Cybersecurity is not just an IT issue. There are potentially major weaknesses in the supply chain that must be addressed, or supply chain leaders put their companies at significant risk. A supply chain vulnerable to cyberattacks can lead to critical operational disruptions, significant damage to brand and reputation, product safety issues, loss or theft of intellectual property, and substantially increased costs above and beyond fines and fees. Over the past several years, attacks have targeted supply chains across multiple industries and impacted the operations of the supply chain and the products they produce.
Honda. ASUS. Merck. Norsk Hydro. Maersk. Mondelez. FedEx. ASCO Industries. These are just some of the stories we know about. There are likely others that have gone less publicized.
There is good evidence that supply chain cyberattacks are on the rise. It is probably impossible to quantify the exact rate of increase of supply chain cyberattacks, but they are happening. Whether the supply chain is targeted directly or becomes collateral damage in a broader enterprise-wide outage, supply chain leaders are worried.
How worried? We know from our latest Future of Supply Chain study that “Data Security/IT incidents” was the top threat cited by nearly 300 supply chain leaders when compared to all other risks, with 44% responding they are “very concerned.”
Fortunately, there is more detailed direction on how supply chain leaders can address their cyberattack concerns. The NIST Cybersecurity Framework (CSF) was updated to v1.1 in 2018 to include “managing cybersecurity within the Supply Chain.” This update now gives supply chain leaders a chance to work together with their IT and Security & Risk counterparts by providing a common language and a blueprint in the protection of their data, products, and connected assets and operations.
At the same time, while the NIST CSF update offers direction on the “how” of protection, we are starting to understand more deeply the “what” that supply chain is trying to protect. We now have significant quantitative data that tells us that leaders are working to mitigate the risks. Given the complexity and fragmentation of the threat vectors, we see a definite deployment curve in risk mitigation approaches. When asked what steps they were taking to protect their supply chain from cyberattack, the same leaders mentioned above responded that they were taking action across a variety of technological, functional, and governance-related fronts. While this data is encouraging in that we see supply chain advancing in the effort, the vast majority of these approaches are currently in use by less than half of the respondents we surveyed. We are encouraged by the progress the profession is making, but as the data shows, there is still a lot of work to be done.
Our latest research, Deploy Effective Supply Chain Strategies to Fortify Cybersecurity (available to Gartner Supply Chain clients), explores these topics in more detail, highlighting why we believe these attacks are on the rise and offering a series of best practices for each of the NIST CSF stages, from Identify through Recover, that supply chain leaders can use as they combat the multitude of potential threats.
Cybersecurity is an issue for all tech-enabled business processes and capabilities. Supply chain, however, stands alone in the number of “hand-offs” from raw material to delivery of product, service or patient care. All the functional areas of an integrated, end-to-end supply chain — plan, source, make, deliver and customer service — are potential touch points where cyber threats could occur, as are the connections across the extended supply chain with suppliers, customers and patients. And while automation and digitalization of processes and products of course bring great benefits, taken all together they will ensure that the supply chain cyber risk frontier continues to expand.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.