Okay, I admit the headline is sarcastic. It comes as NO surprise that in the digital age cyber threats are becoming a greater concern. The late Palestinian poet Mahmoud Darwish once wrote, “Sarcasm helps me overcome the harshness of the reality we live, eases the pain of scars and makes people smile.” I’m not sure sarcasm will help supply chain professionals smile, but it may help them face the harshness of the reality they face as they transform traditional supply chains into digital supply chains. In an article about a survey conducted by Supply Chain Insights, Alarice Rajagopal (@Alarice_R) writes, “When asked about the top three events which impacted their supply chains during the period of 2013-2018, respondents mentioned cyber security, port infrastructure issues and shifts in economic policy with Brexit.”[1] As Lora Cecere (@lcecere), founder and CEO of Supply Chain Insights, states, “Cyber-attacks are worthy to note. The impact is growing. It was not a major factor in our prior risk management reports. It is expected to grow through the evolving decade.”[2] That’s the harsh reality supply chain professionals are facing.

Cyber security risks

The digital age introduced a number of new risks business leaders needed to confront, like software glitches, network outages, and data breaches. By far, the most worrying for most businesses are data breaches. New legislation enacted by the EU and California — respectively the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) of 2018 — can significantly impact how organizations gather, store, and use personalized consumer data. Data breaches can result in significant monetary fines and expose companies to costly litigation. Data breaches aren’t acts of God like natural disasters. They are deliberate attacks by hackers. JP Morris explains there are at least four different types of hackers.[3] They are:

• Malicious amateur: “A hacker who breaks into systems just for the challenge, without any specific motivation tied to the company under attack.”
• Criminal attacker: “A hacker who breaks into systems with the goal of committing a criminal act that is enabled by the break-in (extortion, blackmail, selling data, etc.).”
• Competitive attacker: “A hacker who breaks into systems in order to put a competitor at a disadvantage.”
• State-sponsored attacker: “A hacker who acts as a representative of a country and is looking to disrupt other countries via cyber attack.”

When it comes to cyber attacks, vigilance is the watchword. Hackers are relentless. Jill Jusko (@JJuskoIW) reminds us of cyber attacks involving WannaCry ransomware and NotPetya assaults that cost companies billions of dollars. She notes, “Today geopolitical tensions are increasing and with them, the threat of more, and more-devastating, cyber attacks.”[4] Martin Giles (@martingiles) reports a new “rogue code” dubbed Triton, could be the deadliest malware ever unleashed. According to Giles, “[Triton] can disable safety systems designed to prevent catastrophic industrial accidents. It was discovered in the Middle East, but the hackers behind it are now targeting companies in North America and other parts of the world, too.”[5] To reinforce the case that hackers are getting more aggressive, Jusko points to a 2018 talk given by cyber security expert Roel Schouwenberg, director of intelligence and research at Celsus Advisory Group. “Cybersecurity does not exist in a vacuum, he noted. It is connected to everything, including geopolitics. Moreover, it is clear the Internet is becoming ‘militarized,’ he said. … And, Schouwenberg said, cyber attacks are becoming all about the supply chain. ‘[It] means you are both a target for attack and a vehicle for attack.’” Supply Chain Risk Managers need to pay particular attention to that last assertion.

When working together, how safe are your partners to work with and how safe are you?

Because digital supply chains are all about connectivity and data sharing, risk managers must worry about vulnerabilities at partner enterprises as well as internal vulnerabilities.

Are your supply partners safe to work with? Kelly Sheridan (@kellymsheridan) reports, “Nearly 60% of organizations have suffered data breaches resulting from a third party, as suppliers pose a growing risk to enterprise security. … Third party breaches are significant and in the US at least, they are growing.”[6] Sheridan reports a survey conducted by The Ponemon Institute and commissioned by Opus found, “Companies struggle to keep an inventory of all their suppliers due to a lack of centralized control (69%) and the complexity of these relationships. Only 15% know how their information is accessed and processed by the companies they work with, and only 28% receive notifications when their information is shared with a third party, researchers report. Many don’t know what to do. Only 37% say they have sufficient resources to manage third-party relationships; 35% say their third-party risk management program is ‘highly effective.’ When it comes to supply chain risk, many businesses are in the dark. Researchers note 22% of respondents could not determine whether they’d had a third-party breach in the year prior.” Although it may be difficult, at a minimum, companies need an inventory of their supply partners. Sheridan cautions, however, “Keeping meticulous track of the third parties you work with doesn’t guarantee security. Almost 60% of companies with an inventory don’t know if their safeguards are strong enough to prevent a breach and less than 50% evaluate the security practices of their vendors. Sixty percent don’t have the resources to verify vendors’ security posture; the same amount don’t require third parties to complete questionnaires or conduct security assessments.” It’s a case of buyer beware.

Are you safe to work with? Companies can’t always point fingers elsewhere when a data breach occurs. David K. Williams (@DavidKWilliams), founder and chairman of DKW Ventures, writes, “There’s an emerging category of business — supply chain risk management — of which many companies aren’t yet aware. For the largest companies, this is a jugular area.”[7] There is no faster way to slice the jugular than with a cyber attack. Companies need to ensure their cyber security practices are in top shape before they start criticizing their supply partners. Like most other areas of business, cyber security requires attention be given to people, processes, and technology. At the very least, Schouwenberg recommends companies take the following steps:

• Look at security holistically.
• Identify key assets and lock down access.
• Talk to your suppliers and vendors.
• Consider whether your product/service could be attack vehicles.

Even the best systems might falter under the relentless attacks of hackers; however, that is no excuse for complacency. The consequences of suffering a breach can be so devastating companies need to demonstrate equal resolve in meeting the threat.

Concluding thoughts

Schouwenberg notes, “The stakes are increasing. … Size doesn’t matter. Be aware that everyone can be a target, or a vehicle to get to a target.” Although it’s no surprise cyber risks are rising in digital supply chains, supply chain professionals seem to be constantly surprised when a breach happens to them. If ransomware attacks, loss of consumer confidence, and risk of losing intellectual property aren’t sufficient motivation for increasing cyber security, consider the fact enormous fines are possible if companies violate provisions of the GDPR and that companies are open to lawsuits (including class action lawsuits) if they violate provisions of the California law. With all the warning signs companies have been given, there is no excuse for being surprised.

Footnotes
[1] Alarice Rajagopal, “Cyber Attacks Top List Of Risks Impacting Supply Chain,” Cyber Security Hub, 7 February 2019.
[2] Ibid. (See also, “How Can You Drive Opportunity If You Cannot Manage Risk?” Supply Chain Insights, 2018).
[3] JP Morris, “Supply Chain Risk: Insights on the Issues and a Look at Hacking Threats,” Spend Matters, 7 February 2019.
[4] Jill Jusko, “Cyber Attackers Are Growing More Aggressive. Are You Prepared?” IndustryWeek, 11 May 2018.
[5] Martin Giles, “Triton is the world’s most murderous malware, and it’s spreading,” MIT Technology Review, 5 March 2019.
[6] Kelly Sheridan, “Who’s the Weakest Link in Your Supply Chain?” Dark Reading, 27 November 2018.
[7] David K. Williams, “Is Your Company Safe To Work With? Here’s How To Be Sure.” Forbes, 9 January 2019.