Editor’s Note: This is the second installment of a six-part series on “Building a Cyber Secure Supply Chain.” Dan Pellathy is Assistant Professor of Operations & Supply Chain Management at the Seidman College of Business, Grand Valley State University.

University of Tennessee, Knoxville’s Global Supply Chain Institute (GSCI) research reveals that most supply chain professionals don’t have a strong grasp of the cybersecurity fundamentals necessary to protect their supply chains from risk. First among these fundamentals is understanding the nature of supply chain cyber risk.
What is Cyber Risk?
Cyber risk refers to activity in a cyberspace environment that carries the potential for loss or damage to information, technology, and/or operations. Every cyberspace environment incorporates both the technology and the people using it, and cyber risk arises when either component fails. Cyber attackers are one source of such failure, but so is simple mismanagement of information and technology.
Sources of Supply Chain Cyber Risk
Most managers understand cyber risks from external attacks such as malware, fraud, denial of service, ransomware, and phishing. The various sources of cyber risks from mismanagement are murkier. Our conversations with 30 company leaders and cybersecurity experts suggest organizations can begin identifying their sources of supply chain cyber risk by asking three simple questions: Who? How? What?
Who Introduces Risk? Individuals within a company’s end-to-end supply chain often introduce risk with no malicious intentions, such as individuals accidentally sharing sensitive data. Cloud computing also opens up new risks related to user access, regulatory compliance, data location and availability, and disaster recovery. None of these risks come from bad actors.
Cyber attackers are out there, however, and companies need to know what kinds of attackers they face. Targeted attackers and opportunistic attackers have distinct motives that lead them to use different tactics to achieve their goals. The differences between these attackers, and the level of exposure to each, have significant implications for investments in supply chain cybersecurity.
How Can Information Get Out? Examining how attackers get in, or how information can get out, also reveals sources of cyber risk. Most organizations focus on securing their own management information systems but overlook the weak links and easy back-door entry points at their supply chain partners. Those partners (suppliers, distributors, retailers) can expose a wide range of customer and product information. We found, for example, that cybersecurity is a particular challenge for manufacturers using emerging technologies, where design weaknesses have yet to be fully identified or production controls put in place.
Creating a detailed map of the end-to-end supply chain lets a company develop a holistic view of critical vulnerabilities that considers both the technological and human components of the cyber environment. Because cyber risk concentrates at supply chain interfaces, companies need to work with external partners to establish clear roles and responsibilities across the systems that link suppliers, customers, internal supply chain functions, and other business interfaces.
What is at Risk? We found that supply chain cybersecurity risk centers on four main types of processes, those managing:
- Information about demand
- Physical flows of goods
- Financial flows
- Order management.
Within these overarching processes, more specific functional sub-processes often rely on systems that are particularly exposed to cyber risk. Our research suggests that the devices and networks used to manage these processes are especially vulnerable to attacks such as password sniffing and cracking, spoofing, and direct intrusion.
Physical assets throughout the supply chain can also be at risk; for example, attackers may reach a product through one of its technology or software components. Unprotected RFID tags and readers are vulnerable to eavesdropping, unauthorized tracking, insertion of fraudulent tags and readers, and other forms of tampering. Outsourcing the physical and digital components of the cyber environment can also be a significant source of risk.
After identifying your supply chain’s cyber risks, the next step is quantifying their probabilities and expected losses. Statistical techniques such as Monte Carlo simulation can establish a range of expected losses over a given timeframe and support informed cybersecurity investment decisions. This process must be undertaken with the close involvement of supply chain partners, and supply chain managers need to remember that cyber risk management is never static: it is a continuous process driven by the dynamic nature of the cyberspace environment.
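To make the quantification step concrete, here is a small Monte Carlo simulation of annual supply chain cyber losses. It is an added example written for this page, not code from the article or from the GSCI white paper; the three scenarios, their event frequencies and their loss figures are constructed for illustration and are not research findings. Each scenario is modeled as a Poisson event frequency with a lognormal per-event loss, the simulation draws many independent years, and the summary reports the expected annual loss alongside tail percentiles, which is what an investment decision actually needs.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario: Poisson event frequency (events per year) and a
    lognormal per-event loss parameterised by its median and log-scale spread."""
    name: str
    events_per_year: float
    median_loss: float
    loss_sigma: float


# Constructed illustration values, not figures from the article or the GSCI white paper.
SCENARIOS = [
    Scenario("ransomware at a tier-1 supplier halts inbound flow", 0.3, 400_000.0, 1.0),
    Scenario("phishing-driven invoice fraud in financial flows", 2.0, 25_000.0, 0.7),
    Scenario("RFID tag tampering causes mis-shipped goods", 0.5, 60_000.0, 0.6),
]


def poisson(rate: float, rng: random.Random) -> int:
    """Number of events in one year (Knuth's algorithm; fine for small rates)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def loss_per_event(scenario: Scenario, rng: random.Random) -> float:
    """Draw one per-event loss from a lognormal with the scenario's median and spread."""
    return rng.lognormvariate(math.log(scenario.median_loss), scenario.loss_sigma)


def simulate_annual_losses(scenarios, years=20_000, seed=1):
    """Simulate `years` independent years and return the total loss in each."""
    rng = random.Random(seed)  # seeded so a run is reproducible
    annual = []
    for _ in range(years):
        total = 0.0
        for scenario in scenarios:
            for _ in range(poisson(scenario.events_per_year, rng)):
                total += loss_per_event(scenario, rng)
        annual.append(total)
    return annual


def summarize(annual):
    """Expected annual loss plus the tail percentiles that drive investment decisions."""
    ordered = sorted(annual)

    def percentile(p):
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {
        "expected_annual_loss": statistics.fmean(annual),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p95": percentile(0.95),
        "worst_simulated_year": ordered[-1],
    }


def expected_annual_loss_analytic(scenarios):
    """Closed form E[annual loss] = sum(rate * median * exp(sigma^2 / 2)),
    used to sanity-check the simulation output."""
    return sum(s.events_per_year * s.median_loss * math.exp(s.loss_sigma ** 2 / 2)
               for s in scenarios)


if __name__ == "__main__":
    stats = summarize(simulate_annual_losses(SCENARIOS))
    print(f"analytic expected loss: {expected_annual_loss_analytic(SCENARIOS):,.0f}")
    for key, value in stats.items():
        print(f"{key:>22}: {value:,.0f}")
```

The expected annual loss on its own understates the problem: the p90 and p95 rows show what a single bad year can cost, and it is that tail, not the mean, that a control such as verified supplier backups or out-of-band payment confirmation is bought to reduce. Re-run the simulation with a scenario's frequency or median loss lowered to the level a proposed control is expected to achieve and compare the two tails; the difference is the benefit side of the investment case. The frequencies and loss distributions should come from the partners who operate each interface, which is why the article insists the exercise be done jointly.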
Find a full explanation of each of the four fundamentals, along with 11 best practices in the GSCI white paper, “Managing Cyber Risks in Global Supply Chains: The Four Fundamentals,” available for free download at https://haslam.utk.edu/gsci/publications.