Supply Chain and Sustainable Cybersecurity

Dr Magda CHELLY, CISSP, PhD
Magda On Cyber
Jan 9, 2023

Co-Written with Wen Sin LIM

The growing frequency with which news of supply chain attacks makes the headlines is enough to make any business owner break out in a cold sweat. And yet malicious attacks are not the only disruptive event we have to contend with — supply chains are just as vulnerable to wars, natural disasters, power outages and virus outbreaks. Case in point: a fire in a chip-making factory in Japan wreaked havoc on auto industry production schedules, forcing companies to cut production and jacking up the prices of cars worldwide.

As disruptions to the global supply chain become more commonplace, it is imperative to build efficiency, security, and resilience into entire supply chains.

IMMUNE — A Responsible Cyber Product

Why should you care about supply chain attacks?

No man or woman (or organisation) is an island.

As a business, you are likely both a supplier (to your clients) and a client (to your suppliers), and your client is probably both a supplier (to its clients) and a client (to you and other businesses) as well. All the organisations involved — from start to finish — in getting a product or service to the customer form one supply chain. If a participant in this supply chain is also involved in getting another product or service to a different customer, a branch forms from the original supply chain. As more branches develop, what you end up with is a massive network of highly interconnected and interdependent elements. That is the complexity we are dealing with when we ask whether a disruption to another organisation's business is relevant to us.

Given the state of modern supply chains, when a malicious actor launches a cyber attack, they are often not affecting just the one victim but its entire network of customers, partners, clients, suppliers and vendors as well. The Kaseya ransomware attack in July 2021, which had downstream impacts on the 40,000 organisations to which it provided IT solutions, further substantiates this point: a localised disruption to one seemingly small part of a supply chain can have considerable impacts on all others sharing the same network, and it is archaic to think that ensuring only your own security is sufficient to protect your business.

There must now be a different approach to cybersecurity. Our current approach is unsustainable.

— Ken Xie, Founder, CEO & Chairman of the Board, Fortinet

What can you do differently?

With the understanding that it has become virtually impossible for any one person or organisation to remain unaffected whenever disruptions occur, it becomes imperative then to refocus our efforts on strengthening the security of our ecosystem (as opposed to that of individual organisations) in order to achieve collective security.

To adopt an ecosystem-driven approach to security, organisations cannot continue to operate with limited visibility of the supply chains of which they are a part. The problem that we see repeating itself over and over again is that organisations do not even have a list of the third-party providers they are working with, much less an inkling of which ones present potential single points of failure in their supply chain.

Operating in this manner is untenable: those that fail to understand the physical, financial, political, and social risks they face will fail to prepare for the fallout when those risks materialise, and their inability to react in a timely fashion will inevitably cause them to incur more than their fair share of losses.

Hence, vetting the parties that you work with and building visibility both of and beyond your direct clients and suppliers is a crucial first step in the right direction.

Once we have visibility of who or what the weak links in our supply chains are, we can begin mitigating risks — all without burning out people or burning through resources — simply by being selective with whom we work. Refusing to have business dealings with those that do not care to implement cybersecurity controls or take action to mitigate the risks they face rids you of a potential risk element that could otherwise endanger you and your money-making potential in the long run. With one less vulnerability, you would already have begun to build a healthier ecosystem.
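The three steps above (list the third parties you depend on, look beyond your direct suppliers, and find the ones that are single points of failure) can be made concrete by modelling the supplier network as a dependency graph and simulating the outage of each supplier in turn. The Python below is an added example and is not code from the article or from the IMMUNE product; the service and supplier names are constructed, and the model it assumes is that a service stays available if at least one of its direct suppliers is operating, while a supplier operates only if every sub-supplier it depends on is operating. It also reports each supplier's "blast radius" (the services its sole outage takes down), which is the Kaseya-style question of how far one failure propagates downstream.

```python
"""Find single points of failure in a supplier dependency network.

Assumed model (this is the example's assumption, not the article's):
  * a critical service is available if at least ONE of its direct
    suppliers is operating (alternatives are redundancy);
  * a supplier operates only if ALL of its sub-suppliers operate.
A single point of failure (SPOF) is any supplier, at any tier, whose
outage on its own makes at least one critical service unavailable.
"""

# Constructed sample data: the services we consume and which direct
# suppliers can deliver each of them (a list means "any one of these").
SERVICES = {
    "payroll": ["PayCo"],
    "hosting": ["CloudA", "CloudB"],
    "email": ["MailCo"],
    "endpoint_mgmt": ["MSP-One"],
    "cdn": ["EdgeA", "EdgeB"],
}

# Constructed sample data: what each supplier itself depends on.
# Note that both cloud providers buy hardware from the same chip fab,
# so at tier two they are not really independent alternatives.
SUPPLIER_DEPS = {
    "PayCo": ["CloudA"],
    "CloudA": ["FabX"],
    "CloudB": ["FabX"],
    "MailCo": ["CloudB"],
    "MSP-One": ["CloudA", "MailCo"],
    "FabX": [],
    "EdgeA": [],
    "EdgeB": [],
}


def service_available(service, failed, services=SERVICES, deps=SUPPLIER_DEPS):
    """True if `service` can still be delivered with the suppliers in
    `failed` out of action. Walks the dependency tree recursively."""

    def supplier_up(name, visiting=frozenset()):
        if name in failed or name in visiting:
            # Failed outright, or a cycle in the data: treat as down.
            return False
        return all(supplier_up(d, visiting | {name}) for d in deps.get(name, []))

    return any(supplier_up(s) for s in services[service])


def blast_radius(failed_supplier, services=SERVICES, deps=SUPPLIER_DEPS):
    """Sorted list of services that go down if this ONE supplier fails."""
    return sorted(
        s for s in services
        if not service_available(s, {failed_supplier}, services, deps)
    )


def single_points_of_failure(services=SERVICES, deps=SUPPLIER_DEPS):
    """Map every supplier (direct or sub-tier) that is a SPOF to the
    services its sole outage takes down. Suppliers with an empty blast
    radius are genuinely redundant and are left out."""
    all_suppliers = set(deps) | {s for alts in services.values() for s in alts}
    result = {}
    for supplier in sorted(all_suppliers):
        down = blast_radius(supplier, services, deps)
        if down:
            result[supplier] = down
    return result


if __name__ == "__main__":
    # Report the weak links, most damaging first.
    spofs = single_points_of_failure()
    for supplier, down in sorted(spofs.items(), key=lambda kv: -len(kv[1])):
        print(f"{supplier:8s} takes down {len(down)} service(s): {', '.join(down)}")
```

Running the script on the constructed data shows that the shared chip fab, two tiers away from us, is the single most damaging failure even though it is not on the list of direct suppliers, and that the two CDN providers are the only suppliers that can be lost without any service impact. The same structure works on a real supplier inventory once it has been collected; the hard part in practice is the visibility step, not the analysis.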

How is strengthening the security of your ecosystem sustainable?

Strengthening the security of your ecosystem’s suppliers can be a sustainable approach for several reasons. First, improving the security of your suppliers can help protect the integrity and confidentiality of your company’s data, which can help reduce the risk of data breaches and other cyber attacks. This can help protect the long-term viability of your business, as data breaches can have significant financial and reputational consequences.

Second, strengthening the security of your suppliers can help protect your customers’ data as well. If one of your suppliers experiences a data breach, it could potentially compromise the data of your customers, which could harm your reputation and lead to customer churn. By ensuring that your suppliers have strong security measures in place, you can help protect your customers’ data and maintain their trust.

Finally, improving the security of your suppliers can help create a more secure and stable supply chain overall. This can lead to more efficient and reliable operations, which can ultimately help your business save time and money in the long run. By investing in the security of your suppliers, you can create a sustainable and resilient ecosystem that can better withstand the challenges of the modern business environment.

In conclusion, over time, with risk monitoring and consistent efforts to hold one another accountable, your supply chain will build resilience: each valued stakeholder develops a resistance to associating with risky actors, and in doing so eliminates threats from your ecosystem as well. This is the crux of our sustainable approach to supply chain security.

Interested in learning more about building resilience into your supply chain?

Reach out to us to book a demo of our Supply Chain Risk Management platform, IMMUNE — a Responsible Cyber product.

By Magda Chelly

Chief Security Officer | TEDx Speaker | Author & Keynote Speaker | IFSEC Global Top 20 Cybersecurity Influencer | Entrepreneur | PhD, S-CISO, CISSP, Cert SCI (General Insurance)

Find out more on magda-on-cyber.com

Follow Magda on Twitter: https://twitter.com/m49D4ch3lly
