SMEs the weak link in supply chain cyber security

Disproportionate access to important information makes small to medium enterprises (SMEs) targets of cybercriminals

SMEs are at the greatest risk from cyber-security threats, and their vulnerability in turn poses a danger to major corporations with which they do business.

That’s the view of Steven Melnyk, professor of supply chain management at Michigan State University in the United States, who recently shared his insights with local supply chain professionals at the inaugural SAPICS Spring Conference.

“Blockchain is vastly overrated; supply chain cyber security is underrated; and we are not spending enough time on small to medium enterprises. We need to grow them; but they are a challenge in terms of cyber security,” Melnyk said.

He explained that SMEs had disproportionate access to important information. “They are often mission-critical suppliers that produce niche products. They are protected by governmental regulations and requirements. However, they generally have the weakest cyber-security arrangements in terms of size, resources and expertise. They open up large clients to cyber-security attacks.”

Melnyk cited the example of a well-respected American chemical company that was hacked through its supply chain. The hackers obtained information about customers and orders, including quotes. They saw details of items that the company – which was renowned for innovation – was getting ready to patent.

“The hackers altered the master production schedule; they changed due dates, order quantities and order quality levels. Deliveries were compromised. A new supplier then entered the market, with the precise items that the customers wanted, at prices lower than the current variable costs. The supplier also patented the firm’s innovations,” he revealed.

Listing other examples, Melnyk said General Electric had suffered a cyber-security breach in which hackers had obtained the business’s target prices, while Macey’s and the Bank of America had also been targeted. “Every significant breach occurred through the supply chain,” Melnyk said.

According to Melnyk’s reckoning, companies in the United States (US) had spent about US$ 84 billion defending themselves against breaches that had cost them about US$ 2 trillion. “The average cost of a cyber breach is US$ 7,9 million and the average time to contain a breach is 276 days,” he said.

Melnyk added that the growth of the digital economy and digital supply chain was contributing to the growing cyber security threat, with four-billion people predicted to be connected to the internet daily in 2020. He advised that companies consider the threat of collateral damage when assessing their cyber-security risk.

“In June 2017, Russia launched the NotPetya cyberattack against Ukraine. Its targets were banks, energy providers, governments, airports and hospitals, and its goal was to wipe data from computers. Companies including Merck, FedEx, Maersk and Mondelez suffered significant collateral damage,” he revealed.

According to Melnyk, the attack cost pharmaceutical company Merck US$ 870 million, incurred as a result of collateral damage through its connection to hospitals. He said that Maersk was reportedly so ill-prepared for the threat that the firm’s IT people had had to run down corridors to tell employees not to turn on their computers.

He urged supply chain professionals to consider cyber-security prevention, detection and recovery measures, and to understand how contamination might occur. “It is time to act now. Cyber security is not an IT issue; it is a supply chain issue. Cyberattacks are on the rise.”

Melnyk said that the current global cost of ransomware damages was more than US$ 5 billion, and by 2021, it would exceed US$ 6 trillion. “Blockchain offers some protection, but it is not enough. If you want to develop a competitive edge in South Africa, offer your customers secure supply chains,” he advised.