ICAEW.com works better with JavaScript enabled.

How to assess the risks within your supply chains

Author: ICAEW Insights

Published: 11 Oct 2022

Advances in digitisation are great for businesses, but they’re also helping organisations to review their supply chains and identify the potential risks from cyber attacks.

As more organisations go digital, the surface area for cyber attacks on global supply chains increases. Supply chain digitisation has been around for at least a decade, but its acceleration as a result of COVID-19 has also turbocharged supply chain cyber risks. 

The benefits of supply chain digitisation are clear for organisations. It can enhance the speed, visibility and flexibility of their intertwined supply chains. But this interconnectedness also offers modern-day criminals prime opportunities to attack and disrupt. 

The number of known malware attacks rose 11% in the first half of this year to 2.8bn, according to the 2022 SonicWall Cyber Threat Report, marking the first rise in global malware volume in more than three years. This amounts to an average of 8,240 malware attempts per customer. 

Chiefly, the financial sector was actively targeted, but cybercrime affects all industries. Today, there are no safe industries or countries as a result of geopolitical forces accelerating the reshaping of global cyber frontlines. 

Sean Sutton, Partner, UK cyber business, PwC, says: “The focus now on the resilience of supply chains is heightened because of geopolitical issues. That’s raised the question for many organisations around how resilient their supply chain is.”

This year’s IBM Security X-Force Threat Intelligence Index also shows how in 2021 ransomware actors attempted to “fracture” the backbone of global supply chains with attacks on manufacturing, which became that year’s most attacked industry (23%), dethroning financial services and insurance after a long reign.

Nowadays, supply chains are global and complex, interconnecting many organisations, suppliers and jurisdictions. Therefore, effectively protecting a supply chain can be difficult because vulnerabilities are often inherent, or introduced and exploited at any point. 

Sutton says there are a number of areas within a supply chain where a cyber incident could cause a problem, such as a direct attack on production facilities that would impact an organisation’s operational technology resulting in a plant shutdown. But external factors such as an attack on a supplier over which an organisation has little or no control can also substantially affect a company’s operations.

Some organisations are beginning to secure greater visibility over how external factors could disrupt their supply chains in a way that's more data driven, Sutton says. This allows business leaders to model certain scenarios and plan accordingly or accept the risks posed. But this ability is only at the fingertips of those highly digitised companies that have real-time data available to map out risk scenarios.

“Over the last few years organisations have been putting in systems that can provide that level of data and visibility, but it's probably not the norm. There's a way to go for organisations to digitise more of their supply chain and in doing so get better at pulling the data out of their supply chains to model scenarios,” Sutton says.

According to the 2016 Security Breaches Survey, very few UK businesses set minimum security standards for their suppliers. Things are progressing, however. The National Cyber Strategy 2022 found that in the past 12 months just over half of businesses (54%) are identifying cyber security risks and implementing a range of actions, where security monitoring tools (35%) were the most common. 

Qualitative interviews, however, found that limited board understanding meant the risk was often passed on to outsourced cyber providers, insurance companies or an internal cyber colleague.

The research also found that most businesses outsource their IT and cyber security to an external supplier, ostensibly because they want greater expertise and resources for cyber security. But only 13% of businesses assessed the risks posed by their immediate suppliers, with organisations saying that cyber security was not an important factor in the procurement process.

Esther Mallowah, Head of Tech Policy, ICAEW, says: “It is interesting to note that the 2022 cyber breaches survey highlighted that of the 10 key components in the government guidance on protecting an organisation, supply chain security surveyed the least favourably. This could reflect an inclination among businesses to leave responsibility for the cyber security of vendor-supplied products and services to suppliers. Businesses need to recognise and act on their roles and responsibilities for assessing and verifying the cyber security arrangements of their suppliers, and in working with them to effectively secure the supply chain.”

As part of the government’s National Cyber Strategy 2022, it is promoting approaches that build security into new technologies, making them “secure by design”. This will require greater investment from organisations, but also tighter regulation and legislation on behalf of the government to encourage more diverse, secure and resilient technology supply chains. 

In short, effective cyber security will depend on an active partnership between government, security agencies such as the enhanced National Cyber Security Centre (NSCS) and the private sector.

The NSCS suggests organisations approach supply chain cyber risk in a 12-step plan broken down into four key stages. They are: understand the risks; establish control; check your arrangements and continuously improve

Mallowah says: “One of the first things businesses need to do to secure their supply chain is to understand its composition and the risks associated with each supplier. This can be challenging as suppliers involved in the development and delivery of products and services may not always be visible to end customers. Supply chains can be complex and diverse, and customers may not know which parties are involved (including whether sub-contractors are used), or their level of cyber security. 

“When thinking about suppliers that can impact cyber security, consideration should not be limited to those that provide technology products and services, but it should include, for example, those to whom business processes are outsourced and who have access to organisational or client systems and data.”

It’s unlikely the world will ever eliminate cyber risk in supply chains. But understanding the threats, knowing what remedial action can be taken and continuously monitoring risk appetite and profile will ensure companies minimise the ever-prevalent threat. Government efforts to disrupt the cyber criminals will also need to be dramatically increased, however, to tackle the evolving threat.

Cybercrime Awareness Month 2022

ICAEW marks the global Cyber Security Awareness month with a series of webinars, videos, podcast, a panel discussion and other resources addressing cybercrime and how to protect your business. We will focus on the latest trend as well as supply chain risks and concerns.

Payment online

Recommended content

ICAEW Community
Manufacturing polaroid
Manufacturing

Connect to finance professionals in manufacturing to network and share insight and technical expertise via ICAEW’s Manufacturing Community.

Find out more
ICAEW Community
Woman making online purchase
Retail

Curated content for finance professionals in all retail-related sectors.

Find out more
Insights Special
A container ship at sea
Trade: clean growth and tech

Clean growth and the application of major emerging technologies to existing sectors are two key characteristics of trade in 2022. Add to these levelling up supported by foreign direct investment, and there are exciting future prospects for business and the prosperity of communities globally.

Find out more
Open AddCPD icon

Add Verified CPD Activity

Introducing AddCPD, a new way to record your CPD activities!

Log in to start using the AddCPD tool. Available only to ICAEW members.

Add this page to your CPD activity

Step 1 of 3
Download recorded
Download not recorded

Please download the related document if you wish to add this activity to your record

What time are you claiming for this activity?
Mandatory fields

Add this page to your CPD activity

Step 2 of 3
Mandatory field

Add activity to my record

Step 3 of 3
Mandatory field

Activity added

An error has occurred
Please try again

If the problem persists please contact our helpline on +44 (0)1908 248 250