Why Aren’t Supply Chain Leaders More Focused on Improving Cybersecurity? 

By Ryan Tierney 
 

Cybersecurity incidents are a major cause of supply chain disruptions and delays—as well a potentially devastating financial and reputational risk. So why aren’t more supply chain leaders focused on improving their company’s cybersecurity posture? 

In a recent study of 150 supply chain leaders by TrueCommerce, respondents rated cyberattacks as one of their biggest challenges and most dreaded disruptors. But interestingly, improving cybersecurity was not among their top goals.  

The Importance of Supply Chain Cybersecurity Risk Management  

In a world where almost every organization faces a relentless barrage of ransomware threats, phishing attacks, and other cyberattacks, maintaining a robust cybersecurity posture is essential to business continuity and competitive survival. This is especially true for SMB/SME supply chain partners, which increasingly must validate that they can keep customers’ data safe and comply with their cybersecurity guidelines.  

Why the growing pressure? Hackers are escalating their attacks on suppliers to exploit their weaker cybersecurity and breach their better defended enterprise customers. According to Verizon’s 2024 Data Breach Investigations Report, 15% of data breaches involved a supply chain partner or other third party.   

If hackers gain access to sensitive data that you exchange with trading partners, such as purchase orders, invoices, and payment details, it could cost you a lot more than downtime, remediation, and legal expenses. You could also lose revenue, as your customers drop you for safer competitors.  

Improving your cybersecurity is really the only way to mitigate this risk effectively. For example, even if you could transfer the financial risk of a data breach to a cyber liability insurer, this would not address your clients’ elevated “vendor risk.” Nor would it resolve any data security or privacy compliance issues you might still have. 

What does the TrueCommerce study say about cybersecurity? 

Our study touched on supply chain cybersecurity in several areas. Here are the key data points: 

• 31% of respondents said they expected to endure supply chain disruptions due to cyberthreats in 2024. Cyberthreats ranked as the third most widely anticipated disruption after labor shortages (34%) and price changes (45%).  

• Among respondents with global supply chains, cyberthreats were the number one concern, impacting 49% of organizations. Currency fluctuations and exchange rates placed second at 43%, but for many companies these present less overall business risk than cyberattacks. 

• When asked about top supply chain goals for 2024, 25% of respondents cited “supply chain resiliency improvement,” which could involve strengthening cybersecurity controls (see Table 1). This was down from 28% in 2023. “Improving cybersecurity” was not among the choices for supply chain goals.  

	Top Goals in 2023	Top Goals in 2024
Accurate demand forecasting	21%	25%
Accurate order processing	33%	23%
Hiring workers	27%	25%
Inventory-management improvement	21%	25%
Managing seasonal order spikes	17%	25%
New trade partner integration	10%	6%
Process automation	15%	13%
Productivity improvement	11%	13%
Profit increases	5%	6%
Reducing delays	15%	21%
Sales increases	39%	34%
Stockout reductions	14%	15%
Supply chain resiliency improvement	28%	25%
Technology integration	27%	21%
Time-to-market reductions	8%	12%
Visibility into business processes and workflows	6%	9%
Worker safety	3%	0%

Table 1: Top supply chain goals. 
 

Given stakeholder demands to protect their data plus the inevitability of attacks, why aren’t more supply chain leaders intent on improving cybersecurity? One reason might be that security controls are often seen from a cost perspective without factoring in how they can also create competitive value. Another hurdle we often see with security is that given all the complexities people aren’t sure where to begin. 

How can supply chain companies improve their cybersecurity? 

Because hackers can weaponize them in multiple ways, exchanging documents with your trading partners inherently increases your cybersecurity risk. Yet the ability to secure business documents is paramount given the sensitive data they contain, and the huge number of business transactions they represent.  

How can you minimize document-related risk? A properly configured electronic data interchange (EDI) solution from a reliable provider can help a lot.  

Unlike widely exploited document formats like PDFs, ZIP archives, and Microsoft 365 files that are typically sent and received via email, EDI documents are usually exchanged over secure network protocols. EDI data is also encrypted and subject to automatic checks on its integrity and confidentiality, making it extremely difficult for cybercriminals to exploit.  

EDI workflows also confirm through traceability that the data received comes from a legitimate source. A further layer of security with modern EDI systems includes robust access control and authentication procedures to thwart credential-based attacks on the EDI environment itself. 

However, EDI networks are not invulnerable to attack, especially today with the increased use of cloud-based, browser accessible portals. This makes it critical for EDI users to choose a vendor with a strong cybersecurity profile. 

What cybersecurity controls should you look for in an EDI vendor? 

