Boards struggle to resolve cyber risk in digital supply chains


The accelerated digitisation of supply chains poses a greater degree of risk than ever before, and while three-quarters of organisations say this is a source of concern for them, boards are still struggling to resolve the problem.

This is according to the British Standards Institution’s annual Supply chain risk insights report, which this year is broadly themed around transitioning beyond the turbulence of 2022 and towards a more sustainable future.

“2022 saw volatility in global supply chains that many would never have expected in their lifetime,” said BSI chief executive Susan Taylor Martin. “Successive crises, including a global pandemic followed by a war in Europe, have resulted in continued uncertainty on many fronts and have demonstrated to governments the benefit of ensuring a robust global supply chain.

“Given the turbulence of the past twelve months, 2023 will be an important watershed for many organisations – with those that successfully manage their supply chain risks being more likely to thrive.”

The report sets out how global supply chains are struggling to keep up with market uncertainty in the face of industrial action, transport and energy cost increases, geopolitical uncertainty, climate breakdown, and digital risk and cyber incidents. These factors are all combining to create what the BSI described as a complex, fast-moving and higher-risk environment, in which the reliability of supply chains can no longer be guaranteed to the degree possible just a few years ago.

Like many others, the BSI tracked a notable increase in high-profile supply chain cyber attacks in 2022, and noted their growing sophistication as well. Mark Brown, global managing director for digital trust consulting services at the BSI, said that threat actors clearly understand attacking supply chains is a winning strategy.

“The perpetrators know they are likely to be paid a ransom given the impact it has not just on a single company, but on a whole ecosystem of companies within a supply chain, making it more likely that the attacked company will pay the ransom to recover as quickly as possible,” he said.

Marianna Sanford, intelligence analyst at the BSI’s Connect Screen supply chain risk intelligence and supplier management unit, said this meant that organisations needed to pay special attention to cyber security.

“Organisations are increasingly highlighting cyber vulnerability and ransomware as the most important emerging trend to look out for in the short, medium and long term, and they believe they will have to prepare for this by investing in their IT department and digital skills across the business,” she said. “With the advances in new technology comes added vulnerabilities, especially with the rising number of connected objects.”

According to the report, this need means boards must now make an urgent decision over whether to leave cyber security practice to their suppliers, or to extend their own capabilities and requirements into their supply chains. It cautions that neither option is necessarily a firm guarantee of resiliency – both have their benefits and drawbacks – but that it cannot be ignored any longer.

In light of the elevation of supply chain risk, the report sets out three key technology priorities for boards in 2023:

  • Accept that you can neither completely control your supply chain nor foresee every risk, as such it is important to map it and the external services on which you depend;
  • Examine opportunities that arise through using technology to gain insight into the supply chain, moving away from annual or quarterly reporting towards continuous assessment, and considering solutions such as data analysis, the IoT, cloud services, information security and predictive analysis;
  • And visualise the digital supply chain from a data perspective – one simple way of doing this could be to divide your annual revenue by the number of hours in a year (8,760) which will help you understand if the cost of implementing a risk management solution is less than a given amount of downtime.



Source link