Finished products reach clients through a long process that runs from raw materials to distribution, creating a network. This web of interconnected activities is known as supply chain management, consisting of the arrangement, planning, realization, and control of products’ flow until they reach the final customer (Lamba et al., 2017). It helps in the sourcing of raw materials and in the production and distribution of items. As a result, supply chain management focuses on transportation, location, production, warehouse inventory, information, and supplies. Understanding each of these areas improves service delivery, optimizes the product development cycle, and reduces operating costs.
One of the current trends in supply chain management is using the Internet and information systems to boost efficiency. Technologies in the supply chain enable the companies to manage and control different networks. According to Lamba et al. (2017), organizations begin with email and workflow automation before merging and synchronizing the entire supply network. Consequently, the flow of products is regulated using real-time data obtained from demand and supply networks. There are many benefits, such as increased efficiency and responsiveness derived from information systems in managing the supply chain (Gunasekaran et al., 2017). Technology improves the competitive advantage, and it has led to considerable investments in integrating the Internet with the supply chain.
The use of technology in the supply chain introduced new forms of risks to the production and distribution of products. The Internet enables companies to collaborate with multiple diverse partners worldwide, adding other layers of vulnerabilities and complexities. Many of the challenges experienced in supply chain management emanate from difficulties in third parties’ auditing, software errors, lack of security controls, and other security threats (Pandey et al., 2020). Digitization of the supply chain exposed the systems to cybersecurity risks addressed in this paper.
Supply Chain Risks
The use of technology in the supply chain has increased cyber risks, particularly because of the growth of third-party vendors in a distribution network. According to Burrell et al. (2020), more than 60% of the reported cybersecurity breaches in the supply chain occurred through an attack on third-party vendors or suppliers. A compromised system can be used to attack other systems in the same chain, which is how attackers gain access to large supply networks. For instance, investigations on major attacks such as Home Depot, Target, Costco, and Fiat Chrysler revealed that their systems were breached through service providers and third-party suppliers (Burrell et al., 2020). In such cases, the hackers install malware, computer viruses, or ransomware on the targeted organization’s hardware and software, which are then used to access data on purchases, shipping details, and customers’ information.
Humans also play a crucial role in the control and management of information systems in the supply chain. Therefore, their actions or inactions expose certain vulnerabilities, which contribute to supply chain risks. Inaccurate evaluations, poor decisions, and misjudgments affect the operations of supply chain systems, increasing the security risks (Birkel & Hartmann, 2020). Distribution networks are complex and require employees who understand the internal pathways to make accurate decisions. Additionally, Burrell et al. (2020) indicated that data breaches are high because of human behaviors, actions, personal motivation, and organizational culture. For instance, providing employees access to critical and confidential data is a form of information security threat because they might use such details to their advantage. Unethical human actions promote cybersecurity risks within supply chain management.
The other cyber risk in the supply chain exists because of the reliance on web and proxy servers to execute some functionalities. Internet hackers scan these proxy servers to identify existing weaknesses that they might use to penetrate protected systems. Lamba et al. (2017) listed some threats such as potentially unwanted applications (for example, browser extensions), Trojans and vulnerabilities, fraudulent advertising and web spam, clickjacking, and redirections. Spyware is installed in a computer, compromising its security. Such devices are used to steal business information concerning distribution routes and warehouse addresses, where malicious individuals might attack physically. Additionally, Lamba et al. (2017) noted that web cloud services adopted by supply chain companies are an easy target for hackers. Therefore, adopting web technologies in distribution networks adds Internet-based vulnerabilities and risks to the supply chain.
Hardware components of the technologies implemented in supply chain management are also exposed to certain risks. Devices such as switches, routers, computers, printers, and servers have a physical presence. This means there are certain environmental threats, such as natural disasters and fires, which disrupt the smooth operations of the supply chain networks (Ghadge et al., 2019). Additionally, people might intentionally or unintentionally damage or steal physical infrastructure components that facilitate efficient operations of distribution systems. Failure to regularly update devices such as firewalls and network infrastructure might lead to security risks and breakdown. A hacker can easily attack a compromised physical system, thereby gaining unauthorized access to sensitive data about network layout and customers’ information.
There are other direct cyber-attacks on supply chain systems affecting hardware and software components. One is password sniffing and cracked applications, which allow hackers to gain access to companies’ confidential information and systems or to conduct other malicious activities (Pandey et al., 2020). Spoofing is another form of security risk, where the attacker masks the original source of a message or fake website. In such a case, authorized users might unknowingly communicate with an attacker, divulging an organization’s details. The hackers could also gain access to multiple devices in a supply chain network and overload them with unnecessary requests, leading to denial-of-service (DoS) attacks (Pandey et al., 2020). DoS causes the unavailability of critical services, including the collapse of an entire distribution network.
