Securing supply chains: Navigating risks in the evolving threat landscape

Across the interconnected global economy, complex supply chains ensure the seamless flow of goods and services across every industry. However, as cyber threats continue to evolve, organizations throughout this ecosystem are, often unknowingly, being exposed to more and more security risks as a direct result of being part of the chain. This creates a range of critical challenges for organizations whose very existence is dependent on the reliability and integrity of their supply chains at all their various levels.

Understanding the various stages of contemporary supply chains -- from material sourcing to manufacturing, transportation, warehousing, and distribution -- is essential for identifying potential vulnerabilities, with each stage susceptible to different types of risks.

During manufacturing, for example, machinery, systems, and production processes can potentially be compromised by malware or insider threats. The 2017 attack on Mondelez, maker of Cadbury, Ritz Crackers and Oreos, among many other food and beverage brands, locked 1,700 servers and 24,000 laptops and left the business with a $100 million+ bill for downtime, lost profits and remediation costs. As such, it remains among the most high-profile manufacturing breaches revealed to date.

Further along the chain, transportation and logistics businesses face risks related to delays and route optimization, while warehousing might struggle with inventory mismanagement if they find themselves on the receiving end of a successful attack. For instance, the operations of Expeditors, a multibillion-dollar logistics giant, were impacted last year following a cyber-attack. The company is reported to have "shut down most of their operating systems globally" following the incident and that several days later, it was "still struggling to recover."

Worryingly, the risks facing increasingly complex and digitally dependent modern supply chains are also compounded by an evolving threat landscape. With the rise in cyber-attacks, data breaches, intellectual property theft, and application integrity challenges, supply chains are under continual scrutiny by threat actors who are looking for the easiest way into a chain that leads them to their ultimate target. As a result, the increasing sophistication of these attacks and complexity of supply chains meeting 'just in time' demand mean organizations must work even harder to stay ahead of the risks, and assure that it is not only their business that they are protecting, but also ensuring their supply chain members are protecting consumer data, minimizing risk, and maintaining trust.

Delivering proactive protection

One of the ways many businesses choose to address their cyber security postures is by outsourcing to a specialist partner. In fact, the latest UK Government Cyber Security Breaches Survey reports that just under four in 10 businesses (36 percent) have an external cyber security provider. Despite the benefits this approach can deliver, from a supply chain perspective, the problem is even greater -- just over one in 10 businesses say they review the risks posed by their immediate suppliers.

The implications of this are serious, not least because the relative lack of assessment and control can lead to an increased average cost in case of supply chain compromise, which, according to IBM’s Cost of Data Breach report, stood at $4.46 million in 2022.

To address these risks, organizations must work with their partners and focus in-house teams on delivering a proactive and holistic security strategy encompassing continuous monitoring, risk-based resource allocation, and employee education. This involves implementing proven technologies and processes, including multi-factor authentication, timely patch management, and cultivating a culture of security awareness throughout the supply chain. These should be supplemented by comprehensive incident response planning and periodic evaluations of security protocols to ensure security teams can remain on the front foot at all times.

In addition, adhering to international standards and assuring that members of the supply chain meet minimum, proven levels of certification such as Cyber Essentials Plus or ISO 27001 can enhance credibility and maximize the impact of security measures. But ultimately, building a collaborative approach with suppliers and stakeholders is crucial to minimizing risk and, in the event of a breach, mitigating potential impact and ensuring operations can be recovered with minimal disruption and financial cost. This includes conducting regular audits, security assessments and due diligence while establishing multi-tier collaborations, which involve not just immediate suppliers but also sub-suppliers. This approach can deliver insights into security postures and risks across the overall supply chain.

Looking further ahead, the opportunities and challenges will continue to develop. As emerging technologies such as the Internet of Things (IoT) are rapidly integrated into supply chain operations, the potential for new attack vectors also grows. Integrating these technologies into supply chain operations must also be accompanied by sound governance and risk management frameworks.

In response, the rise of AI-powered security technologies and the use of threat intelligence can help teams leverage their analytical prowess to boost predictive analysis and threat detection. This, of course, represents something of a double-edged sword as threat actors are already drawing on the increasingly powerful capabilities delivered by generative AI systems to increase the effectiveness of their attack strategies, while hiding even deeper underground to reduce discovery of their intentions and actions.

Ultimately, the importance of organizations throughout the various local and international supply chains means they will remain targets for disruptive attacks. As the old adage goes, the supply chain is only as strong as its weakest link, and it is that weak link that will be targeted to compromise the whole chain. However, organizations that focus on maintaining a proactive approach to their end to end security strategy will put themselves in the best position to protect their systems and ensure business performance isn’t compromised by potentially avoidable breaches.

Image credit: Chan2545/depositphotos.com

Robert Sugrue is Cyber Security Director at Six Degrees.