Supply Chains Offer Hackers a Profitable Target
Cybersecurity should be a topic that keeps us procurement and supply chain folks up at night. It’s tempting to leave it in the hands of the information technology people, but the reality is that with the growing realization that the supply chain is a critical linchpin in most organizations—and for electronics manufacturers in particular—bad actors are going to be focusing on the supply chain as a lucrative target with increasing frequency.
There’s also going to be a domino effect: investors will be worried about cybersecurity and auditing for it, and organizations will also have to push the concern down through multiple layers in the supply chain to ensure that a downstream event doesn’t stall business with transportation, logistics, vendor, or supplier partners.
Measuring the market
The market figures bear this out. Research and Markets, in a January 2023 report, forecasts that the global supply chain security market will grow from an estimated $2.0 billion in 2022 to $3.5 billion by 2027 at a compound annual growth rate (CAGR) of 11 percent.1 These figures factor in the hiring of professional security analysts and other professional services, including support and maintenance, training, and education. Although smaller organizations may have trouble budgeting for cybersecurity, the overall impact on organizations of any size is significant: increased transparency and reduced risk in a market where attacks are on the rise.
In fact, the 2022 Verizon Data Breach Report,2 which has tracked cybersecurity incidents since 2008, noted that the supply chain was responsible for 62 percent of the 7,013 identified system intrusion incidents—including social, malware, and hacking attacks. The vast majority of these attacks (93 percent) were financially motivated, and almost a third included confirmed data disclosure.
Figure 1: Motives over time in manufacturing industry incidents. More than in the past, hackers are looking for financial gain by launching attacks in the manufacturing sector. Increasingly, denial of service (DoS) attacks are the most common incident. Although DoS attacks initially peaked in the 2018 report (over 40% of incidents), they have been increasing since 2019 and now account for approximately 70% of incidents. (Image source: Verizon)
Staying safe
Staying ahead of cybercriminals clearly isn’t easy—but most organizations are planning to invest in the effort. According to a recent Gartner report, this often translates to auditing partners, including suppliers, contract manufacturers, and logistics partners. In fact, 65 percent of those surveyed mentioned auditing, while many also pointed to risk management tools for their IT vendors (40 percent) or supply chain (39 percent).3 The vast majority of organizations say they will increase spending on supply chain cybersecurity, with 63 percent saying that investment will be substantial or significant (Figure 2).
Figure 2: Year-Over-Year Changes in Supply Chain Cybersecurity Spending. Nine out of ten organizations intend to increase supply chain security spending in the coming year—and only two percent plan to decrease their focus. The goal for these organizations is to automate the manual approach of assessments, audits, and validations as much as possible—to increase the affordability and effectiveness of their efforts. (Image source: Gartner)
Gartner identified the extended use of automation and tools as key drivers in this trend. “Leaders we spoke to expressed a desire to move from response and recovery after a known threat to continuous and predictive threat monitoring,” the report said. “They also want to take cyber-risk mitigation deeper into their supply chain operations.”
Hard to hire
Spending on cybersecurity, though, is only part of the problem. Currently, there is a huge gap between the demand and supply of cybersecurity workers. Last October, the White House put the shortfall at 700,000 workers.4 In the U.S., the current administration says that it is prioritizing cybersecurity, especially in relation to increasing the cyber workforce, cyber training and education, and digital awareness. Globally, the problem is even more daunting. The (ISC)² Cybersecurity Workforce Study puts the worldwide workforce gap figure at 3.4 million people.5 In addition to the automation mentioned above (which lets organizations get more done with fewer people), there are some strategies that may help close the gap:
- Being an employer of choice by providing flexible working conditions
- Investing in more training and certifications for existing employees
- Using outsourcing and service providers for some activities
Cybersecurity incidents make headlines and tarnish organizational brands, in addition to costing millions. As the profile and importance of supply chain activities continue to rise, thinking carefully about a broad and deep cybersecurity strategy will be essential. Automation and technology will be critical tools—and strategic hiring and training of employees will also help create supply chain safety.
References:
2: https://www.verizon.com/business/resources/reports/dbir/
3: https://www.gartner.com/en/supply-chain/trends/supply-chain-cybersecurity
