Tom Garrison, vice president and general manager of client security strategy with Intel Corp., assesses the current state of supply chain security, and discusses what companies must do to become more resilient to cyberattack.

“There’s a rising awareness of supply chain security,” says Garrison, “but in terms of the actual security posture it’s still relatively in its infancy.” Companies are becoming more aware of the critical nature of supply chains, and are beginning to adopt basic precautions, but “I still believe there’s a lot more that industry can and will be doing to secure supply chains moving forward.”

One might think that a single major incident such as the recent ransomware attack on the Colonial Pipeline would cause businesses to become aware of the need for action on the cybersecurity front. “The reality is that there isn’t going to be one attack that gets everybody to change their behavior,” Garrison says. “Change takes longer than anyone thinks.”

In past decades, businesses have spent more time and attention on ensuring supply chain efficiency than on the nuances of security. The result has been extremely lean supply networks that allowed precious little room for error. In addition, says Garrison, too much reliance was placed on reaping the benefits of sourcing from a single supplier or geography, leaving companies vulnerable to the impact of disruptions. Nor did companies pay enough attention to the risk of various devices changing hands without proper security controls.

Cybersecurity is a never-ending effort that must be constantly refreshed in line with new techniques employed by hackers, Garrison says. “Security is like water rolling downhill. You can build a dam, but the water will chart a new course.” Methods such as zero-trust access to networks are essential to keeping pace with the challenge.