Many factors have come together to increase the likelihood of a cyberattack on your supply chain. As the number of attack vectors has risen dramatically, cyber criminals, belligerent governments, and other threat actors have been targeting supply chains more actively. These cyber threats are becoming more severe when supply chains are already in crisis — a May 2022 report published by Accenture found that supply chain disruptions have led to a loss of €112 billion (0.9 percent of GDP) in the eurozone alone. Depending on the effects of the war in Ukraine, these losses could climb to €920 billion (7.7 percent of GDP) next year.
Worse, the sweeping digital transformation that’s giving the supply chain sector the tools to deal better with a disruptive norm is providing cybercriminals with ever-increasing opportunities to infiltrate companies. This is why supply chain cybersecurity platforms have to keep up with evolving cyberthreats and ensure that all attack vectors are covered at all times. There’s no better resource for building this type of resilience than a cyber-aware workforce, including every employee.
Cybersecurity is necessary for supply chain resilience
According to a McKinsey survey of supply chain executives, 93 percent say they’re taking steps to make their supply chains more resilient. And yet, Gartner reports that just 21 percent of supply chain leaders believe their networks are “highly resilient.”
Companies can improve this status quo by ensuring that every link of the supply chain is protected from cyber threats, which means implementing a comprehensive cybersecurity awareness solution across the company — and working with partners to do the same.
Because today’s supply chains are highly interconnected, a threat to one partner (a third-party vendor, for instance) constitutes a threat to the entire supply chain. This is one of the reasons 90 percent of supply chain professionals say visibility technology is a high priority — companies need to know what’s going on across the supply chain at all times, and this is particularly important when it comes to the state of their cybersecurity.
Supply chains face more cyber risks than ever
A recent report from NCC Group found that supply chain cyberattacks increased by 51 percent between July and December 2021, while less than a third of cybersecurity decision-makers said they were “very confident” that they could respond to one of these attacks quickly and effectively. Companies are clearly aware that this is an unacceptable level of risk — respondents said they were planning to increase their cybersecurity budgets by an average of 10 percent in 2022. According to the 2022 Verizon Data Breach Investigations Report (DBIR), supply chain attacks “increased dramatically” over the preceding year. “From very well publicized critical infrastructure attacks to massive supply chain breaches,” the report states, “the financially motivated criminals and nefarious nation-state actors have rarely, if ever, come out swinging the way they did over the last 12 months.”
The global integration of supply chains has introduced an extremely high level of third-party risk. As the National Institute of Standards and Technology (NIST) explains, among the top supply chain risks are “Third-party service providers or vendors — from janitorial services to software engineering — with physical or virtual access to information systems, software code, or IP.” NIST also cites “third party data storage or data aggregators” as potential attack vectors. One of the reasons 90 percent of supply chain leaders say they’re pursuing regionalization over the next three years is the fact that they’re concerned about third-party risks posed by geographically distributed partners. DBIR researchers emphasize the “interconnected nature of real-world environments when discussing supply chain and third-party breaches.”
Cybersecurity should be an integral part of any supply chain’s risk management strategy, but this strategy can’t be constrained within the four walls of your company. It isn’t just vital to generate stakeholder support for the development of a robust cybersecurity platform among your own employees. You have to do the same with your partners. As the DBIR observes, “one key supply chain breach can lead to wide ranging consequences.” However, over one-third of companies say they don’t regularly monitor their suppliers’ cybersecurity arrangements.
How cybersecurity awareness can protect supply chains
One of the most persistent trends in cybersecurity is the role of human beings in keeping organizations safe. The 2022 DBIR reports that 82 percent of breaches involve a human element: “Whether it is the use of stolen credentials, phishing, misuse, or simply an error,” the researchers write, “people continue to play a very large role in incidents and breaches alike.” There are constant reminders of the importance of cybersecurity awareness in preventing major supply chain attacks. Consider these examples:
- NotPetya infiltrated the shipping giant Maersk’s systems through a single infected computer. As a Wired article about the attack explained, a “finance executive for Maersk’s Ukraine operation had asked IT administrators to install the accounting software M.E.Doc [the vehicle for the NotPetya malware] on a single computer. That gave NotPetya the only foothold it needed.”
- Hackers breached Colonial Pipeline with a single compromised password. According to the DBIR, the use of stolen credentials and ransomware were the top two “action varieties in third-party incidents.”
- SolarWinds blamed a “compromise of credentials and/or access through a third-party application” for the major cyberattack it suffered in late 2020.
In all these cases — which represent several of the largest cyberattacks in history — human behavior had a direct impact on cybercriminals’ ability to infiltrate secure systems. While this is a reminder that employee negligence and error are among the most significant cybersecurity liabilities for companies in the supply chain sector, it also demonstrates that their most effective cybersecurity asset is employee awareness. With this fact in mind, consider how companies can empower employees to defend supply chains around the world.
Establish a proactive cybersecurity awareness program. When so many cyberattacks are the result of human behavior, it’s clear that educating employees should be at the top of any company’s list of cybersecurity priorities. Companies often realize this fact too late — 90 percent, for instance, say they provided employees with cybersecurity awareness training after a ransomware attack. There’s no reason you should wait to educate employees about cyber threats until you’ve already suffered the immense financial and reputational consequences of a cyberattack.
Ensure that your cybersecurity awareness content is engaging and relevant. The biggest mistake companies make when they try to educate their employees about cyber threats is failing to recognize how busy adults learn. It’s necessary to keep employees engaged with compelling, narrative-driven content about the latest cyber threats, leverage effective learning techniques like gamification, and give them brief (but consistent) episodes and exercises that won’t overload learners with unnecessary information. Cybersecurity awareness content should focus on the specific threats employees face, such as third-party risk in the supply chain sector.
Give employees the resources and information they need. Recall the three major supply chain cyberattacks cited above. NotPetya infected the entire Maersk system because one employee downloaded malware onto a single device. This demonstrates the importance of training content that teaches employees how to identify various forms of malware. The attack was also a reminder that physical device security is crucial — especially in an era of remote work, when more employees will be using coffee shops and airport terminals as makeshift offices. Compromised credentials were implicated in the Colonial Pipeline and SolarWinds attacks, and the 2022 DBIR reports that the use of stolen credentials is the top action variety in breaches. Companies can cite these facts to emphasize the importance of using tools like password managers and VPNs, while highlighting the dangers of sharing credentials or failing to update them.
These are just a few of the ways companies can build cybersecurity awareness into their supply chains. While the supply chain sector will face even more relentless and destructive cyberattacks in the coming years, business leaders have never been more aware of this threat. If you’re a supply chain leader, now is the time to make cyber resilience a core priority at every level of your organization. When employees learn how to identify and prevent supply chain cyberattacks, they won’t just keep the company safe — they’ll help the entire economy avoid the calamitous disruptions we’ve experienced over the past several years.
Shaun McAlmont is chief executive officer of Ninjio.