When you think about supply chain risks, what's often mentioned is not something related to the physical supply chain. Rather, it's the growing number of IT-related cyberthreats that could do serious damage.
A recent report from the Georgia Institute of Technology on emerging cyberthreats, for instance, addresses exactly this theme. Give the report a quick scan, and phrases and section headlines like these could leave many supply chain executives and CIOs wondering what's lurking in the background undetected:
- Insecurity of the Supply Chain: Hard to Detect, Expensive to Fix, and a Policy Nightmare
- Supply chain insecurity is both hard to detect and expensive to defend against
- On an international policy level, supply chain issues will continue to be an intractable problem
- Cloud Security Enters Its Teenage Years: Data in the Cloud Will Have Better Overall Security, but Failures Will Be Severe
So, it's not a stretch to believe that we'll be seeing more companies and governments trying to curb these risks in the next couple of years. In fact, we're already seeing some of this conversation happening in Europe.
Earlier this month, the EU proposed new cybersecurity rules that provide the region's “comprehensive vision on how best to prevent and respond to cyber disruptions and attacks.” With the overarching aims of “achieving cyber resilience, drastically reducing cybercrime and establishing a coherent international cyberspace policy for the European Union,” the directive is looking for ways to address problems like these listed in its press release:
- According to the World Economic Forum, there is an estimated 10 percent likelihood of a major critical information infrastructure breakdown in the coming decade, which could cause damages of $250 billion.
- The 2012 Eurobarometer poll on cybersecurity found that 38 percent of EU Internet users have changed their behavior because of these cybersecurity concerns: 18 percent are less likely to buy goods online and 15 percent are less likely to use online banking.
- Eurostat figures show that, by January 2012, only 26 percent of enterprises in the EU had a formally defined ICT security policy.
According to media reports, each EU member state would set up “CERTs,” or Computer Emergency Response Teams, to deal with hacking and malware crises, and there will be more pressure placed on private companies across many vertical sectors — banking, energy, Internet search engines, cloud service providers, transportation, stock exchanges, to name a few — to report major security breaches and cyberdisruptions. The Wall Street Journal, citing EU officials, said as many as 40,000 companies could be impacted if the proposal becomes law. That means many companies either directly in or touching the electronics supply chain may be included in the reporting requirements.
The proposal has to go to the European Parliament and be approved by the leaders of the EU's 27 national governments before being signed into law, a process that could take a couple of years. Even though companies don't have to comply with this right now, it seems pretty clear the handwriting is on the wall.
Cyberthreats will continue to be a significant risk on many levels. Governments will try to protect their constituents from cybercrimes with rules that will impact businesses. Supply chains — and the IT systems supporting them — could face serious disruptions in the wake of major security breaches. So, maybe now's a good time to ask — what are you doing to curb such risks?