This video presents findings from a CAPS Research report on cybersecurity in supply chain networks. The speaker emphasizes that cybersecurity is not solely an IT issue but significantly impacts purchasing and supply chain management, highlighting the vulnerability of companies through their suppliers.
Hi, my name is Zach Rogers and I'm an assistant professor of supply chain management at Colorado State. Together with CAPS Research today, I'm going to present to you the findings from our report, Cybersecurity in Supply Chain Networks. I worked on this with a team of researchers: Victor Benjamin, who was an assistant professor of information systems at Arizona State; Mohan Gopalakrishnan, a professor of supply chain management and the chair of the supply chain department at Arizona State; as well as Dr. Thomas Choy, a professor of supply chain management at Arizona State; and of course, the director of CAPS Research.
Supply chain managers, particularly purchasing people, tend to think of cyber security as, that's an Information Systems problem that is, people will deal with it. That's not something we really need to handle. Purchasing is focused on price, delivery, quality. Cyber security, that's something else. In fact, almost two-thirds of all data breaches happen through either a supplier or a third party. Walmart, the recent Equifax breach, Apple, CBS, CNN: all of these big breaches happened not because of problems with their system, but because of issues and vulnerabilities with their suppliers.
Yes, most CPOs, when they talked about cyber security, they're only worried about the impact of a malicious actor, some hackers, and what they could do directly to a focal firm. However, when we think about how the Target breach happened, Target was attacked not directly from the malicious actor, but indirectly through Fazio, their supplier. In our report, this is only one of five of the archetypes that we present. We find attacks through a supplier, attacks from a supplier, supplier from a supplier of a customer that the focal firm may not even have any visibility to, from a competitor's shared supplier. And that's interesting because then competitors need to work together to address the problem.
All of this is covered in great detail in our reports, as well as mitigation strategies and ways that companies can deal with this. Every supplier relationship is really a vulnerability. Think about it like your house. Every supplier has a key to your house, and so if you can't trust every single supplier with that key, then you have a problem. There are a lot of access points for hackers, especially as, you know, sort of the focal firms, the big companies, get better and better at defending themselves; they're gonna try a lot of different ways to access those companies. Cyber security really is a supply chain problem, and we can't just keep depending on IT people to fix it. Two-thirds of attacks come through the supply chain, and because purchasing is the interface with that supply chain, with those two-thirds of attacks, purchasing needs to be the ones to help solve this problem. Thank you for your time. I hope you enjoy the report.