Building a cyber-resilient organization is no longer something supply chains can wait to do or invest in over time. It has become a critical priority.
From the healthcare sector to major breaches like the SolarWinds hack that affected thousands of organizations, including the U.S. government, every industry is taking a closer look at their security and identifying potential risks, as well as bringing on business-critical talent to ensure cyber-resilience in the supply chain.
With the stakes so high, skilled professionals are in high demand to secure the vital infrastructure of businesses. By 2030, there will be a need for 3.4 million additional security positions, and not nearly enough people to fill them.
IBM’s recent Threat Intelligence Index found that 51% of organizations plan to increase their security investments next year. This is especially crucial in the supply chain, as 98% of companies have experienced negative consequences due to a cybersecurity breach among the external vendors and suppliers that make up their supply chain. Driven by a growing awareness of the need for security, supply chain leaders must capitalize on opportunities to develop effective cybersecurity strategies.
Online attacks on businesses have become more prevalent in recent years, thanks to technological advances such as artificial intelligence and cloud computing, alongside a shift to remote work. These trends make IT networks and data more vulnerable to cybersecurity threats.
The recent MOVEit supply chain attack targeted the MOVEit Transfer tool, which allows users to transfer sensitive files securely. The attackers managed to compromise more than 515 organizations, including the BBC, Zellis, British Airways, Boots and Aer Lingus. The attack infected the web-facing MOVEit application with a web shell that was then used to steal data from MOVEit Transfer databases, including personal identity information such as staff addresses, IDs, dates of birth and national insurance numbers. This attack shows how quickly a supply chain breach can escalate, and how smaller vendors can have a massive impact on even the largest organizations.
Only when the entire team understands the importance of cybersecurity, and is armed with the necessary knowledge and expertise, can the supply chain be considered secure. Even then, companies need to be constantly on the lookout for potential threats from suppliers or other third parties who have access to their organization’s data.
Following are a few ways to work toward building a cyber-resilient team and supply chain.
Create a culture of security. Beyond specific trainings for new technologies, supply chain management should prioritize fostering a holistic culture of cybersecurity awareness, and maintaining it as the industry continues to evolve. Make sure that cybersecurity is a part of the conversation from the get-go, and that everyone is given the tools to spot attacks.
A culture of security starts at the top and trickles down. To encourage a security-first mindset among employees, C-suite executives need to lead by example and set the tone for awareness throughout the organization. This is even more important when onboarding new talent, to seamlessly integrate them within the culture and existing teams.
Leaders should ensure that their teams are constantly educated on cybersecurity. To keep employees up to date on the latest threats, offer engaging and interactive security-awareness programs at all levels. Leaders can also consider drills that simulate various kinds of threats or offer opportunities to get SANS-certified. The SANS Institute offers courses and certifications in cloud security, cyber defense, cybersecurity, IT essentials and more. These steps demonstrate a company’s commitment to personal and professional development, which is attractive to prospective talent and can increase retention.
Since the surge in digitization due to the COVID-19 pandemic led to a 38% increase in global cyberattacks, companies and security leaders are taking a closer look at potential threats and resolving vulnerabilities from both an external and internal point of view.
Address internal and external risks. The most common mistake companies make in addressing security risks is prioritizing the technology before assessing potential internal risks. More often than not, problems arise from internal team members who lack an understanding of the best practices, processes and technology that make up the supply chain’s security framework.
The first step in addressing and updating the supply chain’s security is for management to meet with every team and understand what they do at a granular level. Then companies need to seek out the best solution for addressing and mitigating internal threats from a cybersecurity standpoint. This can include specialized training or educational programs, to ensure that every team member is well-versed in the technology and operations. As a security leader in the supply chain, the focus should be on proactively maintaining the process and connecting with teams individually to manage cybersecurity.
The next step is to assess any potential external risks. Since many security breaches come through third parties, some companies are even restructuring and choosing to rely on internal teams to create and replace supply chain technologies, to minimize potential vulnerabilities. This isn’t always possible for every company or industry, but it’s something to consider when looking to mitigate potential external cybersecurity risks.
Create a diversified team. Mitigating external and internal risks always begins with the right team. It’s important to build a team with diverse talent across a supply chain. This includes representation from various gender, sexual orientation and ethnic or racial groups, as well as varied professional backgrounds.
Currently, only 26% of cybersecurity professionals identify as an ethnic or racial minority, and only 24% of cybersecurity positions are held by women. Furthermore, women accounted for only 41% of the workforce in the supply chain industry in 2021, compared with 56% in the overall labor force. This demonstrates a clear need for increased diversity, equity and inclusion (DE&I) efforts in the supply chain and, more acutely, in cyber positions, to ensure the representation of top talent from all backgrounds.
Research has also shown that a diverse workforce can lead to increased innovation and productivity. In fact, the accumulation of varied perspectives and experiences greatly benefits business — companies with above-average diversity produced a greater proportion of revenue from innovation (45% of total) than those with below-average diversity (26%).
Diversification is also important when considering professional backgrounds. Military personnel, for example, are attractive because they can quickly assess risks and prioritize solutions in high-pressure situations. Technical talent from the healthcare or financial services industries is well-versed in working in highly regulated environments. Rarely does a threat actor do the same thing twice, and their methods will vary based on the infrastructure they’re dealing with. A diverse team with experience across different industries will provide different perspectives, which is invaluable as new challenges arise.
Emphasize end-to-end security. Because supply chains touch so many areas of a business, they are an especially vulnerable space for cybersecurity threats. As awareness and security investments increase, organizations need to hire and retain business-critical talent and ensure a company-wide culture of security awareness.
This is an essential time to evaluate risks in the supply chain, particularly when it comes to cybersecurity. Leaders who operate with the mindset of “wait and see what happens,” versus being two steps ahead of a problem, will quickly realize the cost of their mistake. Success in running a secure business will come for those organizations that proactively address cybersecurity internally, retain top talent, and closely assess (and always re-assess) external factors. Only then can the supply chain be considered cyber-resilient and stand up against even the most determined attackers.
Katie Owston is vice president and market specialist for security operations, threat intelligence and information security at Glocomms.