Cybersecurity risk could soon become buying criteria for CSCOs

Nearly half (46%) of all cyber breaches impact businesses with fewer than 1,000 employees, according to StrongDM, which manage infrastructure for possible vulnerabilities. The firm added that 61% of small and midsized businesses were the target of a cyberattack in 2021.

When it comes to other types of attacks, such as ransomware attacks, SMBs are prime targets. More than 80% of such attacks were against companies with fewer than 1,000 employees, and of those with fewer than 100 employees, 37% were victimized in 2021.

Why are these numbers relevant to the supply chain? Because, simply put, supply chain businesses are not immune, and with 98% of businesses employing fewer than 500 employees, they are increasingly the target of thieves.

Cyber security becoming a must

Now, a recent survey from Gartner finds just how important cybersecurity has become for these businesses. According to the research firm, 60% of supply chain organizations plan to use cybersecurity risk as a “significant determinant” in conducting third-party transactions and business engagements by 2025.

This means chief supply chain officers (CSCOs) need to be on top of the latest threats in a quickly changing environment.

“Our survey data has shown an aggressive stance among CSCOs who are looking to invest in growth through multiple new technologies,” said Brian Schultz, senior director analyst in Gartner’s Supply Chain Practice. “However, each new technology introduces new partners, vendors and service providers into the digital supply chain. The implication for cybersecurity risk is an ever-growing number of new pathways to potential attacks from malicious parties.”

The results, which will be explained in further detail at the Gartner Supply Chain Symposium/XPO in Orlando, Florida, on May 9, are based on a survey of 499 supply chain leaders between October and December 2022.

A digitized supply chain adds new challenges

As the supply chain becomes more digitized, vulnerabilities are presenting new challenges. With thieves more likely to target small businesses without sophisticated cyber security protocols in place, the challenges are amplified for these businesses.

According to Schultz, CSCOs will need to revamp their third-party risk assessments of outside partners as part of a larger cybersecurity program with clear standards developed in collaboration with risk owners across the C-Suite, including the CIO, CISO and internal audit. The standards in the plan should specifically address:

• Up-to-date third-party cybersecurity standards

• Mechanisms for enforcement of these standards in contractual language via executed and amended contracts

• The development of an audit program to enforce the supply chain cybersecurity plan

“A supply chain cybersecurity program will play a significant role in future buying decisions and third-party risk mitigation,” said Schultz. “In addition, regular audit data from a supply chain cybersecurity program can serve as key performance indicators that can be reported to the board, auditors and business partners.”

Companies are not meeting minimum standards

A separate report by British cyber security business Risk Ledger identified concerns it said can lead to cyberattacks. These include 17% of businesses that do not enforce multi-factor authentication on remotely accessibly services, 23% that do not use “privileged access management” controls to securely manage the use of privileged accounts, and 20% that do not use a password manager.

“Companies rarely run security assurance against more than 10% of their immediate third-party suppliers, while visibility into the risks existing further down the chain remains almost non-existent,” explained Haydn Brooks, Risk Ledger CEO. “To improve this situation, better data and insights into the most prevalent weaknesses in the wider supplier ecosystem are needed, so that remedial efforts can become more focused.”

Other results from the Gartner survey indicated that one-third of respondents will utilize industry cloud platforms by 2026 and rapid growth of composable application architecture will occur during that time as well.

“CSCOs are under pressure to reduce costs, mitigate external disruptions and keep up with a rapidly changing technology landscape,” said Schultz. “In evaluating new technologies to drive growth and manage costs, a revamped approach to third-party risk assessment will be necessary to inform buying decisions, as a successful cyberattack on the supply chain is almost unique in its position to undo nearly all of the key objectives of CSCOs this year.”

SC
MR