Supply Chain Cybersecurity Rule One: Take a Hard Look at Your Suppliers

SK Jeong, a University of Tennessee professor and digital supply chain researcher, says building a cybersecurity fortress is not enough. He says that companies remain vulnerable to cyber attacks through their suppliers regardless of their own defense level. Supply chain cybersecurity “must be integrated into the supplier selection process.”

As Jeong sees it, the COVID-19 epidemic spurred a rapid development of business digitization and connectivity, a process that had already begun. The result was increased productivity, but at a cost: more cyberattacks through the supply chain.

Organizations ignoring the problem or thinking the possibility of addressing it was remote were jolted into awareness with the SolarWinds incident in 2020. Thousands of companies were affected when SolarWinds unintentionally delivered malware through an update of one of its software products.

Integrating supply chain cybersecurity into the supplier selection process could result in some difficult choices. Suppliers that were good business partners because of their speed and cost-efficiency may be deficient in cybersecurity, and some smaller companies may lose out. 

Jeong also recommends that supply chain managers adopt specific “frameworks” developed by government agencies and industry groups. Examples are the so-called “software bill of materials,” discussed in a release from the Cybersecurity and Infrastructure Security Agency linked to Jeong’s article and a Cybersecurity Supply Chain Risk Management Framework from the National Institute of Standards and Technology.

Jeong writes that supply managers must take a lead role in cybersecurity, “orchestrating their supply chains in the same way they do when facing other key business issues.”