The movement of products through supply chain networks involves multiple processes and thousands of people before the goods reach the consumer. In such cases, goods might be contaminated at any point, and it becomes a challenge for a company to tell the source. However, doing due diligence is considered the first step in protecting the targeted clients. According to Van Den Brink et al. (2019), due diligence is defined as an on-going, reactive and pro-active process used by companies to assure compliance with human rights and avoid conflicts. Organizations use due diligence to ensure responsible sourcing of resources, production, and prevention of illegal products. Suppliers and third-party vendors are investigated prior to engaging in a contract to minimize supply chain risks.
There are social and human factors to consider when companies operate expansive supply chain networks. One of the recent business aspects includes outsourcing labor to developing countries and distributing the products to developed nations (Hofmann et al., 2018). This habit has dispersed societal problems and human rights violations, which occur when institutions fail to monitor their supply chains. For instance, Foxconn, one of the Apple suppliers, was found in violation of labor rights laws (Hofmann et al., 2018). Other social conflicts emerge based on the location where minerals are accessed. Hofmann et al. (2018) listed some conflict minerals such as tungsten, gold, tantalum, and tin, which cause human conflicts in the Democratic Republic of Congo. Further, security risks emanating from third-party attacks affect large retailers, as was the case with Target and Home Depot (Norman et al., 2020). Such risks occur because the organizations involved failed to conduct due diligence. Therefore, all stakeholders involved in the supply chain network should consider asking the following questions. How do you protect your information systems against unethical employees? How often do you train the employees on safeguarding systems against cyber-attacks? What measures have you taken to protect consumers against counterfeit products?
The political aspect of supply chain management considers various regulatory frameworks and policies created to protect companies and consumers. Firms are required to track and manage sources of conflicts within their supply chains. For instance, the EUTR (European Timber Regulation) indicates that EU firms should do due diligence in ensuring imported timber is not sourced illegally (Düdder & Ross, 2017). In this scenario, digital tracking technology is suggested to ensure computational performance, privacy, and security are adhered to throughout the supply chain. Additionally, countries have undertaken specific measures to safeguard supply chains. In Poland, entities are governed by the General Data Protection Regulation and National Cybersecurity System that direct companies to use a risk-based approach (Smit et al., 2020). It is up to the organizations to conduct systematic incident risk analysis and apply appropriate measures; if they fail to do so, they are legally liable for security breaches.
Understanding the global nature of supply chain management also helps in enhancing due diligence. All companies, vendors, and suppliers involved should focus on implementing security strategies aimed at eliminating vulnerabilities. From the political and economic perspective, organizations should ask the following questions. What cybersecurity policies have you implemented? How regularly are systems updated? Which risk detection and prevention strategies are you using? Do you comply with regulatory policies? What risk mitigation techniques assure data privacy and systems protection?
Security begins with the identification of risks and vulnerabilities within different phases of the supply chain network. Humans were identified as a weak link to the cyber safety of distribution channels. The employees might be careless with their passwords or undertake activities that expose infrastructure to external cyber-attacks. Therefore, in this case, best practice includes teaching all the workers the importance of adhering to security policies in the company. Staff members should focus on being proactive by engaging with cyber applications to learn how to react should an attack occur (Ghadge et al., 2019). Such activities could help in assuring the safety of personal data and supply chain systems against internal attackers.
As noted earlier, suppliers, companies, and vendors from different places create a worldwide supply chain network. Consequently, there needs to be inter-organizational coordination in enhancing security throughout the distribution channel. Ghadge et al. (2019) noted that the lack of set standards and guidelines makes it difficult to create robust cyber defenses. As a result, researchers indicate there is a need to create a transparent culture where organizations are honest on measures taken to ensure safety within the supply chain. Additionally, companies should come together to develop sophisticated protection techniques that protect network infrastructures and computing devices across the board.
Studies also noted that vulnerabilities that exist within the supply network expose companies to cyber-attacks. One remedy suggested by Sobb et al. (2020) includes implementing risk analysis frameworks, whose purpose is to assess and mitigate risks across end-to-end processes. The analytical strategies should consider all potential threats and classify risks as excessive or moderate, and suggest what actions to take in each instance. In doing so, a company can help devise new paradigms to handle cyber risks as they occur or minimize the impacts of cyber breaches. Risk mitigation strategies require collaboration and training employees to understand and respond to security threats and vulnerabilities.
