Practitioners in supply chain jobs are advised that trying to protect against cyber-attacks by seeking full control of the supply chain is counterproductive. With reliance on third-party software applications growing in recent years for most companies operating in the globalised economy, reasonable anxiety has taken hold. Cyber-attacks are growing in sophistication and frequency, leading many professionals, from CPOs and supply chain interims to permanent practitioners, to conclude that the only way to minimise risk is to get complete control of the supply chain. But cybersecurity expert Joe Saunders believes that this is misguided and leads to commercially undesirable practices, such as attempts to dictate price and requirements – efforts that often end up with lucrative opportunities left sitting on the table as suppliers fail to conform.
The alternative, Saunders believes, is to accept that cyber-threats can never be eliminated. A recent report by KPMG found that 80% of the attacks originate within the supply chain. A ‘bad actor’ in the chain gains access to a software company’s distribution system and manages to insert malicious code into legitimate software. When customers update their versions, the malware is activated, infecting their systems.
But such attacks can be guarded against more effectively. Saunders writes: “By mapping out their supply chain, validating vendors, and reviewing security policies combined with technology implementation, organisations can close the gap on some vulnerabilities and prevent malware attacks from propagating without the burden and cost of trying to maintain full control.” Full visibility of the supply chain, in other words, works better than complete control of it. This requires a comprehensive strategy involving risk assessments, trials, and exploration of alternative security measures, including emerging ‘cyberhardening’ technology, which protects across the entire supply chain.
The underlying approach, Saunders suggests, is to assume that the supply chain is already compromised, and to proactively protect against the potential damage, rather than fearing that it might become so.