A secure, reliable, scalable, and compliant EDI platform for exchanging critical data with trading partners is foundational to supply chain operations, not to mention executives’ peace of mind.   

Here are some of the ways leading EDI vendors ensure end-to-end protection for sensitive data:  

• Hosting on redundant, Tier 3+ data centers. 

• Mirroring and real-time data replication to minimize the potential for data loss or downtime while enabling efficient disaster recovery. 

• IT security controls that meet or exceed the requirements of comprehensive cybersecurity standards like SOC 2 or ISO 27001. 

• Encryption for data in transit and at rest. 

• Implementing encryption for all portal login passwords, ensuring compliance with robust security policies. These include minimum password length, the use of special characters, restrictions on reusing previous passwords, and mandatory password changes after a defined period of time. 

• A dedicated EDI application firewall that strictly controls access to the EDI service and instantly blocks any event not in compliance with your EDI policy. 

• A full audit trail for all transactions plus reporting capabilities to ensure transparency. 

• 24×7 monitoring/logging of the EDI network to ensure transactions are flowing. 

• Service availability with 99.9+% uptime. 

• 24×7 service and support to ensure problems are addressed promptly and to help prevent potential cybersecurity incidents and other issues from escalating. 

Probably the single most essential capability for secure EDI is pervasive data encryption. Even if hackers breach your corporate network and gain access to your servers, your encrypted EDI data will still be safe. 

Application firewalls are another key element of secure EDI. Because the firewall knows exactly what information EDI documents can safely contain, they can proactively block malware, weaponized scripts, and other suspicious content—thus stopping cyberattacks in their tracks.  

Cybersecurity Benefits of an EDI Managed Service 

For organizations that lack deep cybersecurity expertise, another way to protect sensitive data is to choose an EDI managed service versus managing EDI in-house.  
 
Outsourcing to an EDI managed service provider can turn EDI into a competitive advantage by providing all the needed expertise and infrastructure—thus reducing IT complexity and cost while freeing you to focus on your core strengths and grow your business.  
 
One of the top benefits of an EDI managed service is to reduce your cybersecurity footprint. Companies are always responsible for their own internal cybersecurity controls like multifactor authentication (MFA), security awareness training, and roles-based access. But a managed EDI service provider usually takes on all the cybersecurity responsibilities associated with the cloud-based IT infrastructure your EDI runs on—including the servers and storage where your EDI documents reside, and the network elements they traverse. 
 
Cloud-based, hosted EDI also offers many other benefits besides improved data protection, especially:  

• Lower operating and capital costs by eliminating the need to deploy and manage on-premises IT infrastructure. 

• Dynamic resource scalability to automatically support growing transaction volumes without manual intervention.  

• Anytime/anywhere access to your cloud-based EDI platform over an internet connection. This facilitates remote work, supports collaboration among virtual teams, and improves overall business agility. 

• The option for seamless integration with a cloud-based ERP environment. EDI/ERP integration eliminates manually rekeying order, customer, and/or tracking data to cut fulfillment lead times, eliminate errors, and improve customer experience. 

• A streamlined approach to upgrading and integrating other areas of your supply chain technology. In particular, implementing a cloud-based vendor managed inventory (VMI) solution can reduce multiple supply chain risks, including both inventory and cybersecurity risks, by creating more advanced, efficient, and secure workflows.  

What else can supply chain leaders do to reduce cybersecurity risk? 

While technology enhancements like hosted EDI and VMI can be an effective way to reduce business risk from cyberattacks and other supply chain disruptions, organizations should also consider bolstering internal processes to eliminate gaps in protection.  

Some of the best opportunities may include: 

• Implementing MFA across networks and for all systems that handle sensitive data. 

• Ensuring your backups are safe from ransomware attacks and other sources of data exfiltration, corruption, and loss. 

• Encrypting sensitive data wherever it resides on in-house systems. 

• Moving toward “zero trust” practices like network segmentation and least-privilege access. 

• Tracking and auditing key processes that involve sensitive data in line with regulatory standards. 

• Adopting best-practice risk management processes to support business continuity. 

• Conducting regular vulnerability assessments and penetration tests to validate that your IT environment remains secure in the midst of constant change. 

• Developing an incident response plan to reduce the impact of cybersecurity incidents. 

• Providing ongoing cybersecurity awareness training for staff to reduce the effectiveness of phishing and other social engineering attacks. 

• Partnering with vendors that uphold high cybersecurity standards, and regularly validate the cybersecurity postures of your critical vendors with questionnaires or other methods. 

What’s next? 

For more guidance on how peer organizations are addressing supply chain risks, download the Supply Chain Trends Report 2024.