Supply chains connect companies, industries and countries. They are the backbone of global trade and economic growth. But they are increasingly becoming an attractive target for attackers.

In this ISTARI Perspective, the former CISO at McKinsey teams up with the former director of the UK intelligence agency GCHQ to describe the problem and three steps companies can take to improve cyber resilience in their supply chains – and stop the domino effect.

  • Cyberattacks on supply chains can quickly escalate in unpredictable ways.
  • The problem of cyber risk in supply chains is not new; it’s been a decade since the infamous breach of retailer Target through an air conditioning vendor. 
  • But it’s a problem that is growing: ISTARI recently asked a room full of CISOs about their experience with the potential domino effect that arises from supply chain cyber risk. Almost half had experienced a cyberattack that originated from their supply chain, and three quarters responded that their company’s supply chain had been indirectly disrupted or impacted by a cyberattack on one of their suppliers.
  • Supply chains face three types of cyber risk:
    • A core supplier suffers a cyberattack that disrupts the flow of goods or services
    • A company suffers a breach through one of its suppliers: attackers move laterally across supply chains to gain a foothold in other companies’ networks
    • An organisation suffers a breach because of a vulnerability embedded in software supplied by a third-party software company.

Companies can do three things to improve the cyber resilience in their supply chain:

  1. Set clear ownership: One individual or team should be incentivised to assess and reduce supply chain risk and be allocated sufficient resources
  2. Assess and prioritise suppliers: Instead of categorising suppliers by contract size, prioritise suppliers based on risk factors
  3. Fix the past – and anticipate the future: Fixing legal and regulatory problems allows you to look forward and implement real-time cyber risk identification and management of the supply chain.

Why does this matter for businesses? 

Many companies regard building cyber resilience in their supply chains as an insurmountable task.

But starting to build cyber resilience in the supply chain isn’t impossible – it’s a strategic necessity. 
