Practices to Manage Cyber Risks
These practices can help organizations manage their cyber-supply chain risks, according to the National Institute of Standards and Technology (NIST):
- Include security requirements in every RFP and contract.
- Deploy a security team to work on-site with vendors that have been accepted into the formal supply chain, to address any vulnerabilities and security gaps.
- Implement “one strike and you’re out” policies with respect to vendor products that are either counterfeit or do not match specifications.
- Control component purchases tightly. Prequalify component purchases from approved vendors. Unpack, inspect, and X-ray parts purchased from other vendors before accepting them.
- Obtain source code for all purchased software.
- Establish track-and-trace programs to identify the provenance of all parts, components, and systems.
- Ensure personnel in charge of supply chain cybersecurity partner with every team that touches any part of the product during its development lifecycle and that cybersecurity is part of suppliers’ and developers’ employee experience, processes, and tools.