Recently, a Chinese surveillance balloon, which had been floating for days over the United States, was shot down by the U.S. military over concerns that the aircraft was an “audacious attempt by Beijing to collect intelligence about sensitive American military sites,” reports The Washington Post. For its part, the Chinese government claimed the balloon was blown off course while collecting weather data. In another Post article, cybersecurity expert Tim Starks points out, “While details about the balloon's spying capabilities remain unknown, experts say they probably pale in comparison to the amount of information China has collected via cyberespionage against the United States over the years.”
Of course, the United States isn’t the only nation to be threatened by this type of incident. Over the past few years, Chinese government-backed hacking groups attacked hospital computer systems in Europe; sent phishing emails to government employees in Australia; and targeted several entities in Malaysia with reconnaissance malware, to name just a few.
China isn’t alone in its attempts to steal sensitive information. The Russian government and other state-supported actors have infiltrated countless security firewalls to seize information, disrupt democratic processes and sow discontent across the globe — including in Ukraine, where Russia has also been waging a ground war for more than a year.
According to the latest PwC Pulse Survey about global risk, which surveyed 3,500 business leaders, a catastrophic cyberattack is the top scenario in 2023 resilience plans. The majority of the surveyed C-suite executives are increasing their overall spending on risk management technology, and 75% believe having technology systems that do not work together is a significant risk-management challenge.
These challenges can feel even more acute in supply chain. “Managing cybersecurity supply chain risk requires ensuring the integrity, security, quality and resilience of the supply chain and its products and services,” per the National Institute of Standards and Technology. The organization defines a cyberattack as including “theft of intellectual property, insertion of counterfeits, unauthorized production, tampering, theft of hardware, insertion of malicious software and hardware, data leaks, information system breaches, as well as poor development and manufacturing practices.”
Addressing cybersecurity risk requires significant investment and buy-in from stakeholders and executives. Unfortunately, too few of them understand the necessity of security practices — or the implications; many others believe cybersecurity is an “IT problem.” But the fact is, safety is everyone’s responsibility.
Amy Augustine, CSCP, senior director, network supply chain at USCellular, says preparedness is the crucial first step. “You need to have a cyber security plan in place. Supply chains are the heart and lungs of any organization. If your supply chain is hacked or information stolen, it will come to a screeching halt.” Because there are so many moving parts up and down the supply chain, there are that many more opportunities to be infiltrated.
Last year, Toyota experienced just such an infiltration. A cyberattack on its supplier of plastic parts and electric components forced the automobile manufacturer to shut down factory operations, losing around 13,000 cars of output.
The fact that supply chains are becoming ever more digital makes incidents more likely and preparation more urgent. “The more virtually connected the world becomes, the more cybersecurity threats we face,” says Jit Hinchman, CSCP, founder of Supply Chain Adviser. “The digital supply chains expand the network connection. More devices open more gateways that can unintentionally open opportunities for unauthorized users to access data through landline and wireless communication channels. Once a supply chain is compromised, that means its security can no longer protect or safeguard the ecosystem.”
Turn data security into an asset
Companies today are “awash in data,” per authors Nada R. Sanders, Ph.D., and Morgan Swink, Ph.D., in an ASCM research report about digital supply chain. There’s so much to collect, and it’s so easy to acquire: customer information, including names, addresses and credit card numbers; transaction records; shipping schedules; and much more.
To make sense of it all, Augustine suggests managers ask themselves a few key questions: “What is important to your supply chain? To your executives? To your stakeholders? Different data will be important to different people. Supply chain leaders need to understand what is important to these sets of people to allow for the correct measures, [key performance indicators] and metrics to be reported out.”
Cyber artificial intelligence (AI) company Darktrace recently published the IDC InfoBrief "Building the Case for a Virtuous Cycle in Cybersecurity." It confirms the need for organizations to leverage AI to achieve cyber readiness: “Supply chain managers must implement AI and [machine learning] techniques to track irregularities in the data and in processes. And they must learn to trust it [and identify] subtle changes in the behaviors of entities within a network ... The strength of security analytics is that it can both prioritize and pinpoint the threats that matter most.”
Meanwhile, once that information is sorted and organized, it needs to be kept safe. “It is vital that you have supply chain resources that have the ability to tell a story with data and identify possible risks or anomalies in the data,” Augustine warns. “This in turn allows the supply chain teams to solve for [risks] before they become an issue.”
Further, cybersafety gets a boost when any number of small things are improved, the Darktrace paper notes: “Attack surface management, constant inventory management, vulnerability prioritization, security posture assessment, and breach attack simulation all reduce risk.”
Make strategic change
To prevent disruption, Augustine recommends the following steps:
- Work closely with your IT department and cybersecurity teams.
- Identify where your risks might come from, develop response plans and test the plans out.
- Test different scenarios and make sure plans work in a timely manner.
- Ensure suppliers and suppliers’ suppliers have these same plans in place. When you’re trading supply chain data, you need to make sure partners are integrated into your security plans. One bad actor will ruin a reputation, so understanding both upstream and downstream impacts and risks is a must.
Recently, Keith Turpin, chief information security officer at the Friedkin Group, hosted the Cybersecurity Risks Every Resilient Supply Chain Must Manage webinar in collaboration with ASCM. Watch the recording to explore key challenges, discover proven methods for continuity planning, and help your supply chain avoid threats and vulnerabilities. Further, cybersecurity is one of ASCM’s Top 10 Supply Chain Trends in 2023. Read the report to learn more and help your networks thrive in the coming year and beyond.