6 minute read 16 Sep 2021
Cybersecurity risk

How Irish CISOs can secure supply chains from growing cyber threats

By Alan Dickson

EY Ireland Consulting Partner; Procurement and Supply Chain

Head of Supply Chain in Ireland. Sports fanatic. Father of 3 children


Supply chain vulnerabilities have been exposed a lot more in the past year and a half. There is a need to reimagine supply chain strategies.

In brief
  •  Irish CISOs can build more cyber resilience in supply chains by enabling rapid access to contemporaneous supply chain data that helps them understand challenges.
  •  The stability of potential vendors and their related cyber infrastructure needs to be established to mitigate risk.
  •  Cyber leaders can ensure supply chain stability by adding security to products to ensure there is no tampering or cloning.

If there is one part of the cyber threat landscape that has evolved significantly in the past year and a half and is in need of greater resilience, it is the supply chain. The COVID-19 outbreak laid bare the vulnerabilities of supply chains. It led Ireland’s Chief Information Security Officers (CISOs) and heads of supply chain to reimagine supply chain strategies from a cyber risk perspective to prevent similar disruptions in future.

The EY Ireland Global Information Security Survey (GISS) 2021 finds that the supply chain presents considerable danger: a fourth or fifth party may be several times removed from the organisation yet still pose a cybersecurity risk. However, more than two-thirds (70%) of the Irish respondents say they are confident they can ensure their entire supply chain is water-tight in its ability to defend against and recover from threat actors.

Alan Dickson, EY Ireland Director, Consulting and Procurement and Supply Chain, talks about the need to develop a robust third-party risk management process and to diversify the supplier network.

Q. What are the imminent cybersecurity risks to Ireland’s supply chain in the coming six months to a year?

A. Multiple well-documented and discussed risks will continue to feature. From a cybersecurity perspective, disruption to the various processes involved in the movement of goods in Ireland is especially a concern, given the introduction of new regulatory systems when dealing with the UK. These include customs formalities such as customs declarations, routine customs checks and payment of customs duties.

Q. The EY Ireland Global Information Security Survey (GISS) 2021 finds that about 70% of Irish CISOs are overconfident in their abilities to secure the supply chain, versus 33% of international respondents. What makes the Irish CISOs more confident than their global peers?

A. The overconfidence of Irish CISOs in the ability to secure the supply chain stems from Ireland having a strong pedigree in the adoption of digital technologies which has been fostered through factors such as business agility, a highly educated workforce, and adaptive attitudes to issues such as globalisation. This has been complemented by the prevalence of big tech firms having a positive developmental impact on the skillset within the workforce.

However, this overconfidence may decline due to the increase in disruptive cyberattacks seen over the past 12 to 18 months.

Q. What are the three key steps Irish CISOs can take to build more cyber resilience into both the hardware and software side of supply chains?

A. An issue in your supply chain can impact you in terms of production, getting product out to customers, etc. That is why you cannot look at it within the confines of your own organisation anymore because there is an ecosystem and you are accountable for all of that.

Here are the three key steps Irish CISOs can take to build more cyber resilience:

Q. How different should the risk approach be for Irish supply chains compared to the organisation’s overall risk management plan?

A. The supply chain cyber risk approach should be part of the organisation’s overall risk management plan. An organisation’s supply chain is integral to its operations and, therefore, the risk approach must be holistic. This is of particular relevance in Ireland, where many constituent components are imported. In any business, a shutdown or operational delay will have a downstream impact on contractual commitments. Liquidated damages form a standard part of many contracts. So aside from reputational impact, there is a tangible financial penalty for non-conformity to contractual terms.

Q. As increased cloud technology adoption and virtual servers lead to more breaches, what steps need to be taken from a technology perspective to make the Irish supply chains more secure?

Q. What should be the key elements of a robust vendor or third-party risk management plan to build more cyber resilience into Irish supply chains?

A. Vendor due diligence is of paramount importance to manage third-party risk. This will provide valuable insight into beneficial ownership, debt, projected growth, and product quality. Screening for sanctions and negative news media, among other aspects, must also be considered. This allows supply chain owners to make informed decisions on partnering with a vendor. Stability of potential vendors and their associated cyber infrastructure must be established to mitigate this risk vector.

Another key area of focus is sustainability. Sustainability within the context of supply chain speaks to the integration of ethical and environmentally conscious practices. This gives a firm grounding through end-to-end supply chain transparency, helping Irish supply chains understand constituent materials and sources. This, in turn, highlights potential areas of failure and therefore risk. Irish supply chains must begin to manage suppliers over the whole lifecycle of a product or service.

Q. What controls can be put in place to plug zero-day vulnerabilities in Ireland’s supply chains?

Q. Whose responsibility in organisations should it be to secure supply chains? How can Irish CISOs help build a more collaborative approach?

A. The supply chain is an integral part of the organisation’s operations and disruption will create a negative customer experience. Thus, it is the responsibility of all members of the organisation to utilise their training and best practice in this regard. Positive steps to establish supply chain stability may include:

Typically, the supply chain team or warehousing team is expected to manage the supply chain in isolation. However, all channels by which the organisation obtains data on its supply chains must be considered when securing the supply chain.

Summary

Irish CISOs can help drive a more collaborative approach by enabling ongoing, iterative education and training. Software breaches are increasing both in volume and in damage caused. So, the best defence is to ensure the organisation is educated in detection methods and has fostered a supportive culture in deterrence of cyberattacks.
