Report: Cyber Risk Must Be A Collective Responsibility In The Digital Supply Chain

By David Bolton on December 12, 2019

Cyber threats may be an unintended consequence of our connected society, but companies who don’t see digital supply chain management as a collective issue are leaving themselves open to quality pain points.

A recently released cyber risk management report by global insurer Marsh & McLennan said that there is often dissonance between companies and their supply chain partners as to which side poses the greater disruptive threat. According to Marsh’s 2019 Global Cyber Risk Perception Survey, cyber risk is seen as an ongoing concern for organizations of all sizes, with the introduction of emerging technology and the digitization of supply chains cited as reasons for increased investment in digital risk management.

Cyber risk and security concerns are firmly entrenched as organizational priorities, the report said, with 79 percent of respondents to Marsh’s survey of 1,500 business leaders ranking these issues as a top-five concern. At the same time, companies are less confident that their integrated supply chain partners (among others) share the same sense of digital responsibility.

“Cyber risk has moved beyond data breaches and privacy concerns to sophisticated schemes that can disrupt entire businesses, industries, supply chains, and nations, costing the economy billions of dollars and affecting companies in every sector,” the report said. “The hard truth organizations must face is that cyber risk can be mitigated, managed, and recovered from, but it cannot be eliminated.”

Mitigating supply chain management risk

Around 39 percent of respondents said that they thought their supply chains posed a significant cyber risk to the organization, with 43 percent of people reporting “no confidence” in their own ability to prevent or mitigate a digital threat from a third party. Large companies – deemed by Marsh to be those with revenues of $5 billion or more – were even less confident; 61 percent said they faced a high degree of risk from their supplier integration, as opposed to 28 percent of small to midsize companies who felt the same.

The dissonance comes from how much of a reverse threat companies think they pose to their supply chains. Just under 20 percent of large firms said they saw themselves as a problem to suppliers, with 14 percent of small companies – those with revenue of less than $25 million – pointing the finger at themselves. This perception gap is extremely telling, the report said, and companies need to address the fact that supply chain management is often a two-way street.

“In a world of hyper-connected supply chains, there is a critical need for trust among partners; a lack of trust risks impeding business performance and innovation,” the report noted. “Every organization needs to understand, have confidence in, and play a role in the integrity and security of the components and software of its digital supply chains. The concept of ‘technological social responsibility’ — the recognition and acknowledgement by each organization of its role and cybersecurity obligations within the supply chain — is on the agenda for many industry leaders.”

The survey also revealed disparity between the cybersecurity measures that companies apply to themselves and what they expect of their suppliers.

Around 56 percent of companies expect suppliers to integrate cyber risk awareness training for their workforce, yet 71 percent of respondents said that this training was a requirement for all of their own employees. On a very basic level, this could mean that trust in the supply chain is diminished, especially if organizations believe that their suppliers are less prepared to deal with or manage cyber risk than they are.

“Midsize firms tended to report the strongest levels of confidence in managing suppliers of various types,” noted the authors of the report. “For example, 71 percent of firms with between $100 million and $1 billion in annual revenue stated that they were “fairly” or “highly confident” in their ability to mitigate risks arising from outsourced business process providers, compared with 60 percent in all other size categories. This may suggest that midsize firms are small enough to know their supply chain partners’ risks, yet large enough to have the resources to adequately assess them.”

A collective approach to innovation

Over the last 20 years, technology has transformed the global business environment. And while disruption is an overused trope within the private sector, there is little doubt that integration of new solutions to identified problems will continue for the foreseeable future.

The caveat is that companies need to understand that cybersecurity and, importantly, resilience to threats or potential disruption will require a comprehensive and collective approach.

Companies are more than aware that they need to integrate emerging technology into their internal and external ecosystems, but opening the doors to innovation has naturally meant a rise in the level of malicious activity. On the flip side, 50 percent of respondents said that cyber risk was rarely a barrier to adoption of new technology, but only five percent of companies reportedly evaluate risk throughout that technology’s life cycle.

At the same time, around 79 percent of respondents to Marsh’s survey ranked cyber risk as a top-five priority for 2020 – a 17 percent increase from a similar risk management study in 2017 – but confidence in their companies’ ability to effectively manage a potential problem had reportedly declined, with only 11 percent of people reporting a high degree of confidence in their cybersecurity investments. In addition, 43 percent of respondents said that they had no confidence in their companies’ ability to prevent cyber threats from at least one of their third-party partners.

In fact, the increased adoption of elements such as connected devices (the Industrial Internet of Things), cloud computing, process automation, blockchain, AI and other enterprise-specific digital products has meant that companies are potentially exposed to malicious acts across their entire ecosystem. A full 77 percent out of the 1,500 respondents to Marsh’s annual survey said that their companies had already adopted at least one of these emerging technologies, with the consensus being that the benefits to the business outweigh the risks.

For instance, a recent report by PwC, cited by Supply Chain Dive, said that 93 percent of manufacturing executives strongly believe that the IIoT will be a benefit to their ecosystem, with around 70 percent of respondents already using or planning to use connected devices in their supply chains within the next two years. And while these investments will encourage supply chains to achieve goals such as inventory tracking, effective quality management, product defect reduction or even predictive maintenance, there is always an inherent cyber risk.

“As these devices can affect the physical world and potentially provoke physical harm, it is essential that they be secured and protected from attacks,” said Rob Mesirow, a PwC partner and leader of its Connected Solutions/IoT practice, in an interview with the news source. “Recent attacks on consumer webcams and smart thermostats have raised attention and led most consumer manufacturers to deploy software updates to secure these devices; however, the risks remain.”

Strategic supply chain quality management

As we noted above, companies need to manage cyber risk as a collective issue and recognize that this risk is better served by a unified set of security standards and procedures that can be implemented across numerous networks. In addition, there needs to be a defined level of trust between the company or brand and its suppliers.

Thanks to a daily news cycle that brings data breaches and malicious acts to a global audience, it is unlikely that any company with an online or connected presence is unaware of the disruption a cyberattack can bring to internal and external working practices. What is critical is that companies understand exactly where the threats can come from and take the requisite steps to ensure that they have effectively covered all their bases.

“Many enterprises globally could benefit by applying strategic risk management principles to their cyber risk approach, supported by more expertise, resources and management attention as they build cyber resilience,” the Marsh report concluded. “Especially in an “Internet of Everything” era with digitally dependent supply chains and innovative technology, yesterday’s practices and mindsets are not enough, and may actually inhibit innovation. Optimizing security from the “castle” – the self-enclosed organization – to the wider community is harder, but inevitable. It requires a shift from solely focusing on enterprise security to embracing responsibility for network security across the entire supply chain.”
