Cybersecurity risk is one of those vulnerabilities that has been on the radar, but it has not been treated as the most critical threat for the logistics and supply chain sector. With the ever-growing importance of automated and digital tools, however, the industry has finally awoken to its importance. But does it still take a back seat? Who is responsible for the success of a cybersecurity program, and what happens when things do not go according to plan? We spoke to Alex Toews, Director of Product Management at Fusion Risk Management, about how the supply chain industry is rapidly embracing cybersecurity.
‘Everyone is responsible for cybersecurity, and there needs to be a communicated and built-in culture to protect organisations from cyberattacks,’ starts Alex. He admits that the topic has been difficult for many people to wrap their heads around, with some thinking that they do not have the subject matter expertise to understand all the potential risks. Cybersecurity should be approached like any risk that needs to be controlled and managed.
Organisations need to think about it the same way they look at operational or compliance risk: build protective mechanisms and continuously educate their workforce. Due to its nature, cybersecurity needs to be part of every functional area within a company, as all corners are equally exposed.
Understanding the risk
Cyber risks have many faces. ‘In 2023 cybersecurity can be plainly understood as the risks that your organisation is exposed to through the use of technology,’ Alex explains. Risks are constantly evolving and oftentimes we are not aware of those which are emerging. Alex is adamant that all organisations should see themselves as technology organisations. ‘By entering the digital domain, you should knowingly accept the fact that you are exposing yourself to cyber risk.’
Risks in the supply chain are nothing new and managers are typically well-versed in managing the known threats and vulnerabilities. The same should be true for known and controllable cyber risks. Companies use multiple tools to procure, operate, and deliver their goods and services.
These tools can be constantly exposed to malicious attacks in the digital world. Risks can also come from suppliers and third parties that operate outside an organisation’s four walls.
‘The way you approach cybersecurity will depend on the role you are playing in the management of your end-to-end supply chain,’ Alex continues. Procurement would be a critical function for protecting the organisation, as it is often the area that identifies, negotiates, and binds organisations to third parties.
Alex talks about some simple protective measures that need to be taken by individuals: things like not writing down your passwords, avoiding suspicious digital messages, and not sharing information with unknown entities.
While these measures sound quite obvious, they are often not taken seriously by employees who do not consider themselves a critical entryway for malicious actors. Organisations need to consistently train their employees and show them examples of phishing emails and other malicious content.
You should also put protocols in place to measure how well you are educating your employees and what the results are. There needs to be a clear expectation that cybersecurity is an essential part of everyone’s day-to-day responsibilities and an understanding of the potential consequences of failing to make it so.
Setting up training is not enough; you also need to enable direct action when education and knowledge sharing aren’t making an impact.
Once something happens, it is useful to have protocols in place that will help you measure the impact of the breach, swiftly stop the bleeding, and investigate root causes once the situation is contained. Organisations must make sure they have a well-developed cybersecurity program to ensure they understand the likelihood of cyber risks and are mitigating the impact in line with their risk appetite.