Practical ways to alleviate cyber risk
Addressing the challenges facing cybersecurity efforts within supply chains.
Editor's Note: This story is part of a spotlight series on supply chain risk management.
Cybersecurity is a critical issue facing supply chains, and as cyberattacks become more frequent and intense, companies that ignore cybersecurity — especially within their supply chains — will compromise both their operations and the inherent trust necessary to protect their bottom lines. As the recent example with Maersk indicates, not only can a cyberattack shut down operations, but it can also cost a company millions of dollars as it loses business, devotes extra resources to getting systems back online, and then upgrades its security measures so that it won’t be hacked again.
To avoid falling into the same trap as Maersk, education on the sophistication of cybercrime is critical, as is taking appropriate action: as recent examples show, cyberattacks aren’t just annoying minor setbacks anymore — they’re now causing serious damage to business operations and costing companies millions of dollars.
In a 2016 cybercrime report, Cyber Ventures predicted cybercrime will cost the world “in excess” of $6 trillion by 2021, and cybercrime costs will exceed $5 billion by the end of this year, up from $325 million in 2015. But there are several challenges companies need to overcome in order to effectively protect themselves.
Educate your suppliers on cyber risk
Alphus Hinds, Head of Cyber Risk and Security at the Tungsten Network, a global electronic invoicing firm, said education is a huge problem when it comes to cybercrime: companies just aren’t keeping up to date on what they need to know to protect themselves from security breaches.
Hinds said the first thing companies can do to mitigate cyber risk is simply to educate themselves on cybercrime and risk. According to Hinds, many companies don’t approach cyber risk appropriately simply because they don’t understand its impact.
“One of the weaknesses is, it’s not a boardroom discussion,” Hinds told Supply Chain Dive. “People put it on the back burner, but it’s coming to the forefront now because it’s affecting the bottom line.”
One way to address the lack of education, Hinds said, is to have a set of competency standards with which every stage of a supply chain must comply. Supply chains are especially at risk for cyber attacks because there are so many moving parts.
“In the UK, we have cyber credentials for smaller companies to benchmark where they are,” said Hinds, who is based in the UK. “It’s part of their due diligence for large companies to make sure their suppliers are secure.”
Hinds said that UK companies even give their suppliers cybersecurity questionnaires before signing a contract to make sure potential suppliers won’t become fatally weak links in supply chains. But sometimes it’s difficult to discuss cybersecurity with suppliers based in foreign countries, as different countries have different laws and definitions regarding cyber crime.
“One of the hardest parts is attribution, who committed the crime and where he committed it from, and it’s very difficult to pinpoint, and this extenuates to what type of crime is being committed, because it could be from your bedroom, or it could be organized, or it could be a national attack,” Hinds said. “So then the question becomes, is this an act of war or not an act of war, should there be retaliation?”
Hinds’ recommendation is, “Education, education, education.” Once companies begin to properly educate themselves on cyber risk and crime, Hinds believes they will then start taking proper security measures.
Hold suppliers to accountability standards
But Adnan Amjad, a partner with Deloitte Risk and Financial Advisory, said education only goes so far, because another challenge facing companies is cybersecurity accountability within their supply chains.
If suppliers and smaller companies within a larger company’s supply chain can’t be held accountable for their cybersecurity methods, then it doesn’t matter how much they know about it, the company’s supply chain is still at risk.
“You have to have a process in place to verify that these controls are in place,” Amjad said. “They don’t have a mechanism to validate it.”
Some companies are already tackling the issue of accountability by hiring third-party risk management, Amjad said, but one simple way to verify that your suppliers are competently protecting themselves against cyber crime is to ask them directly if they’re using certain protective systems.
“The NIST framework is very popular across sectors and it has security guidelines, and I think starting with that and saying, ‘are you following the NIST framework,’ and people can easily answer whether they follow that standard or not, and then making sure the entity you’re working with understands that there will be a process,” Amjad told Supply Chain Dive.
Another potential hiccup is allocating responsibility for cybersecurity within supply chains. Sometimes it seems easier for an IT employee to head up cybersecurity, but Amjad said the best case scenario is to find someone who understands how a company’s supply chain works while managing cybersecurity measures.
“I don’t think people have solved that riddle, but it needs to be somebody, there needs to be accountability,” Amjad said. “What’s not necessarily clear is who is supposed to be in charge of making sure safety controls are in place in all stages of operation and supply chain. I think it needs to be controlled by the business, but the expertise pulled from the IT and supply chain organizations.”
Updating old security systems should be a top priority
A third challenge for companies is finding a way to update old security systems that no longer adequately handle cyber threats. As Maersk’s example showed, an outdated security system is as dangerous as having no security system at all.
One new way companies can better protect their supply chains from cyberattacks and also streamline their supply chain processes is by installing a blockchain system. Right now blockchain is considered virtually unhackable, so if a company builds smart contract applications on top of blockchains to secure transactions and track goods within its supply chain, it will be much more secure — and efficient — than the average company.
A smart contract is an application written in code that executes certain conditions of a contract between two people. Alex Manders, a blockchain researcher with technology and advisory firm ISG, told Supply Chain Dive that smart contracts can eliminate the need for physical, written contracts between parties, and also ensure that contracts are properly fulfilled — because they’re written in computer code.
“I think that’s why the shipping industry and supply chains are looking more seriously at blockchains,” Manders said. “Think about every contract written within a supply chain for the transmission of goods, and all the accounting treatments and legal disputes and all the manual intermediary functions that have to occur, now think about automating every single legal contract and accounting treatment with a line of code — that’s a smart contract.”
Protecting one’s supply chain from cyber risk, therefore, takes much more than just restarting your security systems with the latest upgrade. For some companies, it may mean coding a blockchain. For other companies, it means brainstorming accountability options to make sure the supply chain is secure and enforcing certain cybersecurity standards at every level of the supply chain. Other companies, as Hinds asserts, need to focus on educating themselves on the risks and start discussing cyber risks at the boardroom level — because the risks are that grave.
Eventually, transferring transactions from pen-and-paper and Microsoft Word documents and Excel spreadsheets into coded smart contracts may be the most secure way to protect a supply chain from security breaches.
Manders believes blockchain may soon be used by most companies, simply because it is so efficient and secure. Because cybercrime is no longer a risk a company can take without sales and operations being severely affected, blockchain may be the most suitable solution for many companies.
“The security systems around a blockchain are immutable,” Manders said.
Follow Kate Patrick on Twitter