In-house collaboration between workers of all levels and departments can also enhance supply chain security. According to Boyens et al. (2020), organizations should establish supply chain risk councils made of executives, information technology, legal, operation, and other critical leaders to review and develop risk mitigation plans proactively. The council is created to ensure that the organization is at the forefront in setting security priorities and discussing best practices relevant to maintaining the safety of supply networks. The benefit of such a group is ensuring companies have a strong decision-making process, which would help in dealing with emerging security issues. The board could also be important in devising clear governance and standard-based policies to guide internal employees and external players such as third-party vendors and suppliers (Boyens et al., 2020). For instance, the committee should define roles for each stakeholder involved in the supply chain in ensuring cybersecurity at all levels. Suppliers who strictly adhere to security protocols should be given priority, while those who fail to meet the guidelines are dropped. Finally, the board can identify an alternative source of key components to ensure an uninterrupted business flow.
Another best practice is governmental involvement by creating necessary measures to protect organizations and consumers. The government is equipped with sophisticated intelligence mechanisms and agencies that can help ensure the safety of supply chains. According to Ghadge et al. (2019), over 50 countries have created national cybersecurity strategies intended to help companies identify and protect against supply network risks. An example is the EU Cybersecurity Strategy, which proposes integrating protection mechanisms in every element of the supply chain to bolster collective resilience against cyber threats. Regional and local government involvement creates an operational capacity to identify, prevent, and respond against cyber-attacks.
Summary and Conclusion
The supply chain involves many global stakeholders, making it difficult to deal with arising risks. The introduction of technology in supply chain networks further led to more security risks for companies to solve. As noted in the paper, a threat in one sector of the supply network affects the whole distribution channel. An example is how Target’s and Apple’s supply networks were compromised because of vulnerabilities in third parties. Supply chain risks include the violation of social and human rights, which means that it is a problem that needs to be addressed globally.
Some of the suggested best practices include inter-organizational coordination, cybersecurity policies, risk analysis, training of the employees, and governmental involvement. Each of the above practices helps in identification, prevention, and increased responsiveness against cyber threats. In conclusion, the paper recommends the formation of a cybersecurity supply chain council whose aims include creating cyber policies and advising companies on the appropriate measures to protect against hackers.
Birkel, H. S., & Hartmann, E. (2020). Internet of Things–the future of managing supply chain risks. Supply Chain Management, 25(5), 535−548. Web.
Boyens, J., Paulsen, C., Bartol, N., Winkler, K., & Gimbi, J. (2020). Key practices in cyber supply chain risk management: Observations from industry. National Institute of Standards and Technology. Web.
Burrell, D. N., Bhargava, N., Harmon, M., Wright, J., Springs, D., & Dawson, M. (2020). Supply chain and logistics management and an open door policy concerning cyber security introduction. International Journal of Management, 9(1), 1−10. Web.
Düdder, B., & Ross, O. (2017). Timber tracking: Reducing complexity of due diligence by using blockchain technology. Web.
Ghadge, A., Weiß, M., Caldwell, N. D., & Wilding, R. (2019). Managing cyber risk in supply chains: A review and research agenda. Supply Chain Management, 25(2), 223−240. Web.
Gunasekaran, A., Subramanian, N., & Papadopoulos, T. (2017). Information technology for competitive advantage within logistics and supply chains: A review. Transportation Research Part E: Logistics and Transportation Review, 99, 14−33. Web.
Hofmann, H., Schleper, M. C., & Blome, C. (2018). Conflict minerals and supply chain due diligence: An exploratory study of multi-tier supply chains. Journal of Business Ethics, 147(1), 115−141. Web.
Lamba, A., Singh, S., Balvinder, S., Dutta, N., & Rela, S. (2017). Analyzing and fixing cyber security threats for supply chain management. International Journal for Technological Research in Engineering, 4(5), 5678−5681. Web.
Pandey, S., Singh, R. K., Gunasekaran, A., & Kaushik, A. (2020). Cyber security risks in globalized supply chains: Conceptual framework. Journal of Global Operations and Strategic Sourcing, 13(1), 103−128. Web.
Smit, L., Bright, C., McCorquodale, R., Bauer, M., Deringer, H., Baeza-Breinbauer, D., Torres-Cortés, F., Alleweldt, F., Kara, S., Salinier, C., & Heasman, L. (2020). Study on due diligence requirements through the supply chain. European Commission. Web.
Sobb, T., Turnbull, B., & Moustafa, N. (2020). Supply chain 4.0: A survey of cyber security challenges, solutions and future directions. Electronics, 9(11), 1−31. Web.
Van Den Brink, S., Kleijn, R., Tukker, A., & Huisman, J. (2019). Approaches to responsible sourcing in mineral supply chains. Resources, Conservation and Recycling, 145, 389−398. Web.