
Why integrating cybersecurity at every level of supply chain management is essential for SMEs

As businesses have become increasingly digitalized, cyberattacks have gained ground and grown into a major risk. These attacks cause significant losses in corporate value. Major companies, recognizing the danger they face, have increased their cybersecurity safeguards. Nevertheless, building a so-called cybersecurity fortress does not completely avert attacks. Rather than directly assaulting well-protected target firms, cybercriminals frequently use suppliers with weaker security to gain access and harm their main targets. For SMEs, the risk of cyberattacks is higher, since security budgets are often limited and cybersecurity takes a back seat, and the impact is deeper and longer-lasting.

Image by FlyD

What does a supply chain cyberattack look like?

A supply chain cyberattack is aimed at third-party suppliers that provide products or technology essential to the entire supply chain, with the objective of destabilizing the business ecosystem. A major threat nowadays is the software supply chain, since most companies do not build software systems from scratch but rely on generic elements such as third-party APIs, freely available (open-source) software, proprietary source code from software providers, or existing in-house software.

A supply chain cyberattack targeting a piece of software or a software system usually introduces malicious code that affects its users, whereas an attack targeting hardware compromises equipment and components that can then be used to harm organizations. Regardless of the method, supply chain security breaches can be disastrous for a firm and its customers.

SMEs are affected by supply chain cyberattacks in several ways. On the one hand, attackers perceive them as the weaker link in the supply chain compared to larger companies. Attackers therefore expect SMEs to have limited awareness of the danger and to spend less on protection. They will attempt to exploit weaknesses in the supplier's security to strike their primary target, which is often one of the larger players, while still significantly harming the SME.

Examples of supply chain cyberattacks:

1. SolarWinds

The 2020 SolarWinds supply chain cyberattack is a well-known example. SolarWinds provides Orion, an IT network solution for monitoring, analyzing, and managing organizational IT infrastructures. Government-backed hackers penetrated the software and inserted malware into a planned update. Clients, including US federal agencies, state and local governments, and large enterprises, were compromised when the update was installed. The attack affected approximately 18,000 SolarWinds clients.

2. SiSense

SiSense, a business intelligence company operating in New York, Tel Aviv, and London that monitors third-party internet services, discovered a breach of its software supply chain in April 2024, affecting critical infrastructure firms. Critical information and credentials of hundreds of SiSense clients were compromised.

The US cyber defense agency, CISA, actively collaborated with SiSense to minimize the impact of the attack and urged the BI company's clients to change their credentials and other personal data, and to investigate and report potential malware threats.

3. Okta

Okta, a supplier of identity and authentication solutions, announced in October 2023 that attackers had gained access to confidential client data by obtaining credentials for its customer support platform. The attacker could view files uploaded by certain Okta customers in recent support cases. The repeated data breaches suffered by widely used providers like Okta, whose services are critical to their customers, have made them even more attractive as top targets for threat actors. Through this vulnerability in the third-party supply chain, Okta's clients become victims as well.

The need to incorporate cybersecurity into supply chain risk management

Gartner research reveals that cybercriminals are targeting software development platforms and freely available (open-source) assets to infiltrate software supply chains. Gartner expects that by 2025 software supply chain attacks will triple compared to 2021, reaching 45% of organizations globally. The Gartner report highlights the growing risk of attacks aimed at software supply chains, with hackers seeking to compromise established networks. This heightened risk calls for strong security measures across development and operations.

With cyberattacks set to rise in the coming years, a major transformation is expected in regulations and in public and private IT procurement, requiring financial commitment to compliance, a risk-focused cybersecurity strategy, operational procedure development, new equipment, staff, and training across the organization.

How can SMEs improve the cybersecurity of their supply chain?

1. Identify, track and prioritize the supply chain risk matrix.

The first step in adopting supply chain security is to identify all potential hazards. This means mapping the supply chain and its critical elements by recording vendors and evaluating their security posture.

This is how to carry out the evaluation:

  • Classify suppliers according to their level of risk.

  • Prioritize each third party based on its vulnerability, its ability to obtain your data and access your systems, and its influence on your SME.

  • Use questionnaires and on-site inspections to evaluate supply chain security.

  • Determine the most vulnerable sections of the supply chain and supplement these vendors or request that they enhance their cybersecurity.

  • Evaluate the security of both hardware and software components supplied to your organization.

  • Determine whether procedures in the supply chain pose a risk to sensitive data and systems, and implement adequate safeguards.

Risks can be visualized by creating a tree-like diagram that depicts every relationship between the SME and the components of its supply chain. This approach helps convey the wider context of supply chain risks and trace the relationships between parties. Some examples are provided below:

Figure 1. Generic SME supply chain (Source: Thakkar et al., 2007)

Figure 2. Decision tree for lean supply chain waste elimination (Source: Liu et al., 2012)
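To make the prioritization criteria above concrete, here is an added Python example (not code from the article or from the cited sources) that scores each supplier on vulnerability, data access, system access and business influence, assigns it a risk tier, and walks a tree of suppliers and sub-suppliers so that a vendor inherits risk from its own supply chain. That last step goes slightly beyond the article, which only describes drawing the tree. The supplier names, scores, criterion weights, tier thresholds and one-hop attenuation factor are all constructed assumptions.

```python
"""Supplier risk matrix with tree-based risk propagation.

Added example, not from the original article. The SME, vendor names and
scores are constructed; the criterion weights, tier thresholds and the
one-hop attenuation factor are assumptions chosen to illustrate the
prioritization criteria listed in the article.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed weights: criteria that reach directly into the SME's data and
# systems count more than general exposure. Each criterion is scored 1-10.
WEIGHTS = {"vulnerability": 0.30, "data_access": 0.25,
           "system_access": 0.25, "influence": 0.20}
# Assumed tier thresholds on the weighted 1-10 score.
TIERS = [(7.0, "critical"), (5.0, "high"), (3.0, "medium"), (0.0, "low")]
# Assumed attenuation for risk inherited from a sub-supplier one hop away.
HOP_FACTOR = 0.8


@dataclass
class Supplier:
    name: str
    kind: str                 # "software" or "hardware" component provider
    vulnerability: int        # from questionnaires / on-site inspection
    data_access: int          # how much of the SME's data the vendor can obtain
    system_access: int        # how deeply the vendor can reach into SME systems
    influence: int            # business impact if the vendor is compromised
    subsuppliers: List["Supplier"] = field(default_factory=list)

    def own_score(self) -> float:
        """Weighted score from the vendor's own assessment only."""
        return (WEIGHTS["vulnerability"] * self.vulnerability
                + WEIGHTS["data_access"] * self.data_access
                + WEIGHTS["system_access"] * self.system_access
                + WEIGHTS["influence"] * self.influence)

    def effective_score(self) -> float:
        """Score including the vendor's own supply chain: a vendor is at
        least as risky as its riskiest sub-supplier, attenuated by one hop
        because that party reaches the SME only indirectly."""
        inherited = max((HOP_FACTOR * s.effective_score()
                         for s in self.subsuppliers), default=0.0)
        return round(max(self.own_score(), inherited), 2)


def tier(score: float) -> str:
    """Map a weighted score onto the risk tier used in the matrix."""
    for threshold, label in TIERS:
        if score >= threshold:
            return label
    return "low"


def walk(supplier: Supplier, depth: int = 0):
    """Depth-first traversal of the supply chain tree."""
    yield supplier, depth
    for sub in supplier.subsuppliers:
        yield from walk(sub, depth + 1)


def prioritize(root_suppliers: List[Supplier]) -> List[Tuple[str, int, float, str]]:
    """Return (name, depth, effective score, tier), highest risk first."""
    rows = []
    for root in root_suppliers:
        for node, depth in walk(root):
            score = node.effective_score()
            rows.append((node.name, depth, score, tier(score)))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


def sample_chain() -> List[Supplier]:
    """Constructed sample: a small manufacturer's direct vendors and their
    own sub-suppliers. The ERP vendor looks medium-risk on its own but
    depends on a telemetry SaaS with poor security and broad data access."""
    hosting = Supplier("CloudHost", "software", 3, 8, 9, 8)
    telemetry = Supplier("MetricsSaaS", "software", 9, 9, 8, 3)
    erp = Supplier("ERP vendor", "software", 3, 5, 5, 6, [telemetry])
    pcb = Supplier("PCB fab", "hardware", 6, 1, 2, 6)
    sensors = Supplier("Sensor OEM", "hardware", 5, 2, 3, 7, [pcb])
    return [hosting, erp, sensors]


if __name__ == "__main__":
    for name, depth, score, label in prioritize(sample_chain()):
        print(f"{'  ' * depth}{name:<12} {score:5.2f}  {label}")
```

In the sample, the ERP vendor scores "medium" on its own assessment but is raised to "high" because of the telemetry service it depends on, which is the kind of indirect exposure the tree view is meant to surface.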

2. Develop a comprehensive supply chain cybersecurity strategy.

As cyberattacks become more prevalent, supply chain executives must collaborate with risk management and security specialists to better understand these risks. All managers should work together to address supply chain security issues. To reduce weaknesses, flaws must be identified both in the physical transfer of goods (handling, packaging, and distribution operations) and in the digital flow of information and software (virtual streams between interconnected networks and devices).

Before evaluating how attackers could disrupt corporate operations or industrial output, SMEs should consider the motives behind prospective attacks. SMEs also need to determine their most essential organizational assets, such as confidential information, client data, and intellectual property, so that the program can prioritize the crucial areas that need protection.

3. Implement cybersecurity control assessments.

Based on the information collected through the steps above, SMEs can adopt a framework that gauges the maturity of their cybersecurity measures and compares it with leading industry players. Gartner proposes the Top-Level Controls Maturity assessment below, using a 1-5 maturity scale for the SME under assessment and a selected peer across five key functions: Identify (ID), Protect (PR), Detect (DE), Respond (RS), and Recover (RC). An example of what this assessment looks like when applied to a hypothetical SME is included below:

Figure 3. Top-Level Controls Maturity (Source: Gartner, 2024)

The assessment can be used as an interactive educational activity to establish a baseline for tracking progress over time, communicate benchmarked results to the board, and increase confidence in the SME's security posture.

Ongoing supply chain security monitoring should look for evidence of malicious activity, obtain full visibility, and identify gaps in the organization's ability to recognize such activity. Security managers can achieve this by implementing a centralized monitoring system that gives insight into vulnerabilities and helps uncover complex, multi-stage attacks.
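As an added illustration of the control-maturity assessment described above (not Gartner's tool or the article's own code), the following Python example aggregates per-control 1-5 scores into a maturity score for each of the five functions, compares the SME against a selected peer, and ranks the gaps so the board sees where to invest first. The five functions are the core functions of the NIST Cybersecurity Framework that the article lists; the control scores, the peer benchmark and the weakest-link aggregation rule are constructed assumptions.

```python
"""Top-level controls maturity gap assessment.

Added example; it is not Gartner's assessment tool or the article's own
code. The per-control scores and peer benchmark are constructed, and the
weakest-link aggregation rule is an assumption. The five functions are the
NIST Cybersecurity Framework core functions that the article lists.
"""
from typing import Dict, List, Tuple

FUNCTIONS = ["ID", "PR", "DE", "RS", "RC"]   # Identify, Protect, Detect, Respond, Recover
MIN_SCORE, MAX_SCORE = 1, 5                  # maturity scale used in the assessment


def function_maturity(control_scores: List[int]) -> float:
    """Aggregate per-control 1-5 scores into one function score.

    Assumed weakest-link rule: the result is the mean, but capped at the
    weakest control's score plus one, so a single neglected control cannot
    be hidden behind several strong ones.
    """
    if not control_scores:
        raise ValueError("a function needs at least one assessed control")
    for s in control_scores:
        if not MIN_SCORE <= s <= MAX_SCORE:
            raise ValueError(f"score {s} outside {MIN_SCORE}-{MAX_SCORE}")
    mean = sum(control_scores) / len(control_scores)
    return round(min(mean, min(control_scores) + 1), 1)


def assess(sme_controls: Dict[str, List[int]],
           peer_scores: Dict[str, float]) -> Dict[str, Tuple[float, float, float]]:
    """Return {function: (SME maturity, peer maturity, gap)} for all five functions."""
    result = {}
    for fn in FUNCTIONS:
        sme = function_maturity(sme_controls[fn])
        peer = peer_scores[fn]
        result[fn] = (sme, peer, round(peer - sme, 1))
    return result


def prioritized_gaps(result: Dict[str, Tuple[float, float, float]]) -> List[str]:
    """Functions ordered by largest gap to the peer, ties broken by the lower SME score."""
    return sorted(FUNCTIONS, key=lambda fn: (-result[fn][2], result[fn][0]))


def overall(result: Dict[str, Tuple[float, float, float]], column: int) -> float:
    """Overall maturity is the weakest function (assumption): column 0 = SME, 1 = peer."""
    return min(result[fn][column] for fn in FUNCTIONS)


# Constructed sample: control scores for a hypothetical SME and a peer benchmark.
SAMPLE_SME = {
    "ID": [2, 3, 2],   # asset inventory, supplier register, risk register
    "PR": [4, 4, 3],   # access control, patching, backups
    "DE": [1, 2, 3],   # log collection, alerting, vendor activity monitoring
    "RS": [3, 2],      # incident playbooks, supplier notification process
    "RC": [2, 2, 3],   # recovery testing, alternate suppliers, communications
}
SAMPLE_PEER = {"ID": 3.5, "PR": 4.0, "DE": 3.5, "RS": 3.0, "RC": 3.0}

if __name__ == "__main__":
    res = assess(SAMPLE_SME, SAMPLE_PEER)
    for fn in prioritized_gaps(res):
        sme, peer, gap = res[fn]
        print(f"{fn}: SME {sme}  peer {peer}  gap {gap}")
    print("overall SME", overall(res, 0), "vs peer", overall(res, 1))
```

Re-running the same script each assessment cycle with the updated control scores gives the baseline over time that the paragraph above describes; the weakest-link cap is what stops a strong Protect score from masking a Detect function that has barely started.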


Conclusion

In summary, cyberattacks pose a serious risk to businesses, causing significant losses in corporate value. SMEs face higher risks because of limited budgets and the lasting effects of an incident. Supply chain cyberattacks target third-party suppliers, destabilizing the business ecosystem and particularly SMEs, which are perceived as the weaker links in the supply chain.

Hackers are increasingly adept at finding supply chain vulnerabilities in targeted companies, resulting in significant lost value, as the cases of SolarWinds, SiSense, and Okta demonstrate.

As cyberattacks are expected to triple by 2025 compared to 2021, significant changes are needed in regulations, IT procurement, risk-focused cybersecurity strategies, operational procedures, equipment, staff, and training across organizations.

This article recommends several measures to help SMEs improve their supply chain cybersecurity: identifying, tracking, and prioritising supply chain risks in a matrix; developing a comprehensive supply chain cybersecurity strategy that involves all supply chain executives and requires them to address the security issues identified; and implementing cybersecurity control assessments that are repeated regularly to keep pace with market dynamics.

References

Gartner. 2024. Mitigate Enterprise Software Supply Chain Security Risks. January 9. Available at: https://www.gartner.com/en/documents/5089331.

Liu, S., Leat, M., Moizer, J., Megicks, P., and Kasturiratne, D. 2012. A decision-focused knowledge management framework to support collaborative decision making for lean supply chain management. International Journal of Production Research, 51(7): 2123.

Thakkar, J.J., Kanda, A., and Deshmukh, S.G. 2007. Evaluation of buyer-supplier relationships using an integrated mathematical approach of interpretive structural modeling (ISM) and graph theoretic matrix: The case study of Indian automotive SMEs. Journal of Manufacturing Technology Management, 19(1): 92-124.
