The rising number of cyber attacks targeting supply chains has prompted a closer examination of the underlying factors and strategies for mitigation. A report from French reinsurer SCOR indicates a significant 430% increase in such attacks in 2021. This escalation is attributed to the growing complexity, digital integration, and interdependence of supply chains, which makes disruptions to IT infrastructures increasingly impactful.
Nick Wagstaff, Principal Consultant at supply chain solutions provider Proxima, notes that every technological component in a supply chain presents a potential vulnerability. He cites the SolarWinds incident as a stark example of how a breach in a single part of the supply chain can have widespread repercussions. Wagstaff identifies phishing as a predominant risk, especially in the era of hybrid working, where systems are accessed through less secure means and attacks have become more sophisticated and frequent. He also mentions the emerging threat of brandjacking, where malware is disguised behind fake websites mimicking reputable brands. Wagstaff explains that supply chain software often relies on reused code or components, including open-source software; this complexity, combined with ongoing redevelopment, can create vulnerabilities. Additionally, the shift to remote work during lockdowns led to new vulnerabilities as corporate cyber defenses were adjusted or bypassed to maintain business operations.
Despite heightened awareness of these risks, Wagstaff observes that companies may focus on bolstering obvious defenses like network firewalls while neglecting other potential weak points. For example, a breach in a warehouse management system could cripple a company’s ability to process inventory, underscoring the need for comprehensive protection across all supply chain elements.
In addressing corporate shortcomings, Wagstaff points out that while new software typically undergoes rigorous security checks, continuous review and updating of existing supply chain solutions are often overlooked. Delaying software updates leaves openings for cyber attacks. Wagstaff advocates proactive prevention measures, acknowledging that while costly, they are crucial for long-term security.
He recommends several strategies for businesses:
- Invest adequately in IT departments and software to identify and guard against threats.
- Appoint a Chief Information Security Officer (CISO) with sufficient resources and authority.
- Regularly update cybersecurity tools, avoiding long-term commitments to quickly outdated products.
- Partner with software vendors or resellers that have a strong cybersecurity focus and track record.
- Ensure suppliers adhere to stringent cybersecurity measures and conduct regular audits.
Ian Pay, Head of Data Analytics and Tech at ICAEW, stresses the importance of including cyber risks in due diligence processes with suppliers. He emphasizes that suppliers’ cybersecurity measures are crucial, as businesses are responsible for protecting customer data even when it’s managed by third parties. The legal and reputational ramifications of a data breach in the supply chain can be significant.
Pay also points out that in the context of supply chains, phishing often aims to redirect funds. Therefore, maintaining accurate supplier data and establishing protocols for verifying requests to change supplier details are essential to managing cybersecurity risk. As businesses embrace the interconnectedness of modern supply chains, Pay reminds us that protecting internal systems remains just as relevant when those systems are managed by external parties.