Supply Chain Technology Gains Lead to Security Concerns

Various technologies, including artificial intelligence (AI), big data, analytics, and blockchain, are dramatically changing how the supply chain works. It’s faster, more accurate, and more predictive than ever before. It’s all good. Or is it? With these advances comes at least one major pothole: increased cybersecurity risk. A connected supply chain provides skilled cyber criminals with more attack vectors and a richer reward, potentially across multiple organizations. This makes supply chains an irresistible target.

Cyberattacks are inevitable

As supply chain cyberattacks become increasingly common, organizations must expect an attack and plan how to respond rather than work only to prevent the attack. In short, cyberattacks are a matter of “when” rather than “if.”

Gartner, in its 2022 “Thriving Amid Heightened Complexities Supply Chain Survey” [1], found that 31% of those polled reported that at some point in the past two years, they had experienced a cyberattack that affected supply chain operations. The market research firm predicts that this figure will rise 45% by 2025 [2]. While human error remains a common attack vector, through anything from phishing attacks via email to getting someone to pick up and plug in an infected thumb drive, ransomware and other extortion-related threats are on the rise as well, up 180% over last year, according to Verizon’s 2024 Data Breach Investigations Report (DBIR) [3] (Figure 1).

Figure 1: Human beings remain the most vulnerable access point, and ransomware and extortion are becoming increasingly common. (Image source: Verizon DBIR)

These sorts of breaches are costly in terms of time and money. The average cost of an industry security breach rose to $16.2 million per organization, with a median time to incident containment of 86 days, according to the 2023 Cost of Insider Risks Global Report by the Ponemon Institute [4]. Compare that to the prior year's statistics of $15.4 million and 85 days. These statistics don’t even consider the cost to an organization’s brand.

Cyberattacks regularly appear in the headlines, and the high-tech and manufacturing sectors are significant targets. Last year, manufacturing organizations were the most highly targeted by cybercriminals (Figure 2). With recent technology developments, cybersecurity is now crucial to an organization’s success. Realizing this, companies have been gradually increasing their cybersecurity investments. In 2025, worldwide cybersecurity spending is forecast to total $212 billion, an increase of 15.1% over 2024 [5].

Figure 2: Last year, manufacturing organizations were the most highly targeted by cybercriminals. (Image source: Statistica)

Security best practices

In this vibrant and changing environment, procurement departments must prioritize cybersecurity measures in ways that include internal employees, customers, and vendors across the supply chain. Within the organization, cybersecurity must stay top-of-mind and be considered during regular risk assessments. It's essential to foster cyber awareness and invest in cybersecurity resilience. Some best practices include:

  • Data encryption: Encrypt all data types using the Advanced Encryption Standard (AES). The U.S. government has chosen this symmetric block cipher to protect classified information.
  • Secure employee credentials and access: Humans are fallible, so enforce training and regular reminders. Staff, a company’s first line of defense, must be able to spot phishing emails and suspicious links and protect their logins.
  • Train for real life: Make employees aware of real scenarios along with information about how those cyberattacks impacted a company and its partners. Provide regular updates about new attacks: vibrant information is more readily retained.
  • Undergo penetration testing: Hire an expert to scan for vulnerabilities and address them before they are exploited. Update weak passwords, and secure databases, endpoints, and networks.
  • Plan for problems: Create and maintain a straightforward and workable incident response plan with deployable remediation actions. Test it regularly.

The path for partners

Just as important as prioritizing in-house cybersecurity is ensuring that the information security strategies of partners, both tier one and below, are in place. Develop an information security checklist and make sure your partners comply. Also, encourage them to push these good practices deeper into the supply chain. The CSA Cloud Controls Matrix offers 197 control objectives in 17 domains that cover critical aspects of cloud security and compliance [6]. Your partners, if they are vulnerable, are vectors for attacks that may let a bad actor into your organization.

Security is like a game of leapfrog. As soon as the good guys create a new way to secure systems and data, the bad guys figure out a way to break into it. With the increasing use of advanced technology, vigilance and adherence to best practices are crucial to staying safe.

References

1: https://www.scmr.com/article/tackling_hidden_risks_in_the_supply_chain_insights_for_procurement_leaders

2: https://aratum.com/perspective/emerging-threats-in-supply-chain-cybersecurity-in-2024/

3: https://www.verizon.com/business/resources/reports/dbir/

4: https://ponemonsullivanreport.com/2023/10/cost-of-insider-risks-global-report-2023/

5: https://www.gartner.com/en/newsroom/press-releases/2024-08-28-gartner-forecasts-global-information-security-spending-to-grow-15-percent-in-2025

6: https://cloudsecurityalliance.org/research/cloud-controls-matrix

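About this author

Hailey Lynne McKeefry is a freelance writer focusing on supply chain topics, with a deep background in the electronic components industry. Hailey was formerly editor-in-chief of EBN, "the premier online community for supply chain professionals," and has held a number of editorial and leadership roles over her career. In her spare time she is also a deacon, fulfilling her wish to serve as a chaplain and bereavement counselor.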
