Abstract
PurposeThe purpose of this paper is to explore how companies approach the management of cyber and information risks in their supply chain, what initiatives they adopt to this aim, and to what extent along the supply chain. In fact, the increasing level of connectivity is transforming supply chains, and it creates new opportunities but also new risks in the cyber space. Hence, cyber supply chain risk management (CSCRM) is emerging as a new management construct. The ultimate aim is to help organizations in understanding and improving the CSCRM process and cyber resilience in their supply chains.Design/methodology/approachThis research relied on a qualitative approach based on a comparative case study analysis involving five large multinational companies with headquarters, or branches, in the UK.FindingsResults highlight the importance for CSCRM to shift the viewpoint from the traditional focus on companies’ internal information technology (IT) infrastructure, able to “firewall themselves” only, to the whole supply chain with a cross-functional approach; initiatives for CSCRM are mainly adopted to “respond” and “recover” without a well-rounded approach to supply chain resilience for a long-term capacity to adapt to changes according to an evolutionary approach. Initiatives are adopted at a firm/dyadic level, and a network perspective is missing.Research limitations/implicationsThis paper extends the current theory on cyber and information risks in supply chains, as a combination of supply chain risk management and resilience, and information risk management. It provides an analysis and classification of cyber and information risks, sources of risks and initiatives to managing them according to a supply chain perspective, along with an investigation of their adoption across the supply chain. It also studies how the concept of resilience has been deployed in the CSCRM process by companies. By laying the first empirical foundations of the subject, this study stimulates further research on the challenges and drivers of initiatives and coordination mechanisms for CSCRM at a supply chain network level.Practical implicationsResults invite companies to break the “silos” of their activities in CSCRM, embracing the whole supply chain network for better resilience. The adoption of IT security initiatives should be combined with organisational ones and extended beyond the dyad. Where applicable, initiatives should be bi-directional to involve supply chain partners, remove the typical isolation in the CSCRM process and leverage the value of information. Decisions on investments in CSCRM should involve also supply chain managers according to a holistic approach.Originality/valueA supply chain perspective in the existing scientific contributions is missing in the management of cyber and information risk. This is one of the first empirical studies dealing with this interdisciplinary subject, focusing on risks that are now very high in the companies’ agenda, but still overlooked. It contributes to theory on information risk because it addresses cyber and information risks in massively connected supply chains through a holistic approach that includes technology, people and processes at an extended level that goes beyond the dyad.
Highlights
Over the last decades the expansion and importance of supply chain management has paralleled the growing ability of technology to exploit the benefits of information sharing for reducing costs, and concurrently improving customer satisfaction across business operations (Linton et al, 2014)
Results highlight the importance for cyber supply chain risk management (CSCRM) to shift the viewpoint from the traditional focus on companies’ internal information technology infrastructure, able to “firewall themselves” only, to the whole supply chain with a cross-functional approach; initiatives for CSCRM are mainly adopted to “respond” and “recover” without a well-rounded approach to supply chain resilience for a long-term capacity to adapt to changes according to an evolutionary approach
Theoretical background Consistently with the objectives of this research, we present a theoretical background focused on the areas investigated in this work: supply chain risk management and resilience, information risk management, and CSCRM
Summary
Over the last decades the expansion and importance of supply chain management has paralleled the growing ability of technology to exploit the benefits of information sharing for reducing costs, and concurrently improving customer satisfaction across business operations (Linton et al, 2014). This allowed hackers to access secure data giving them the location and security details of containers, meaning the traffickers could send in lorry drivers to steal the cargo before the legitimate owner arrived (Bateman, 2013). In addition to having an estimated cost for the company’s operations up to $300 million, this attack had serious repercussions on the operations of their clients, who found their shipments stranded on uncontrollable and inaccessible vessels These clients claimed that they had ICT security measures in place to “firewall themselves”, but clearly not their supply chain (Williams, 2017). Threats and attacks could involve partners upstream and downstream in the supply chain and have negative impacts on the focal company, even if “perfectly” protected against cyber-attacks
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.