End-to-End Cyber Risk Management and Investment: Part Four

Managing Cyber Risks in Global Supply Chains: The Four Fundamentals

Editor’s Note: This is the fourth installment of a six-part series on “Building a Cyber Secure Supply Chain.” Dan Pellathy is Assistant Professor of Operations & Supply Chain Management at the Seidman College of Business, Grand Valley State University.

University of Tennessee, Knoxville’s Global Supply Chain Institute (GSCI) research reveals most supply chain professionals don’t have a strong grasp of the cybersecurity fundamentals necessary for protecting their supply chains from risks. First and foremost of these fundamentals is understanding the nature of supply chain cyber risk.

The massive rise in remote work due to COVID-19 has prompted nearly 70 percent of enterprises to anticipate larger investments in cyber security. Unfortunately, our research suggests that despite these investments, companies without a strategy for end-to-end supply chain cyber security will remain vulnerable to attacks.

Past is Prologue: Supply Chain Integration is Still the Key

To succeed in an increasingly fragmented business environment, managers need to have a holistic view of the supply chain to make trade-offs that create value for all stakeholders. Lack of integration leads to a host of operational issues and ultimately diminished returns, both in the physical and cyber dimensions of the supply chain.

Despite the very real difficulty, the benchmark companies we spoke with make integration the foundation of everything they do in the supply chain, including cyber security, because it’s essential to an organization’s long-term growth. They invest in mapping their value streams from design to source, make, deliver, sell and service. As a result, they can fully articulate how products, cash and information are managed across physical and cyber environments.

Benchmark companies bring this visibility to their cyber security initiatives, providing supply chain partners with a clear understanding of the value put at risk by cyber threats. This makes partners far more likely to observe and help improve risk mitigation measures – such as data segmentation or strict access protocols – rather than work around them. Supply chain partners are also far more likely to share critical data, so advanced analytics can be used to spot vulnerabilities before they turn into costly security failures.

Investing in Supply Chain Cyber Security

Most of the time, managers take a functional (or at best organizational) perspective when making cyber security investments, ignoring the capabilities and incentives of their supply chain partners. That’s a serious problem. Research suggests that over 60 percent of data breaches are linked to third-party vendors.

Consider a large retailer that invests heavily to protect customer data, fearing a breach would badly damage reputation and trust. If that same retailer shares the data with suppliers who are much less concerned about a breach, the company allows backdoor access to their data and systems. Companies need to start thinking about cyber security investments outside the four walls of their organizations.

A first step is working with supply chain partners to identify cyber threats. As we noted in Part 2 of this series, the differences between targeted and opportunistic attackers, and the level of exposure to each, have significant implications for investments in supply chain cyber security. Companies that face targeted attacks often focus solely on protecting internal systems, which risks shifting an attacker’s attention to more vulnerable members of the supply chain. Companies that face opportunistic attacks tend to systematically underinvest in cyber security. Managers wrangle over the direct costs of protection but overlook the significant indirect benefits that come from a more secure supply chain. In this case, companies need to work with supply chain partners to help calibrate their decision making and better coordinate resources across stakeholders.

Putting Supply Chain Cyber Security Best Practices into Action

Defining and creating value for all stakeholders is the single biggest challenge to improving supply chain cyber security. Companies need to build visibility into end-to-end processes to determine how much supply chain value is put at risk by various kinds of strategic and opportunistic cyber threats. They then need to engage supply chain partners to help optimize the allocation of resources and mitigate any unintended consequences. Initiatives should focus on segmenting out critical systems, reducing network complexity, standardizing platforms and protocols, securing transition points, and then driving toward speed and scale. Although difficult, it is absolutely critical that firms develop integrated mechanisms for managing cyber security if they hope to capture the upside of digital transformation while limiting the downside of cyber risks.

Find a full explanation of each of the four fundamentals, along with 11 best practices, in the GSCI white paper, “Managing Cyber Risks in Global Supply Chains: The Four Fundamentals,” sponsored by Leidos and available for free download at https://haslam.utk.edu/gsci/publications.

About the Author

SCMR Staff