Mitigating Supply Chain Risks from Cyber Attacks

A Lumberjack Story

On a sunny day amidst the forest there were two lumberjacks cutting wood. One of the men worked really hard all day in the scorching heat. He would seldom take a break, and also reduced his lunch time down to 20 minutes only. The other man took several breaks in the day and would spend 45 minutes for lunch. He also took a 15-minutes nap before going back to work after lunch.

The first man was extremely frustrated because, no matter how hard he worked, the other man’s pile of chopped wood was always more than his at the end of the day. “I don’t understand how you do it,” said the first man angrily one day. “Every time I look around, you are sitting down, and yet you cut more wood than I do. Why is that?” With a smile, the second man replied, “Did you notice that while I was sitting down, I was sharpening my axe?”

Sharpening One's Axe

Here’s another angle at “sharpening one’s axe.” Is your organization just reacting to issues after they have materialized?


Is your organization anticipating, mitigating, and improving risky scenarios? Certainly, in the world of networks, software, and digital assets one can only imagine the state of your data, secrets, and contracts against cyber attacks and data breaches. This blog looks at one area within cyber security that many organizations forget to include in their risk assessments—their supply chains.

Managing the Key Supply Chain Risks

Cyber attacks create a weak link in the supply chains because organisations can’t always control the security measures taken by the supply chain partners. This can create opportunities for cybercriminals to attack an organisation’s data and resources by first infiltrating a supply chain partner.

Because of the sensitivity of the data shared with the majority of supply chain partners, there is a heavy reliance on top-to-bottom collaboration/education of cyber secure practices. This is where many organizations fall flat; allowing third-party actors to drag down their organizational management of cyber security risks.

Any weaknesses in supplier systems become weaknesses in the organisation’s systems. Just think about the fact that each supplier probably has its own equally integrated and complex supply chain to manage as well, and you get a sense of the scale of the potential vulnerability.

The Key Supply Chain Risks are:

  • Third party service providers or vendors — from janitorial services to software engineering — have physical or virtual access to information systems, software code, or Intellectual Property
  • Poor information security practices by lower-tier suppliers
  • Compromised software or hardware purchased from suppliers
  • Software security vulnerabilities in supply chain management or supplier systems
  • Counterfeit hardware or hardware with embedded malware
  • Third party data storage or data aggregators

Time to think holistically about Supply Chain Cyber Attacks

Supply chain cyber attacks put organizations at significant risk — risk that can disrupt their operations and damage their reputations. Inadequate cybersecurity practices by lower tier suppliers introduce increasing risk to supply chain partners and monetary loss. Unpatched or poorly written software can introduce security vulnerabilities in the supply chain. Counterfeit hardware or software may contain embedded malware.

Thus, supply chain security requires a multifaceted approach. There is no one panacea, but organizations can protect their supply chain with a combination of layered defenses.

Some comprehensive steps throughout supply chain to minimize the risk of external intervention like cybercrime are:

Indeed, in the modern world where cyber vulnerabilities will only increase as organizations use more and more digital components to the supply chain, a holistic approach to mitigating cybersecurity risk is not a nice-to-have, it’s a must-have as the attack surfaces increase by the day.

To Learn More


A Roadmap to Vendor Management from Source to Contract


Comments are closed.