Editor’s Note: This is the first of a six-part series on “Building a Cyber Secure Supply Chain.” Dan Pellathy is Assistant Professor of Operations & Supply Chain Management at the Seidman College of Business, Grand Valley State University. Mike Burnette is a Distinguished Fellow, Global Supply Chain Institute.
Over the last 10 years, supply chains have increasingly turned to digitalization, automation, and technological integration in an effort to cut costs while responding to fast-changing customer markets. The competitive necessity of adopting these technologies is undeniable — but so are the risks.
Technological advances expose supply chains to cyber risks that can have a major impact on everything from operations to brand perception and consumer trust. In their rush to meet the challenge of supporting profit targets while moving into new markets, most business and supply chain leaders have overlooked these risks.
Cybersecurity is now one of the top challenges facing supply chain and business leaders. All too often, leaders have the attitude that “IT handles cyber”: as long as the business and supply chain systems seem to be running, all is going well. Nothing could be further from the truth. Leaders need to educate themselves and start getting serious about cybersecurity.
Supply Chain Cybersecurity Fundamentals
Data suggest that over 60 percent of cybersecurity issues occur in third parties working in supply chains. Despite these risks, companies continue to view cybersecurity as something that happens within the confines of their four walls. A company-centered approach to cybersecurity systematically exposes critical operations and valuable data to attack and can actually increase an organization’s vulnerability.
To that end, new applied research from the University of Tennessee, Knoxville’s Global Supply Chain Institute (GSCI) offers four fundamentals for tackling cybersecurity in the supply chain:
- Understanding the nature of cyber risks in the supply chain
- Developing a culture of cyber risk management
- Integrating with key partners to manage cyber risks in the supply chain
- Deciding where (and how much) to invest in protecting the supply chain
We interviewed 30 company leaders and cybersecurity experts to identify these fundamentals and provide supply chain managers with a starting point for building a cyber secure supply chain.
Benchmark Supply Chain Cyber Strategy
Benchmark companies we interviewed recognize cybersecurity is an ongoing business concern that requires the participation of their end-to-end supply chain. These companies have robust systems for assessing and improving the cybersecurity capabilities of suppliers, contract manufacturers, and 3PLs. They do not emphasize punitive measures based on compliance with onerous protocols. Rather, they take a development approach that emphasizes increasing the maturity of partners’ cyber risk management programs.
Cyber risks increase at supply chain interfaces. Benchmark companies work with external partners to establish clear roles and responsibilities throughout the systems that link suppliers, customers, internal supply chain functions, and other business interfaces. Clarity of ownership drives accountability in cybersecurity maintenance and gives visibility into who has access to systems, why they have it, and how that access was granted. These measures rest on top of a cyber risk management culture that is supported from the top.
In short, benchmark companies understand that cybersecurity needs to be the work of the entire organization in collaboration with supply chain partners. This kind of end-to-end cyber strategy ensures that different internal and external groups are working together to solve problems and deliver common goals. Moreover, it protects investments in cybersecurity by ensuring that resources are put toward protecting the most vulnerable points of the supply chain as a whole.
Cybersecurity is only as strong as the weakest link in the supply chain. Fortunately, supply chain professionals possess many of the capabilities needed to take an end-to-end approach to cybersecurity, including goal setting, action planning, problem solving, and collaborative decision-making. They now need to put these capabilities into action by developing and executing a cybersecurity strategy that supports the value-creation goals of their supply chain. In the articles that follow, we’ll dive into each of the four supply chain cybersecurity fundamentals and outline best practices and a checklist for creating better supply chain cybersecurity.
Find a full explanation of each fundamental, along with 11 best practices, in the GSCI white paper, “Managing Cyber Risks in Global Supply Chains: The Four Fundamentals,” available for free download at https://haslam.utk.edu/gsci/publications.