Cyber attacks on digital supply chains are rising sharply. An attack can bring a business to its knees in a matter of seconds and cost millions. Do you know where your weakest link is?
Our technological powers increase, but the side effects and potential hazards also escalate. This is what writer and futurist Alvin Toffler predicted as early as 1971. Digital supply chains are a fitting example.
In a recent Accenture study, industry professionals named cyber security as their number one supply chain concern. No wonder. 60 percent of cyber attacks stem from the supply chain and 70 percent of companies have already experienced one.
IBM's X-Force 2016 Cyber Security Intelligence Index reveals that the number of cyber security breaches is growing by 64 percent every year. And they are expensive. A data breach costs an average of 6.5 million U.S. dollars. A recent cyber attack cost shipping company Maersk 300 million.
Numerous vulnerable points
But in half of the companies Accenture surveyed, there was no alignment between supply chain and cyber security operations. According to cyber security and privacy company F-Secure's expert Erka Koivunen, this is understandable.
Digitalization has blurred the line between how information is secured and how physical environments are secured. The term information security does not capture the physical and the information worlds that are increasingly merging.
'Companies have realised that it's not about logistics anymore, it is about cyber security', states Chief Information Security Officer Koivunen. Koivunen notes that the software industry has dealt with cyber security issues for the past 30 years.
But for others the learning curve has been steep. External manufacturers with access to the company's latest designs, telemetry data from a truck fleet, a maintenance service provider with access to a vendor portal, or an IoT machine that recognises, connects and sends data all pose a risk of cyber attack.
Figure: Industries experiencing the highest incident rates. Source: IBM X-Force 2016 Cyber Security Intelligence Index.
Not just an IT problem
Cyber attacks vary in nature. Threats can be born of simple human error or emerge from an advanced targeted attack. According to Koivunen, the end user and even many of the vendors have limited understanding of what the software in the box actually does or where all the hardware components in a product originate.
Malicious insertion can happen at any level. Luckily technology can also help to prevent cyber attacks. 'A disposable RFID tag can be enough of a proof that the item is the same one that was sent from a factory on the other side of the world and that it has been in trusted hands during its journey', says Koivunen.
According to Koivunen, effective cyber security is a people, process, and technology issue. It should be a board-level concern.
Every digital supply chain has its own weak links. It is a matter of creating a third-party security management framework that resists attempts to bypass procedures and alerts when the integrity of the supply chain is violated. Software vendors do this already with software signing, threat modeling and vulnerability assessments.
Choose your partners wisely
Cyber security highlights business partners' responsibility and professionalism. Trust and control are crucially important. 'Companies should choose their partners carefully. One must not rely on face value', warns Koivunen.
Complete attack prevention may be impossible, but bringing your ecosystem into lockstep with cyber security measures will help to keep possible breaches small and the business running.
5 steps towards a cyber-resilient digital supply chain
1. Identify weak links: do a comprehensive supply chain cybersecurity assessment.
2. Prioritize what to protect: allocate resources to protect the most valuable information.
3. Align strategies: risk management & cyber security strategies need to be aligned both internally and externally.
4. Build collaboration on cybersecurity into contractual agreements with third parties.
5. Operationalize the strategy: monitor, alert, respond & recover.
Sources: Accenture, MITRE, F-Secure, KPMG, Digital Supply Chain Institute.