Supply Chains - A Key Vulnerability
A recent study by Resilience360 and the Business Continuity Institute (BCI), "COVID-19: The Future of Supply Chains", illustrates a number of business trends that are emerging as a result of the pandemic. Some key figures include:
- Only 49.2% of organisations surveyed had a contingency plan in place that enabled them to manage their supply chains effectively.
- 53.2% of organisations plan to write new, more comprehensive pandemic plans, with 32.3% planning for those plans to cover their supply chains.
These figures do not surprise me: few organisations would have put a pandemic high on their list of likely risks back in 2019, and why would they have? However, many could have predicted other events that would lead to massive disruption in supply or demand from particular regions, for example shipping disruption to and from China, or, in the UK, the planning done for a disruptive no-deal Brexit. Those scenarios could have been predicted and planned for.
Those partial plans could well have been adapted and applied, and organisations that had them would at least have had a starting point for their response.
Parallels with Cyber Security
Planning for incident response is much the same, and there are clear parallels. You cannot predict exactly what will happen and why for every imaginable type of risk (otherwise you would stop the attacks cold, wouldn't you?).
But you can foresee several major categories of risk: ransomware, malware affecting SCADA systems, web application hacks, man-in-the-middle attacks, CEO fraud and so on; the list truly does go on. These risks may never materialise, and you plan and work to make sure they do not.
However, you really do need to plan and prepare for the worst. The crucial few minutes and hours after you have detected an intrusion or infection can make all the difference. If you have to spend that time holding consultations, drawing up initial plans and talking to legal, procurement and other teams, you are likely to cost your organisation dearly.
Supply Chains and Cyber Security
It is also worth remembering that in the modern economy, most organisations rely on extended and often complex supply chains. Failures or disruptions in one part of the supply chain can have major impacts further up or down the supply chain.
The Resilience360 / BCI study found that over 73% of organisations reported either some or a significant detrimental effect from supply chain disruption.
How much of that was predictable and manageable? We cannot tell from this study. But ask yourself:
- Have you done any effective due diligence on the cyber security of your supply chain?
- How would you deal with your suppliers and customers in the event of a breach?
- How would you expect them to deal with you?
Effective third-party assurance with your supply chain partners should be treated as vital to any due diligence process.
The pandemic has caused many organisations to carry out due diligence deeper in their supply chains going forward: although organisations had largely carried out good levels of due diligence amongst their tier 1 suppliers (such as determining suppliers' locations and obtaining their business continuity plans), such due diligence tailed off beyond tier 2.