Is your supply chain ready for upstream and downstream cybersecurity?

When considering cybersecurity risk, is it truly enough for supply chain managers to focus solely on their own organization? The answer, according to a study by Amer Jazairy, Mazen Brho, Ila Manuj, and Thomas Goldby, is a clear no. Supply chain managers are being called upon to expand their focus both upstream and downstream. As cyberattacks increase in frequency and severity, the ripple effects often reach far beyond a single firm, impacting the entire network of partners and customers, which is why existing risk management models need to evolve to capture these unique threats.

Drawing insights from survey responses of 388 manufacturing supply chain managers in the U.S., the study highlighted several key takeaways that are especially relevant in today’s interconnected environment. Cybersecurity now spans the entire supply chain. It’s not just an IT problem or confined within company walls. Because modern supply chains are so interlinked, one weak point anywhere along the chain can open the door for threat actors to target more prominent businesses. Incidents like the SolarWinds and Maersk attacks are powerful reminders of how vulnerabilities in one organization can have cascading consequences for partners and customers alike. Supply chain managers must approach cybersecurity as a shared responsibility, one that is both upstream and downstream, touching every tier.

Many companies still pour their energy into defending their own digital perimeters, often overlooking the risks that come from suppliers and customers. However, there’s good news: placing greater importance on internal cyber integration lays a stronger foundation for effective collaboration across the network. Bringing together teams from procurement, logistics, IT, and other key functions facilitates coordinated detection and response. This unified internal stance makes reaching out to suppliers and customers easier and more effective, transforming isolated policies into a shared defense system.

What stands out most is that greater cyber integration with customers, rather than suppliers, leads to stronger resilience and robustness when facing cyberattacks. According to Dr. Jazairy of Texas A&M University at Galveston, “our research shows that internal cyber efforts can ripple outward—but it’s collaboration with customers that’s most closely linked to improved cyber resilience in the supply chain.”

Working closely with customers on cybersecurity—such as using secure data exchange, encrypted portals, or developing shared protocols for dealing with breaches—helps strengthen the entire chain. While supplier collaboration brings some benefits, the research found it did not have a direct impact on resilience or robustness. Instead, downstream integration with customers should be a top focus for anyone looking to build a truly secure supply chain. One reason for this could be that cybersecurity efforts with customers—such as secure data portals and shared protocols—are more formalized and directly tied to reputational and legal risks, prompting stronger collaboration. In contrast, supplier integration may fall short because of limited upstream cyber maturity, coordination challenges across varying readiness levels, and the tendency of firms to switch non-compliant suppliers before any deep cybersecurity alignment is achieved.

It’s also crucial for managers to adopt frameworks like NIST’s cybersecurity standards, but not just in the IT silo. Adapting these guidelines—identify, protect, detect, respond, recover—across all touchpoints in the supply chain helps frame cybersecurity as a company-wide, even network-wide, initiative. By customizing these principles to fit your unique network of partners and clients, cybersecurity becomes much more than a box to check.

One major lesson here is that internal alignment for cybersecurity is the backbone of external preparedness. When there is consistent coordination across functions like procurement, logistics, and IT inside your organization, you are much better prepared to build meaningful partnerships and protocols with outside partners downstream. If everyone is on the same page internally, connecting those dots externally moves from theory to reality.

In summary, customer integration matters more than supplier integration for boosting supply chain strength, particularly in the face of cyber threats —at least based on how the patterns played out in this study. Focusing on customer data protection, encryption, and secure communication portals directly improves cyber resilience and robustness. Supply chain managers should also tailor the NIST framework to their network’s needs, treating cybersecurity as a strategic priority rather than just an IT concern. And, critically, both resilience—the ability to recover and adapt—and robustness—the ability to keep operating even during an attack—must be targeted together, with coordinated effort both inside the organization and with your business partners, especially downstream ones.

About the author:

Christopher Dalton is a recent graduate of the University of Tennessee Knoxville’s Supply Chain Management program.

SC
MR