Supply chain cybersecurity is critical—especially during COVID-19

By: Andréa Nadeau, Harry Sharma

Our lives have been altered in more ways than we can describe. Thankfully, one aspect that hasn’t changed is our ability to access necessities. Even as self-isolation and physical distancing become part of our everyday vocabulary and behaviour, Canadians are still able to buy groceries, fill prescriptions, and use technologies to connect and stay productive.

This privilege has been made possible by global supply chains remaining intact. Information and communication technologies’ supply chains are well-known for their global footprints. For example, Apple designs its iPhones primarily in the U.S., but they are manufactured mainly in China, using suppliers from Korea, India, and many other countries.

Typically, when a supply chain reaches a certain size, it acquires multiple tiers of suppliers. This stems from requirements around scalability, cost efficiencies, and timeliness. Suppliers who deal directly with the vendor are referred to as Tier 1. A company that sells to a Tier 1 supplier is referred to as Tier 2, and Tier 2 companies generally have suppliers of their own. The problem is, large enterprises often lose a direct line of sight on their supply chain’s security and operations beyond Tier 2 suppliers.

Many multinational companies require their Tier 1 and 2 suppliers to adopt digital technologies for quality and production tracking purposes. These two tiers are linked directly to ensuring end-customer satisfaction, and are therefore of utmost importance. In some cases, regulatory requirements have also expedited technology adoption along supply chains.

New technologies bring considerable advantages to firms that use supply chains. At the same time, they can make supply chains vulnerable to malicious actors who are looking to either benefit financially or deliver harm to an adversary. Malicious actors can be state-sponsored agents, organized criminals, or a “lone wolf.”

With many organizations focused on enabling remote workers and optimizing e-commerce platforms at present, lags can develop in the proper maintenance and upgrading of core systems. Unfortunately, malicious actors can exploit this type of situation. We have already seen it happen in the past few weeks.

During the COVID-19 pandemic, supply chains involving the healthcare system, law enforcement, and the financial system are particularly critical. They must be protected, and have built-in resilience against cyber attacks. After all, a supply chain is only as strong as its weakest link—and that link could be a Tier 2 supplier based outside of Canada that lacks the technical know-how to protect its digital systems.

Many Tier 2 and 3 suppliers are smaller businesses that may have limited resources to protect themselves from cyber attacks. In the U.S., nearly one in five small companies experienced a cyber attack or data breach in the last two years. Nearly a quarter of them filed for bankruptcy, and 10 per cent went out of business permanently. A failure of this kind at a single supplier could damage our critical supply chains.

To address these challenges, The Conference Board of Canada is proposing the development of a Canadian framework that identifies the minimum levels of organizational capability—whether managerial, operational, or technical—that should accompany a firm’s level of digital transformation. For example, if a firm is part of a critical supply chain, it could access a guide on developing the internal capabilities needed to manage the heightened complexity of digitizing its internal and external processes.

To further strengthen our critical supply chains, organizations at the top must map out their supply chain for business continuity scenarios in the event of a threat. They must also adopt a standard set of rules that apply to all firms along their supply chain—including regular, enforceable digital security and audit rules to prevent lapses in downstream suppliers. And all firms must also adhere to a standard set of definitions for security protocols.

Lastly, we must continuously evolve our cyber and privacy breach reporting practices, policies, and controls. We must continue to upgrade protections for organizations and destigmatize the sharing of information on cyber incidents. This will encourage early reporting of cyber incidents, which in turn protects the broader ecosystem from further damage.

Our supply chains are vital. We must pay more attention to the cybersecurity protocols protecting them. Businesses, regulators, and governments need to work together to build practical measures against the next pandemic or malicious mass cyber attack. Canadian lives depend on it.