Chief supply chain officers: Do you know where your weakest link is?

Manish Chandra, Kevin Richards, and Kris Timmermans

As businesses digitalize, cyber attackers are lurking in the shadows of the supply chain, attacking weaker links to get to their ultimate goal.

In today’s ecosystem-based business world, as partners become the global glue that helps companies create not just products, but customer platforms, cyber attackers gain advantage. Every digital door opened provides them an entry point. The more customized the product or solution, the more customer-specific information hackers stand to gain for identity theft and other purposes. With 85 percent of organizations reporting they have already adopted supply chain digital capabilities or will do so in the next year,[1] risk is high.

With a single breach, attackers can potentially access not just one company’s sensitive information, but multiple companies’ data and more. At worst, they can disrupt service with cyber vandalism, costing companies exponentially in dollars and reputation damage. Ransom schemes, in which systems are held hostage until payment is made to the attackers, are becoming all too commonplace. And cyber criminals are fast targeting the weakest links, generally small to mid-sized suppliers with system exposures. Doing so allows them to infiltrate the behemoths who are generally the real target.

Adding a layer of complexity, supply chain operations now encompass more than just plants, warehouses and trucks. The digital links between companies and their HVAC vendor, data aggregator—you name it—now connect the entire ecosystem in a cyber risk chain. More than 60% of cyberattacks originate from entities that are part of the extended supply chain, or by external parties exploiting security vulnerabilities within the supply chain.[2]

In the cyber realm, your company is just as vulnerable as the weakest link in your chain. Suppliers’ vulnerabilities become your firm’s risk.
No industry is above the fray, as recent well-publicized breaches in a host of fields, from utilities and medical, to retail and communication, have shown us.

A cyber breach: Not “if” but “when”

In 2015, a major U.S. government office revealed a breach of 22 million records, including sensitive data tied to numerous federal employees, contractors and military personnel. The attack seems to have originated with stolen credentials from a background-check provider.

A large drugstore chain and warehouse club notified customers that hackers had exposed data potentially spanning customer names, phone numbers, email addresses, user names, passwords and in some cases, credit card information. The leak was not the result of any weakness in the retailers’ systems, but rather a weakness in a partner’s online digital system. Customer outrage remained the same; it did not discriminate between the brands and their supplier.

A German steel mill was the victim of a phishing cyberattack. Criminals used an email that appears to be from an individual or business known to the recipient, but is actually from hackers who want financial, personal or login information. The opening of the links in the email provided hackers with login information that granted them access to the plant’s network and control systems, resulting in failure of parts of the plant and the inability to properly shut down a blast furnace, causing massive damage to the equipment.

The list continues to grow; you read the same headlines. A telling 70 percent of companies have experienced a cyberattack already.[3] We no longer speak in terms of complete fortification from cyber breaches; as hackers become more persistent and sophisticated, breaches will occur.
Instead, we counsel clients to formulate a plan that includes proper controls to detect and contain any breach rapidly.

Supply chain operations are fast becoming among the most externally networked operations in any company. If your supply chain and cybersecurity executives have not shared a conference table recently, now would be a good time to foster that meeting. A resilient supply chain starts with a strong cybersecurity strategy, one that includes an immediate course of action to stem any breach.

Whose back is that monkey on?

A good number of supply chain executives see cybersecurity as “IT’s problem.” It is not. Anything that can bring a business to its knees in a matter of seconds is unequivocally a business problem. One that IT will need to help solve, but one that should be driven by the high-level executives whose names will appear in every damaging article written after a breach. Cybersecurity within the supply chain should be a board-level concern.

In 50 percent of the companies Accenture surveyed, supply chain risk management and cyber security operations are still not fully aligned.[4] In only 11 percent of companies is the chief supply chain officer taking responsibility for cyber supply chain risk; this, despite our finding that the primary obstacle to effective cyber security is a lack of internal alignment among supply chain functions.[5]

Moving forward, the business, supply chain, IT and information security will have to be aligned for several reasons. First, cybersecurity comes to the fore in product development, manufacturing and supply chain as device-to-device communication takes hold, providing a multitude of potential breach points.
Software development provides a second area to monitor, as secure development life cycles will be essential to prevent the insertion of backdoors in software which attackers can use at a later date. Tampering and insertion of malware at the supplier’s end is also a real threat.

As real-time data reaches exponential proportions, protecting that data vault becomes not just a technology concern, but also a business imperative. Self-driving cars, uncaged collaborative robots and power grids are just a few examples of why cybersecurity is now a life or death matter.

Technology advances will continue to wreak havoc with supply chain security, even as they improve business operations. As the Internet of Things (IoT) and 3D printing become part of the everyday fabric of manufacturing and supply chain operations, cybersecurity issues take center stage. 3D printing of patented designs occurs through code and file sharing between devices. No longer can product designs be kept under actual lock and key; instead, they will exist in the virtual realm and have to be safeguarded there. As 3D printing allows for on-demand manufacturing in localized hubs, intellectual property in the form of these files will exist throughout a supply chain. Security must exist in all of those same places and every nook and cranny in between.

