How to Prevent a Supply Chain Attack! (Part 1)

Home    Blog    Cyber Defense
Weathered Chain
Cyber Defense, risk, supply chain

All organizations have a supply chain, but most don’t think twice about it. Supply chains are critical to organizations and their ability to create and deliver products and services to their customers. Without an effective and well protected supply chain, many organizations will struggle to succeed and be easily victimized by opportunity-seeking criminals. Keep reading the first part of our 3-part series on how to prevent a supply chain attack to learn all about supply chains and the risk they pose to your organization!

What is a supply chain?

Let’s start with a definition of what a supply chain is. I’ll summarize the litany of definitions found on the Internet.

A Supply Chain is comprised of all relationships and activities associated with the delivery of a product of service.

While vague, this definition is fundamentally complete.

The first links are forged!

Starting with a simplified example, we can begin to understand just what a supply chain is.

Kale and Tinara have decided to open a lemonade stand during a hot summer. Being enterprising young minds, they ask their dad to help them build a stand, and their grandmother for her delicious lemonade recipe.

With the stand built, and the ingredients picked up, they patiently wait for customers. Fast forward a few days and they have a lineup and have made enough money to buy new bikes.

What does their supply chain look like?

Materials and labour were procured from their father.

A recipe was leased from grandma in exchange for a few hugs and the promise of a sleepover.

Mom helped with getting the ingredients and mixing them according to the recipe.

A chain begins to form.

To fully understand the lemonade stand’s supply chain, we need to look beyond Kale and Tinara’s immediate relationships.

Where did their dad get the wood and tools from? Dad has a supply chain too. What about the recipe? Don’t forget the ingredients from the pantry, or the water from the tap to mix it all together.

Oh boy. And this is just a lemonade stand!

So, dad bought the wood and tools from the hardware store. Grandma got the recipe from her mother. Mom bought the groceries from the local market. The water, well, that’s from the tap, right?

What about the supply chain for the hardware store? Grandma’s recipe may not have a supply chain itself, but it does have another important implication – Intellectual Property. That’s a topic for another day.

How about the market? And who supplied the water? Whether from the water utility, a bottle, or a well, there’s a supply chain there as well.

Supply chains are often long and complicated, though very often simplified and overlooked as a risk to business. It is important for you to understand that they can be filled with direct risks, indirect risks, or a combination of the two.

What does a supply chain look like?

Let’s head for a glass of lemonade to examine the first few links in the lemonade stand’s supply chain.

In this example, Kale and Tinara have a “business” relationship with their father, resulting in Kale and Tinara being the “first party” and their father being the “second party”.

Starting from the top, we have dad building the stand they’ll use to sell from. Let’s ask a few questions.

Where did the father get the lumber, fasteners, and paint?

Where did the tools and come from?

You might be saying, “He went to the hardware store, of course”. Bingo. He went to the hardware store.

How did the father get to and from the store with the supplies?    

Where did the store get the materials he purchased?

This now leads to an indirect relationship between Kale and Tinara and the suppliers their father used. These suppliers are “second party” to the father and become a “third party” to Kale and Tinara, meaning they do not directly have a relationship but are still connected via their father’s relationship.

In our example, these “third parties” might include:

A gas station/company     

An automobile manufacturer

A hardware store

Moving forward, let’s look at just the hardware store. It doesn’t just have everything it needs magically; it needs someone to supply it with wares to sell. Those might include:

lumber mills

fastener factories

tool manufacturers

point of sale equipment suppliers

the list goes on!

These organizations would supply the hardware store and be “second party” to it. They become “third party” to the father and “fourth party” to Kale and Tinara, who haven’t even realized these links exist in their supply chain.

I think the picture is starting to develop, so let’s move on.

First, a primer on risk.

Before we can look at supply chain attacks and how to prevent them, we need to have a basic understanding of risk.

At a high level, risk can be defined as: “The chance, or likelihood, that an actual outcome will be different than what was expected”.

If we break this down, we can begin to understand that risk affects our ability to produce consistent, reliable results, or results that are predictable. That’s not to say risk itself produces or causes this result.

When an event associated with a risk occurs, that risk is then realized and produces some amount of impact to the business, as a result the outcome was different than expected. What are some of the risks our young entrepreneurs face?

ingredient or supply shortages or price increases

inclement weather

neighborhood bullies

Kale and Tinara expect to make and sell their lemonade for $1 per cup and spend $0.25 on supplies for every cup for a profit of $0.75. They estimate they’ll sell 100 servings of lemonade on weekends, for a profit of $75 per day.

What happens to this expected result, of $75 per day of profit, if their mother can’t buy lemons from the grocery store because it was victimized by ransomware? They will have to stop making lemonade. As a result, the actual sales will very likely be different from what they expected, meaning the risk was realized and produced an impact to the business.

Take a minute to think about your supply chain. Think about how it can attack your organization. Do you know how your supply chain could attack and how to prevent it?

That’s all for today!

Supply chains can be complex, but you should now have a good understanding of what a one looks like.

In the next post of this series on how to prevent a supply chain attack, you will learn about the different types of attacks that can come from your supply chain. Find Part Two here or Part Three here.

Want more? Sign up for our newsletter to be notified of new posts.

Ready to protect your business?

Sign up for our newsletter!