How secure is your supply chain? Do you even know what security risks your suppliers are creating? And how does that change the risk profile of your own organization?
These questions are no longer just the preserve of supply chain managers; they’ve become critical to the security of the entire enterprise. Why? Because supply chains are becoming more complex and more integrated than ever. And the number of potential risks and vulnerabilities is growing exponentially.
To meet customer and market expectations, companies are reconfiguring their supply chains for greater resilience, transparency, and speed. The familiar linear supply chains of the past are being transformed into more flexible, more digital, more connected supply chain networks. It’s not just about plants, warehouses and logistics anymore. You now also have myriad connections with cloud providers, SaaS platforms, IT providers, benefits providers, and many others. What’s more, these suppliers are being integrated much more closely than previously. In many cases, they’ve been allowed to plug directly into enterprise systems to speed up data sharing.
You're only as secure as the weakest link in your supply chain
The result is that the modern enterprise has so many more points of connection with the outside world and sees so much more data flowing through those connections than in the past. That’s essential for business agility and speed. But it massively increases the risk profile, both in the size of the potential cybersecurity attack surface, and in the flow of products and components through supply chains.
Any weaknesses in supplier systems become weaknesses in your systems. Just think about the fact that each supplier probably has its own equally integrated and complex supply chain to manage as well, and you get a sense of the scale of the potential vulnerability.
We’re not just talking about a theoretical risk either. We know that as much as 40 percent of cybersecurity attacks are now occurring indirectly through the supply chain, or via cloud or managed providers. There are countless examples out there. Take AVIVORE, a sophisticated adversary that has attacked organizations in aerospace and defense. Despite those organizations having strong cybersecurity measures in place, AVIVORE gained access by targeting high-tech engineering businesses that sat within their supply chains.
There are other factors to consider here too. Think about the potential impact on brand perception if a business can provide assurance to its customers about the security of products across its entire supply network (or how customers will react if it can’t). What’s more, in some sectors cybersecurity maturity is becoming a de facto standard or even a regulatory requirement of doing business. That’s true in parts of telecommunications and defense already, and other sectors are highly likely to follow.
Time to think holistically about security
So what do enterprises need to do to shore up supply chain security? Our new point of view explores the issues and potential solutions. The central recommendation is to take a holistic approach, making security – both in a physical and a cyber sense – a core part of your supply chain strategy and embedding security principles all the way across your supply chain network.
Of course, the question is how to turn this aspiration into reality. Our point of view recommends creating a single coordinating program office for supply chain security (and potentially a dedicated supply chain security risk officer too). This is important because the scale and complexity of supply chain security can often seem too big and overwhelming for any one part of the organization to get a handle on properly.
By creating a ‘center of gravity’ in a single team, the enterprise is better placed to bring all the relevant data together and get vastly better visibility of the security posture of all the nodes in the supply chain. That in turn means you understand the threats and weaknesses holistically, and expose risks that were previously hidden in fragmented data.
It also helps ensure you stay on your toes as an organization. The threats will keep evolving. But so will the enterprise. So you need to continuously account for the impact of new M&A, new operating models, and other changes, both within the enterprise and within suppliers.
Advanced technology is clearly a big part of the solution. Accenture’s latest supply chain pulse research shows that 84 percent of organizations now spend more than a fifth of their cybersecurity budgets on technologies like machine learning or robotic process automation. That’s more than double the proportion that said the same three years ago.
The main takeaway is that in today’s hyper-connected world the points of security vulnerability for connected enterprises will keep growing and keep changing. That’s why supply chain security is now an urgent priority for the C-suite agenda.