4 Supply Chain Security Threats and How to Handle Them
According to a new ISACA survey, supply chain security threats have soared over the last two years, presenting challenges to enterprises and consumers alike.
A quarter of those surveyed said their supply chain experienced an attack in the last year. As a result of that and well-publicized supply chain delays due to a host of issues, security is at the forefront of supply chain security leaders’ minds today.
Thirty percent of respondents say that their organization’s leaders do not sufficiently understand supply chain risks. Only 44% have high confidence in the security of their organization’s supply chain, and the same percentage has high confidence in the access controls throughout their supply chain.
“Our supply chains have always been vulnerable, but the COVID-19 pandemic further revealed the extent to which they are at risk from a number of factors, including security threats,” said Rob Clyde, former board chair of ISACA, when announcing the survey results. “It is crucial for enterprises to take the time to understand this evolving risk landscape, as well as to examine the security gaps that may exist within their organization that need to be prioritized and addressed.”
What Is Supply Chain Security?
Supply chain security refers to risk management of chain supply and operations, which may include, but is not limited to external suppliers, vendors, logistics and transportation with the goal of identifying, assessing and mitigating threats to disruption or risks related to coordination with external parties. This includes both physical security for products and processes, and cybersecurity for software and services. Guidelines and best practices vary by industry.
Danny Ramon, intelligence and response manager at Overhaul, offers a slightly different definition: “Supply chain security is knowing where your freight is, and in what condition — at all times. It also means knowing what context your shipments are traveling in, whether they will be impacted by labor disputes, capacity constraints, weather, infrastructure issues, civil unrest or specific criminal threats anywhere along its journey so that you are sure your freight will arrive intact and undamaged at its intended destination.”
Though the definitions differ somewhat, they all agree that supply chain security includes several parts that must be addressed to ensure that products move safely and securely from the origination point to their destination.
Supply Chain Security Risks
Supply chain security risks arise primarily from a handful of supply chain security threats.
Cybersecurity threats are generally not accidental but malicious in nature and can stem from ransomware by cybercriminals looking to make a quick profit by holding a well-researched, vulnerable, essential target for money, an act of sabotage by a competitor or an act of war by an adversary, particularly at times of heightened tensions or conflict.
“The supply chain has become increasingly attractive to cyber criminals in recent years due to the significant economical and reputational impact of disruptions, making these types of attacks more lucrative to hackers,” added Joe Schloesser, a vice president at ISN. “Going forward, I expect to see a rise in the number of cryptocurrency-related attacks, as well as more large-scale data breaches and higher ransom demands post-attack.”
While cybercriminals increase the sophistication of their attacks and exploit human-based errors, businesses will need to implement more thorough technological solutions to protect their supply chains, Schloesser added. “Currently, there’s a lack of proper due diligence when it comes to monitoring security plans. However, I anticipate seeing more businesses turn to the solutions of the cloud and managed service providers to better protect their environments. I foresee more businesses leveraging inventory management technology throughout the shipping, tracking and transportation processes in order to communicate more sensitive information and create a secure environment through the supply chain.”
Lack of Visibility
Direct threats to supply chain security include lack of visibility and businesses not having a handle on their inventory, said Melanie Nuce, senior vice president for innovation and partnership at GS1 US. “Inventory management is important because it directly impacts the bottom line and is key to generating maximum profits. Too little inventory, and a business can’t keep up with sales. Too much inventory, and overhead expenses increase. Having an accurate handle on inventory enables a business to become more resilient and know what they can sell, when they can sell it and for how much, helping avoid/mitigate out-of-stock scenarios.”
When sellers do not have a complete view of their inventory, they don’t have a clear picture of what they can sell, which can create unhappy customers and negatively affect the business, Nuce added. For example, 03/04/2022 represents March 4 in the U.S. but April 3 in the U.K.
Physical threats are perhaps the most challenging and overt supply chain security risks that can occur at various points, according to Robert Dodge, CEO of Prosegur Global Risk. “Threats such as product/inventory theft which can be both from internal employees or external organized crime elements, counterfeit products and smuggling are global challenges that have illegally infiltrated legitimate supply chains globally. Piracy is one of the oldest threats to supply chains and continues to be active in certain regions of the world.”
While a company’s own security can be pristine, it has supply chain security risk due to the involvement of third-party vendors, said Richard Gardner, CEO of Modulus.
“It is necessary to run third-party risk assessments in order to understand the risk profile attached to vendors, Gardner said. “This includes mandating penetration testing of vendor infrastructure. Beyond that, the best way to defend against supply chain attacks is to plan for a breach before it happens. This includes encrypting data, especially data that is exposed to integration with third parties.”
Besides those above, other common supply chain security risks include deliberate or accidental process disruptions, intellectual property theft, noncompliance with regulatory security standards, and supplier fraud.
While there is no silver bullet to handle all of these supply chain security threats, real-time, granular visibility into your supply chain can mitigate a large share of risk, according to Ramon. “Coupled with properly implemented best practices and contextual intelligence, you can harden your supply chain to the point that thieves are likely to move on to softer targets.”