SMEs are the Weakest Link in Supply Chain Cyber Security
Monday, 30 September 2019
Posted by: SAPICS
Small to medium enterprises are at greatest risk from cyber security threats, and their vulnerability in turn poses a danger to the major corporations that they do business with.
This is the contention of Steven A. Melnyk, Professor of Supply Chain Management at Michigan State University in the United States, who recently shared his insights with South African supply chain professionals at the inaugural SAPICS Spring Conference. This event was hosted by SAPICS, The Professional Body for Supply Chain Management.
“Blockchain is vastly overrated; supply chain cyber security is under rated; and we are not spending enough time on small to medium enterprises. We need to grow them; but they are a challenge in terms of cyber security,” he stated.
“The problem with small to medium sized enterprises is that they are in the unique position of having disproportionate access to important information. They are often mission critical suppliers that produce niche products. They are protected by governmental regulations and requirements. However, they generally have the weakest cybersecurity arrangements in terms of size, resources and expertise. They open up large clients to leapfrog cyber security attacks.”
Melnyk cited the example of a well-respected American chemical company that was hacked through its supply chain. The hackers obtained information about customers and orders, including quotes. They saw details of items that the company – which was renowned for innovation – was getting ready to patent, he revealed. “The hackers altered the master production schedule; they changed due dates, order quantities and order quality levels. Deliveries were compromised. A new supplier then entered the market, with the precise items that the customers wanted, at prices under the current variable costs. This supplier also patented the firm’s innovations.”
General Electric suffered a cyber security breach in which hackers got the business’s target prices, while Macey’s and the Bank of America have also been targeted. “Every significant breach has occurred through the supply chain,” Melnyk told SAPICS Spring Conference delegates. He said that 69% of firms have experienced an attempted cybersecurity breach or incurred a significant loss of data as a result of one. “Companies spend an estimated USD84 billion USD to defend against breaches that cost them about USD2 trillion. The average cost of a cyber breach is USD7.9 million and the average time to contain a breach is 276 days.”
The growth of the digital economy and digital supply chain is contributing to the growing cyber security threat, with four billion people predicted to be connected to the Internet daily in 2020.
Melnyk said that companies must consider the threat of collateral damage when assessing their cyber security risk. “In June 2017, Russia launched the ‘NotPetya’ attack against Ukraine. Its targets were banks, energy providers, governments, airports and hospitals, and its goal was to wipe data from computers. Companies including Merck, FedEx, Maersk and Mondelez suffered significant collateral damage,” he revealed. The attack cost pharmaceutical company Merck USD870 million, incurred as a result of collateral damage through its connection to hospitals. Melnyk says that Maersk was reportedly so ill prepared for the threat that the firm’s IT people were running down corridors telling employees not to turn on their computers.
He urged supply chain professionals to consider cyber security prevention, detection and recovery measures, and to understand how contamination might occur. “It is time to act now. Cyber security is not an IT issue, it is a supply chain issue. Cyber attacks are on the rise.”
Melnyk said that the current global cost of ransomware damages is more than USD5 billion, and by 2021, it will exceed USD6 trillion. “Blockchain offers some protection, but it is not enough. If you want to develop a competitive edge in South Africa, offer your customers secure supply chains,” he concluded.