Supply Chain Cybersecurity: Not Secure Enough

In May 2022, in this very blog, my colleague Stan Aronow asked a critically important question: “How secure is your supply chain?”  After five months of new research, we are ready to answer the question.

“Not secure enough.”

Cyber attacks continue to present an ongoing, ever-changing threat to businesses across all sectors. In 2021, ransomware become an increasingly popular attack approach. According to cybersecurity research from NCC Group’s Annual Threat Monitor report, ransomware attacks almost doubled in 2021, rising 92.7% year-on-year.

In Gartner’s recent quarterly Emerging Risk Report (subscription required), cyber risk — in the form of new ransomware models — jumped to a top-ranked impact for businesses and operations. And, of course, ransomware is only one of many other types of tools cyber criminals have at their disposal. Ransomware attacks and other types of cyberthreats can have, and have had, crippling effects on supply chains.

But as important and ubiquitous as this topic is, it is fraught with complexity and confusion. Gartner has been covering supply chain cybersecurity since 2017, and the profession has made great strides. However, there’s still work to be done. Given the ongoing threat environment, we have just released a new entry in our Supply Chain Executive Report series: Combating Enterprise and Ecosystem Cybersecurity Threats.

This report offers a comprehensive look at the current state of supply chain cybersecurity. It’s designed to help our clients across key industries understand current approaches and best practices, as well as see how this effort may evolve over the next few years. In this report we put forward a framework for companies to use as they plan and execute their defenses.

One of our key findings is the deployment of systems and product protection.

These deployment numbers are consistent with surveys we have run in the past, where we see protection for IT in place most often, then OT and then IoT. In fact, we can see the progress the profession has made; in a similar survey we ran in 2018, the numbers across the board were lower (64% for IT, ~45% for OT, 34% for Product, and 27% for IoT).

As encouraging as it is to see the positive steps the profession has taken over the last five years, our research shows that organizations have an inflated sense of their supply chain’s cybersecurity. In our “Heightened Complexities” survey, which partly informed the new report, when we asked respondents how protected they thought their supply chains were on a scale of 1 to 7 (with 1 being not at all and 7 being completely protected), 83% of respondents rated themselves a 4 or higher. Yet the same survey showed that over the last two years nearly a third of all the companies we surveyed suffered a cyber attack that impacted their specific supply chain functions or operation.

When we look at the Heightened Complexities responses from the view of a “VP and above,” the numbers change. These leaders will tell you they are less confident. In fact, the numbers go from 70% at a confidence level of 5 or higher for managers/heads of functions, to 44% at 5 or higher for VPs and above. We believe the different vantage point gives the respondent a fuller and truer understanding of what the extent of the risks are across the extended enterprise and third-party supply chains.

This overconfidence has been likewise evidenced in other Gartner supply chain surveys. And in addition to our quantitative data, we have our qualitative insights from our new research as well. When we asked about this overconfidence, respondents from across different industries said:

“The people who say they are confident, they don’t understand all the risks.”
 “People have their heads buried in the sand.”
“As the less mature companies with fewer connected systems will tell you, they have a lower level of worry about this problem.”
“We rely on blind faith.”
“I have no idea how prepared (or unprepared) our logistics partners are to face something like this.”

We hope this new report will help. Some of our key findings include the following:

• For 63% of the respondents, spending on supply chain cybersecurity was expected to rise by at least 5% from 2021 to 2022.
• Audits of suppliers, contract manufacturers and logistics partners still make up the top technique used in the fight against supply chain cyber attacks (see below figure).
• Logistics providers were the No. 1 failure point for companies that had suffered a supply chain cyber attack.
• Of those surveyed, 63% of companies are actively working with third parties on the problem.
• Cybersecurity talent in supply chain will be a top demand.
• Only 38% of respondents say “% of completion of third-party risk assessment” is a metric they use in quantifying supply chain cyber risk.

If CSCOs are going to face the threat of increasing cyber risk head on, they must continue to educate themselves, avoid complacency and take action. They must close the confidence/capability gap. We look forward to working with them on the journey. If you have comments you’d like to make on your own journey, we’d love to hear from you as well.

To take a deep dive into the suggested strategy, Gartner members can review the Supply Chain Executive Report: Combating Enterprise and Ecosystem Cybersecurity Threats.

An accompanying podcast is available on Gartner.com, Apple Podcasts, Spotify and Google Podcasts.

Mark Atwood
Managing VP
Gartner Supply Chain
mark.atwood@gartner.com

You are invited to participate in the 2022 edition of Gartner’s Future of Supply Chain Survey.

This survey covers five critical emerging themes for supply chain organizations. As these themes shape the future of the supply chain profession across the next three to five years, this survey seeks to enable our clients to strategically plan for these shifts.

The findings of this survey will be published in Gartner’s annual Future of Supply Chain report at the end of December 2022. As a thank you for participating, we’ll send you a high-level summary of the key findings as soon as it is available.

Survey closes on 15 October 2022.