How dangerous is your supply chain?

A SolarWind that blows nobody any good.
Nike’s woes in China, paralysis in Suez, Brexit border chaos and above all the growing threat of cyberattacks – when it comes to fast-moving consumer goods (FMCG), luxury and sporting goods it has never been more important to manage and minimise supply chain risks.

Nike’s situation is as complex as it looks. The company is suffering a backlash after expressing “concern” about alleged Chinese use of Uighur forced labourers in cotton production. Chinese consumers have called for boycotts of Nike goods, celebrities have stopped endorsements and state media has criticised the brand. Nike does not even use cotton suppliers from the Xinjiang region, yet has found itself in a political argument that demonstrates the vast scale of supply chain risk. More risks have been highlighted by the blockage of the Suez Canal, which carries 12% of global trade each day. Even with the massive Ever Given container vessel freed, shipping backlogs mean the ongoing costs will be $10bn a week, according to German insurer Allianz. BBC Business Correspondent Theo Leggett makes the point: “Industry experts are warning that the knock-on effects on delicately balanced supply chains could be felt for months to come.”

In a 2020 report McKinsey predicted border delays causing major damage to the FMCG industry, something that has come vividly true post-Brexit. It also noted how US-China trade disputes – and the introduction of new tariffs – represent a profound and systematic threat.
Cyberattacks – the growing threat
Cyberattacks offer more potential for unexpected calamity, and the speed and scope of the damage can be eye-watering. British Airways was fined £20m by the Information Commissioner’s Office for a massive breach of customer data after hackers stole the personal and financial details of more than 400,000 passengers in 2018. Crucially, the technical vulnerability had been well known yet the airline had not updated its systems. This spurred accusations of negligence or reckless risk-taking – all the more so because BA did not detect the cyberattack for more than two months. The fine will have dwarfed what the cost would have been to patch the vulnerability in the first place.

Supply chains and vendors are a frequent target: 70% of cyber security data breaches now involve a third-party supplier of some sort. In the 2020 SolarWinds cyberattack that compromised U.S. government agencies and 18,000 companies on a scale that surprised even veteran security experts, the hackers zeroed in on a weak link in the software supply chain that all corporates and institutions rely on.

Cyberattacks are rife and if you are not already identifying the risk in your supply chains you can no longer afford not to. All it takes is for an employee at one of your suppliers to click on the wrong email or forget to update the antivirus software and ransomware attackers have a fast track into shutting down your whole business.
What is preventing your business from managing supply chain cyber risk?
Common factors that prevent FMCG, luxury and sporting goods brands from managing supply chain cyber risk include:

- Fear of overwhelm. You believe you have too many suppliers and that monitoring them is too difficult.

- Fear of the failings and insecurities you will unearth if you do investigate.

- Fear of using up resource and skill when you are struggling to protect your own organisation.

But this approach ignores potential impacts that could cause even greater damage. Understand the risks, and your business will be in a better position to respond if something goes wrong. If you have already done the strategic thinking, when trouble strikes you can apply your finite resources to the areas you have identified as most important.

It’s why the McKinsey report warns: “Supply-chain risk management needs to be incorporated into regular decision-making and planning processes. Embedding risk-management capabilities as a regular ingredient of business decisions in operations is the first step towards creating a true risk culture and a resilient company.”

This is where C2 Cyber comes in. We are experts in cyber security and vendor risk management, with a proprietary COBRA platform that enables our clients to identify the supply chain risks that pose the greatest threat, then focus their limited resources on collaborating with supply partners to reduce them.
Why the time to act is now
Supply chain cyber risk is magnified because increasingly systems are connected to enable integrated digital services that reduce inefficiencies. By 2027, 50 percent of luxury purchases are predicted to be digitally enabled as a result of new technologies such as virtual reality and mobile payments (Source: Bain & Company: Macro trends in the luxury goods sector 2025-27). This introduces systemic risks and the possibility of one company infecting many others with viruses and malware.

Research into the risks faced by fast fashion pointed out how the pressures of short lead times (pivotal to the success of the sector) could be addressed by developing relationships with the outsourced supply chain (Risk Management: Rethinking Fashion Supply Chain Management for Multinational Corporations in Light of the COVID-19 Outbreak, Journal of Risk and Financial Management, 2020). These relationships are often based on networked supply chain models that can in turn increase the risks of costly mistakes that infect the entire network. Indeed, McKinsey suggests that the global average share of products that are partially to fully digitised advanced seven years in 2020 as a result of Covid-19.

And cyber attackers are ever more inventive. Forbes reported last month how hackers used the data stolen in an attack on a major maternity clothing business to contact its customers and urge them to demand the company pay a ransom …

Isn't it time you reduced your third-party risk to protect your business?