Cybersecurity in the Supply Chain: How Prepared is Your Business?

By Jan Stentoft, Professor, Department of Entrepreneurship and Relationship Management, SDU. Olivier Schmitt, Professor, Center for War Studies, SDU. Marco Peressotti, Associate Professor, Department of Mathematics and Computer Science, SDU. Amelie Theussen, Associate Professor, Danish Defense Academy.

Today, Danish small and medium-sized enterprises (SMEs) rely heavily on IT both for handling internal processes and communication, but also for outsourcing and dealing with external partners, suppliers, and customers. IT technology and the internet - and its widespread use - have made interaction, coordination, and integration with the surrounding environment easier, faster, and cheaper.

Digital transformation has streamlined business processes in small and medium-sized manufacturing companies. However, it has simultaneously introduced vulnerabilities to cyber-attacks. Therefore, it is important to focus on cybersecurity, which encompasses the group of technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access.

The environment for Danish manufacturing SMEs is also changing rapidly. We have gone from a long period with a low level of international conflict to a more conflict-ridden level, where increasing global power nations competition affects Western allies and where the focus on critical infrastructure has taken on a new strategic importance.

Geopolitical developments also increase the risk of cyberattacks from both states and cybercriminals. SMEs often rely on exports to grow their business. This means that supply chain disruptions due to geopolitical tensions and market access restrictions, such as international sanctions, will have a greater impact on them.

New research from SDU reveals a lack of cybersecurity knowledge and readiness among Danish manufacturing SMEs. The new EU NIS2 directive (Network and Information Security), which aims to improve the overall IT security of member states, contains stricter requirements for companies' cybersecurity, which also includes Danish manufacturing SMEs. The directive will ensure that all organizations that serve an essential function in society have a high level of IT security.

Information security consists of the basic elements of confidentiality, integrity, and availability.

Confidentiality refers to the protection of data from unauthorized disclosure. Unauthorized, accidental or unforeseen disclosure can result in legal action, financial loss, and loss of public trust. Integrity is about protecting information from unauthorized or accidental modification. For example, hackers can steal and modify data via malware.

Availability relates to accessing critical business data when needed. If a website is hacked, its availability can disappear.

Various business units, both within individual companies and across different companies, are interconnected through IT devices. What is known as a man-in-the-middle attack can occur when a hacker gains access to the network where data can be stolen and manipulated. Distributed network attacks can also take place where a server is overloaded.

Ransomware attacks are also a practice where the owner of an infected device is blackmailed into paying for data access again. Finally, phishing attacks are attacks that gain access to a system by tricking employees into clicking on fake emails. Not least, companies' own employees can inflict risks due to a lack of cybersecurity awareness.

Ensuring information security in the supply chain is far more complex than simply downloading the latest antivirus software. Information has been democratized.

In a digital age, vulnerabilities to company systems are compromised by second or thirdparty subcontractors who are part of a connected supply chain. Information about inventory levels, production schedules, customer orders, suppliers, and shipments are available and can easily flow between companies using laptops and a barcode scanner. The rise of the Internet of Things also creates vulnerabilities when IT devices that, for example, control intelligent robots or temperatures and monitor equipment servicing are connected to the network.

With these cyber challenges, the key question becomes what should SMEs do? First, create awareness of geopolitical tensions and cyber threats. Cybersecurity is not an IT issue, but a concern for all employees in a company.

It's about investing time in employees across organizational functions and creating an understanding of what needs to be protected, what attacks to protect against, and then clarifying what investments should be made to improve cybersecurity.

Training employees on cybersecurity is important, and this applies to all layers of the business, as employee internet behaviour, for example, can pose a threat. SMEs are prime targets for cyberattacks because they often have relatively high access to important information given their size within the supply chain.

SMEs typically have the lowest level of cybersecurity given their limited financial and human resources and IT knowledge. Hackers exploit weak links in supply chains and attack via insecure supplier systems. A backdoor to software can be created, giving access to modify the source codes. If a supplier is affected, it can lead to the customer being unable to deliver because raw materials/components are not available from the supplier.

This means that you can have your own store under control but can be hit by a supplier. If a supplier is hacked, customer data can be accessed. If a third-party logistics provider is hit, business operations can be affected if the ERP system is cloud-based, if data is stored externally, and if you use other external IT services. The loss of performance is not isolated to the individual company.

It also negatively impacts customer performance. Equally critical is the loss of credibility with current and potential customers - a consequence that can be downright devastating for businesses.

A new project focusing on strengthening cyber security in Danish manufacturing SMEs (see www.cyber-smv.dk) has just been launched with funding from the Danish Industry Foundation. The project focuses on identifying vulnerabilities in supply chains derived from geopolitical tensions and cyber threats, as well as which capabilities companies should strengthen in order to achieve greater cyber security.

It's about ensuring competitiveness.

There is a need to strengthen competencies so that the company is not wide open to cyberattacks. A strengthened level of cybersecurity and an increased awareness of vulnerability risks should not be seen as a cost for SMEs, but as an investment in (continuing to be) an attractive and secure partner in supply chains, along with good quality, environmental focus, and social responsibility.

It's imperative to shift our mindset, viewing cybersecurity not just as a protective measure, but as a cornerstone of competitive advantage.