The new supply chain means securing physical and cyber assets throughout your ecosystem

Today’s supply chain has evolved beyond traditional manufacturing and distribution to include an array of ever expanding organizations–all digitally connected and all with cybersecurity exposures.
From external specialty manufacturers with access to your latest designs, to GPS data from your truck fleet, to a maintenance service provider with access to your vendor portal, your supply chain is vulnerable to attack by cyber criminals. Here are just a few questions to consider:

• Does your manufacturing partner have access to your formulas and designs?
• Who has access to your shipping manifests and delivery routes? Do you know the background of your truck drivers?
• Does your temporary staffing firm share accounts and passwords to your portal?
• Has anyone checked how well any of these companies are protecting your data?

The answers to these questions might frighten you – and these are just a few of the questions you should be asking yourself and your suppliers and vendors.

Assume you have a weak link

No company has an airtight cybersecurity plan for its supply chain. The landscape and technology have been moving too rapidly for teams to catch up. Assume you have a weak link. Is it your firm? A partner two nodes removed? In an ecosystem model, one breach can yield a wealth of opportunity for hackers. In 98 percent of companies, the supply chain is integrated with suppliers/vendors leveraging digital technologies.[6]

Even GPS systems can now be your weak link. One of cyber criminals’ latest tactics is hacking into a company’s GPS data to determine where trucks are headed. From break-ins while drivers are out of vehicle, to in-vehicle hijackings, old-fashioned theft now comes with a high-tech twist.

So, even if your team adequately fortifies your firm’s virtual walls, it is not enough. All ecosystem partners should be subject to a rigorous security audit, verifying their vigilance regularly. Otherwise, an entire ecosystem can be felled because of one company’s lack of due diligence.
Preparing for the “when”: Fortifying your ecosystem

Chief supply chain officers should take the following steps, at a minimum, to begin to build a strong cyber defense:

1. Identify the weak links in your supply chain. Understand your cyber risk profile across your entire value chain by performing a comprehensive supply chain cybersecurity assessment. This will help to identify the key cyber risks and weak links across the supply chain.

2. Establish a “business-driven” supply chain cyber security model that incorporates strategic governance. Develop a threat-centric operating model which leverages risk management principles. This will bring a focus on priority supply chain operations and maximize the effectiveness of your cyber security strategy. Chief supply chain officers need to take accountability for managing supply chain cyber risks in this business-driven model. Supply chain cyber risk management should also be made a part of an enterprise risk management strategy to establish board-level visibility.

3. Align supply chain risk management strategy with cyber security strategy. Organizations need to align supply chain risk management and cyber security internally as well as externally. Internally, measures should be in place to enhance cross-functional coordination, so that supply chain cyber security strategy and operations span all appropriate areas of the business. Externally, organizations should implement a robust cyber risk management strategy for the extended supply chain ecosystem. Focus on managing cyber security of your key supply chain partners through contractual arrangements and/or integration with your organization’s cyber security practices.

4. Operationalize a cyber-attack-resilient supply chain.
Operationalize your supply chain cyber security strategy and proactively respond to attacks by establishing mechanisms to:

• Detect: Utilize data-driven intelligent technologies that monitor operations to provide proactive, real-time alerts of potentially harmful cyber events.
• Respond: Formulate a robust response plan to facilitate a rapid chain of protective measures in case of a breach.
• Recover: Devise business continuity plans to ensure quick recovery of capabilities after a cyber breach.

While complete attack prevention may be out of realistic reach for most large organizations, bringing your ecosystem—your virtual supply chain—into lockstep with cybersecurity measures will go a long way toward keeping breaches small and your company from becoming a cautionary tale.

Contact the Authors

Manish Chandra, Mumbai, India
Kevin Richards, Chicago, USA
Kris Timmermans, Brussels, Belgium

Other Contributors

Sandeep Panchal, Mumbai, India
Sanjith Ss, Mumbai, India

Notes

1. Digital Operations survey, Accenture Strategy, 2015.
2. Supply Chain Cyber Security survey, Accenture Strategy, 2016.
3. Ibid.
4. Ibid.
5. Ibid.
6. Ibid.

Copyright © 2016 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture.

About Accenture

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations.
Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world’s largest delivery network—Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With approximately 373,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com.

About Accenture Strategy

Accenture Strategy operates at the intersection of business and technology. We bring together our capabilities in business, technology, operations and function strategy to help our clients envision and execute industry-specific strategies that support enterprise-wide transformation. Our focus on issues related to digital disruption, competitiveness, global operating models, talent and leadership helps drive both efficiencies and growth. For more information, follow @AccentureStrat or visit www.accenture.com/strategy.

This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this document and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.