As more organisations go digital, the surface area for cyber attacks on global supply chains increases. Supply chain digitisation has been around for at least a decade, but its acceleration as a result of COVID-19 has also turbocharged supply chain cyber risks. 

The benefits of supply chain digitisation are clear for organisations. It can enhance the speed, visibility and flexibility of their intertwined supply chains. But this interconnectedness also offers modern-day criminals prime opportunities to attack and disrupt. 

The number of known malware attacks rose 11% in the first half of this year to 2.8bn, according to the 2022 SonicWall Cyber Threat Report, marking the first rise in global malware volume in more than three years. This amounts to an average of 8,240 malware attempts per customer. 

Chiefly, the financial sector was actively targeted, but cybercrime affects all industries. Today, there are no safe industries or countries as a result of geopolitical forces accelerating the reshaping of global cyber frontlines. 

Sean Sutton, Partner, UK cyber business, PwC, says: “The focus now on the resilience of supply chains is heightened because of geopolitical issues. That’s raised the question for many organisations around how resilient their supply chain is.”

This year’s IBM Security X-Force Threat Intelligence Index also shows how in 2021 ransomware actors attempted to “fracture” the backbone of global supply chains with attacks on manufacturing, which became that year’s most attacked industry (23%), dethroning financial services and insurance after a long reign.

Nowadays, supply chains are global and complex, interconnecting many organisations, suppliers and jurisdictions. Therefore, effectively protecting a supply chain can be difficult because vulnerabilities are often inherent, or introduced and exploited at any point. 

Sutton says there are a number of areas within a supply chain where a cyber incident could cause a problem, such as a direct attack on production facilities that would impact an organisation’s operational technology resulting in a plant shutdown. But external factors such as an attack on a supplier over which an organisation has little or no control can also substantially affect a company’s operations.

Some organisations are beginning to secure greater visibility over how external factors could disrupt their supply chains in a way that's more data driven, Sutton says. This allows business leaders to model certain scenarios and plan accordingly or accept the risks posed. But this ability is only at the fingertips of those highly digitised companies that have real-time data available to map out risk scenarios.

“Over the last few years organisations have been putting in systems that can provide that level of data and visibility, but it's probably not the norm. There's a way to go for organisations to digitise more of their supply chain and in doing so get better at pulling the data out of their supply chains to model scenarios,” Sutton says.

According to the 2016 Security Breaches Survey, very few UK businesses set minimum security standards for their suppliers. Things are progressing, however. The National Cyber Strategy 2022 found that in the past 12 months just over half of businesses (54%) are identifying cyber security risks and implementing a range of actions, where security monitoring tools (35%) were the most common. 

Qualitative interviews, however, found that limited board understanding meant the risk was often passed on to outsourced cyber providers, insurance companies or an internal cyber colleague.

The research also found that most businesses outsource their IT and cyber security to an external supplier, ostensibly because they want greater expertise and resources for cyber security. But only 13% of businesses assessed the risks posed by their immediate suppliers, with organisations saying that cyber security was not an important factor in the procurement process.

Esther Mallowah, Head of Tech Policy, ICAEW, says: “It is interesting to note that the 2022 cyber breaches survey highlighted that of the 10 key components in the government guidance on protecting an organisation, supply chain security surveyed the least favourably. This could reflect an inclination among businesses to leave responsibility for the cyber security of vendor-supplied products and services to suppliers. Businesses need to recognise and act on their roles and responsibilities for assessing and verifying the cyber security arrangements of their suppliers, and in working with them to effectively secure the supply chain.”

As part of the government’s National Cyber Strategy 2022, it is promoting approaches that build security into new technologies, making them “secure by design”. This will require greater investment from organisations, but also tighter regulation and legislation on behalf of the government to encourage more diverse, secure and resilient technology supply chains. 

In short, effective cyber security will depend on an active partnership between government, security agencies such as the enhanced National Cyber Security Centre (NSCS) and the private sector.

The NSCS suggests organisations approach supply chain cyber risk in a 12-step plan broken down into four key stages. They are: understand the risks; establish control; check your arrangements and continuously improve. 

Mallowah says: “One of the first things businesses need to do to secure their supply chain is to understand its composition and the risks associated with each supplier. This can be challenging as suppliers involved in the development and delivery of products and services may not always be visible to end customers. Supply chains can be complex and diverse, and customers may not know which parties are involved (including whether sub-contractors are used), or their level of cyber security. 

“When thinking about suppliers that can impact cyber security, consideration should not be limited to those that provide technology products and services, but it should include, for example, those to whom business processes are outsourced and who have access to organisational or client systems and data.”

It’s unlikely the world will ever eliminate cyber risk in supply chains. But understanding the threats, knowing what remedial action can be taken and continuously monitoring risk appetite and profile will ensure companies minimise the ever-prevalent threat. Government efforts to disrupt the cyber criminals will also need to be dramatically increased, however, to tackle the evolving threat.