In the 21st century, cybersecurity threats are a growing, technologically-advanced risk to global supply chains. Unfortunately, many supply chain managers continue to react to these threats in 20th-century ways.
“Managing Cyber Risks in Global Supply Chains: The Four Fundamentals,” the latest white paper from the Global Supply Chain Institute (GSCI) in the Haslam College of Business at the University of Tennessee, Knoxville, is designed to help supply chain managers bring their supply chain cybersecurity into the 21st century. The paper focuses on best practices to reduce cyber risk across the end-to-end, integrated supply chain. Global Supply Chain Fellow Mike Burnette, editor of the paper, is confident its findings will boost supply chain and business leaders’ cybersecurity measures.
“Most cyber security papers focus on individual responsibility like protecting business assets through robust management of information,” he said. “The four fundamentals paper focuses on the critical work necessary to deliver the highest total value in the supply system.”
Based on interviews with cyber experts from more than 30 organizations, the paper outlines four essentials for securing the supply chain:
- Understanding the nature of cyber risks in the supply chain
- Developing a strategy and culture for managing cyber risks
- Integrating with key partners to manage cyber risks in the supply chain
- Deciding where (and how much) to invest in protecting the supply chain
Co-author Dan Pellathy, an assistant professor of management at Grand Valley State University, says that these fundamentals interlock with one another – if a company is lacking in one of the fundamentals, the supply chain will be vulnerable to cyber-attacks. That’s why best-in-class supply chain companies approach cybersecurity in a holistic manner, considering the entire organization and its partners when developing strategies.
“One key finding from our research was that too many supply chain leaders don’t think critically about cyber risks,” Pellathy said. “They assume that if his or her PC is working, no cyber risk exists. Further, they think cybersecurity is IT’s responsibility. Cybersecurity is everyone’s responsibility. Leading companies recognize this and make cyber security a top priority for all parties.”
Ayman Omar, associate professor of information technology and analytics at American University and co-author of the paper, offers a telling example of how cybersecurity is interconnected throughout the supply chain.
“Third parties working in the supply chain cause more than 60 percent of its cybersecurity concerns,” he said. “Your supply chain is only as secure as its weakest link. That is why supply chain cybersecurity cannot be assumed by just one department or organization.”
In addition to articulating cybersecurity’s four fundamentals and showing how each builds upon the other, the paper offers numerous examples of both cyber weaknesses and sound cybersecurity strategies, with strategic ideas, an extensive list of cybersecurity best practices, a seven-step checklist to achieve cybersecurity, a case study, and a guide to critical system risk management.
“As the leading provider of information technology solutions to the United States government and with a supply base of more than 10,000 providers, Leidos has a deep appreciation and commitment to ensuring the integrity of the supply chain associated with the defense and citizen critical missions we support,” Bob Gemmill, Leidos’s vice president of strategic sourcing said. “The Haslam College of Business is globally recognized as a top supply chain research school, and that is why we were eager to collaborate and sponsor their research on supply chain cyber security.”
The third white paper in the Global Supply Chain Institute’s “Supply Chain Technology” series, “Managing Cyber Risks in Global Supply Chains: The Four Fundamentals” is sponsored by Leidos. Burnette and Haslam professor Ted Stank served as contributing editors.
Michelle Painter (email@example.com)
Scott McNutt (865-974-3589, firstname.lastname@example.org)