Are we burying our heads in the sand?

Cyber perils are the biggest concerns for companies around the world, but are businesses doing enough to protect their supply chains from these threats? This doesn’t seem to be the case…  

Supply chain disruptions were rife over the past two years, yet these didn’t top the Allianz Risk Barometer – an annual survey from Allianz Global Corporate and Speciality (AGCS). The survey incorporates the views of 2 650 experts across 89 countries and territories, including CEOs, risk managers, brokers, and insurance experts.

Globally, cyber incidents top the Allianz Risk Barometer for only the second time in the survey’s history (44% of responses), while business interruption (BI) drops to a close second (42%), and natural catastrophes rank third (25%), up from sixth in 2021. Climate change climbs to its highest-ever ranking of sixth (17%, up from ninth), while pandemic outbreak drops to fourth (22%).

Although BI ranks as the second most concerning risk globally (including in South Africa), it ranks first in Ghana, Kenya, Morocco, and Namibia. In a year marked by widespread disruption, the extent of vulnerabilities in modern supply chains and production networks is more obvious than ever.

Pandemic-related delays compounded other supply chain issues, such as the Suez Canal blockage and the global shortage of semiconductors after plant closures in Taiwan, Japan, and Texas due to weather events and fires.

“The pandemic has exposed the extent of interconnectivity in modern supply chains and how multiple unrelated events can come together to create widespread disruption. For the first time, the resilience of supply chains has been tested to breaking point on a global scale,” says Philip Beblo, global property industry lead at AGCS.

Despite these threats, another report – from global cybersecurity and digital privacy company Kaspersky* – found that both enterprises and SMEs are showing a worrying level of complacency when it comes to protecting the resilience of their supply chains. During November and December 2021, 240 c-suite, middle, and senior managers across both SMEs and enterprises were surveyed. All of these managers were also sole or joint decision makers for cybersecurity, IT, and information security. In the UK, 150 interviews were conducted (100 in SMEs and 50 in enterprises), while 90 interviews were conducted across Belgium, the Netherlands, and Luxembourg (75 in SMEs and 15 in enterprises).

Even though almost three-quarters (72%) of these companies state that cybersecurity threats are their number one concern, only 33% have the necessary internal resources and knowledge to respond to a cybersecurity incident. On top of this, just 35% are certain they have taken every possible step to mitigate third-party risks in their organisation. The findings reveal that companies deprioritising cybersecurity are doing so in favour of other real-time challenges, such as the truck driver shortages and other logistical issues caused by the pandemic.

“At TT Club we are constantly assessing the risk profile of the global supply chain and alerting the industry to our concerns, hence our support of this unique report,” says Mike Yarwood, TT Club managing director of loss prevention. “One should not underestimate cybercriminals. They are agile, focused, and highly sophisticated, presenting a significant threat to businesses in the global supply chain. As we emerge from the Covid-19 pandemic, TT would encourage a re-evaluation of cyber-risk policies and urge operators to satisfy themselves that sufficient resources are allocated to addressing this threat. Resilience in the face of cyber-risk is critical.” 

A supply chain attack targets an organisation by infiltrating or attacking a business from its chain of suppliers. If even one of these entities has low cybersecurity threat protection – or is avoiding some specific cybersecurity hygiene protocols – it could become the entry point into a much wider network of suppliers. The risk can vary greatly and adds to a company’s threat surface complexity.

A vulnerability in one organisation can significantly impact somewhere else in the supply chain, whether via compromised personal identity or payment credentials. If a supply chain’s weak link is exploited, a business can be brought to its knees, yet Kaspersky’s report reveals that just 20% of businesses have a third-party risk management solution in place and only 18% have cyber/business resilience insurance.

“The pandemic, Brexit, and supply chain crises have complicated the cyberthreat landscape, making it crucial that organisations take steps to defend against evolving threats under new circumstances. Cyberattacks and data breaches can be highly injurious to any business in terms of damage to reputation, costs of remediation, lost business, and other expenses,” says David Emm, principal security researcher at Kaspersky. “Companies must ensure they only share data with reliable third parties and extend their existing security requirements to suppliers. We urge businesses large and small to scrutinise their suppliers’ credentials as part of the standard due diligence and contracting process, or risk sleepwalking into a cybersecurity disaster.”

With cyber incidents having been identified as the major risk that they are, no company can afford to bury its head in the sand in this day and age. It is pointless to only identify risks – steps must then be taken to prepare for and prevent these risks, and remedy them if and when they occur.

* The Kaspersky report, entitled Supply Chain Cybersecurity – Potential Threats and Rising to the Challenge – was produced in association with TT Club, an established market-leading provider of mutual insurance and related risk management services to the international transport and logistics industry.