The COVID-19 pandemic was a major disruption around the globe that revealed vulnerabilities, diffused from healthcare management to supply chains. As organizations rapidly shifted to digital operations, cyber risks spread across networks of employees, partners and suppliers. Seongkyoon Jeong, assistant professor in the Department of Supply Chain Management at the University of Tennessee, Knoxville, Haslam College of Business, and coresearchers studied how these interconnected “chained vulnerabilities” evolved during the disruption, showing how cyberattacks moved from targeting employees to exploiting suppliers and digital infrastructure during the pandemic in research1 recently published in the Journal of Operations Management.
In a Q&A, Jeong answers critical questions on chained vulnerabilities, cybersecurity and the future of cyber threats.
Your research found a sharp increase in cyberattacks routed through employees and suppliers. What does that research reveal about where supply chains are truly vulnerable, and how should executives rethink their priorities?
The main lesson is that many risks lie along the easiest paths. Supply chain attacks often happen in overlooked areas, so executives need to expand the viewpoint. The focus of supply chain cybersecurity shouldn’t just be on how important a supplier is, but on how closely it is linked to your company. The key issue lies in the nature of the connection and whether it can be used as an attack channel.
You describe digitalization and centralization as a double-edged sword. How did organizational changes and greater connectivity shift the attack surface, and what should managers take away from that?
Many people assume that improving visibility like tracking technologies in a business process improves productivity and overall performance. However, if you can see everything in your supply chain, then anyone who steals the access can also see it. In that way, digitalization is a double-edged sword.
Recall Target’s data breach case, which occurred in 2013. An HVAC supplier with privileged vendor access to Target’s main system served as the entry point of the attack. This supplier was not strategically important, but its privileged connection became a critical route for hackers. When organizations centralize and tighten control for efficiency, they also create attractive targets for attackers. Changes that improve visibility and coordination can introduce new vulnerabilities.
Many firms have moved data and operations to cloud and platform providers to outsource risk. Are cloud providers safer, or do they introduce new kinds of exposure?
This issue isn’t clear cut. Generally, major cloud providers are safer than most individual organizations. If we compare universities to Microsoft Azure, Dropbox or Google Drive, those providers tend to have higher security levels. So, moving data to the cloud service doesn’t necessarily increase risk.
The challenge lies in the supply chain structure around those services. Many different customers are connected to the same service provider. One company might be securely protected, but if another customer was compromised, that breach could extend to other businesses through the supplier.
When a centralized security system governs many users and assets, it becomes a preferred target as well. We depend on cloud and security services to protect us, but doing so also concentrates risk. Cybersecurity isn’t just about how strong the lock is; it’s also about how many people stand behind the same locked door.
As companies expand APIs and digital connections with partners but lack visibility into deeper supplier tiers, how should they approach managing cyber risk across the supply chain?
Executives must recognize that digitalization isn’t a panacea. It offers efficiency, better tracking and visibility, but those benefits shouldn’t be taken for granted. Hackers leverage digitalization just as much as we do. One practical approach is to implement role-based or level-based access to digitalized systems, just like any physically classified locations. Many small organizations still have minimal security mindsets. Even with digitalization and hierarchical access systems, suppliers with weak defense can be hacked, as can their own suppliers; cybersecurity experts call this a supply chain attack.
There’s no perfect solution, just as there’s no ideal solution for sustainable supply chains. For example, businesses often don’t know for certain of a deep-tier supplier uses child labor. They typically set minimum standards, checking suppliers’ certifications and practices and enforcing audits, but suspicions can linger.
Cybersecurity should be a formal element of supplier selection and evaluation. Just like sustainability, which has become a mainstream issue, cybersecurity needs to receive significant attention. We can’t constantly monitor everyone or act like a “big brother” since that’s impossible and too costly. Ultimately, preventive actions depend on selecting the right suppliers, not through achieving perfect visibility.
You’ve described cybersecurity as a “forever-evolving war,” especially with AI-enabled phishing and deepfakes. How is the threat landscape changing, and what capabilities should organizations build to stay ahead?
It’s a forever-evolving war because the vulnerability landscape keeps changing. From research conducted during the COVID-19 pandemic, I noticed a huge rise in supply chain attacks through digitalization. Today, the landscape is quite different; now we’re facing AI-driven threats.
Previously, our research pointed out that suppliers were particularly vulnerable. Now, employees are also highly at risk because AI tools can convincingly mimic human communication. We see more scam emails and social-engineering attacks, with messages impersonating coworkers, bosses, clients or suppliers. Our credentials have become even more exposed. As technology evolves, attackers use new methods and attack vectors continuously shift accordingly.
The solution to this challenge, although it is not perfect, is to improve adaptability. Many attacks are variations of previous ones because hackers reuse tools and techniques to re-exploit the same vulnerabilities. The solution is similar to what works in conventional supply chain risk management: the focus should not just be on recovering fast but on preparing for the next probable threat.
Cybersecurity should follow the same strategy. Prevention must come first, and that requires active monitoring to understand ongoing attack patterns since techniques used will be reused. Monitoring and preparation must be closely linked to form the foundation of cyberattack prevention.
1“Strange Dance Partners: Supply Chain Cyberattacks and Chained Vulnerability” by Seongkyoon Jeong, Zac Rogers and Thomas Y. Choi, was published in Vol. 71 Issue 6 of the Journal of Operations Management.
—
Author
Sara Hsu, clinical associate professor, shsu6@utk.edu
Contact:
Leah McAmis, senior editor, leah@utk.edu
Contact
Related News
UT Haslam Honors Staff, Faculty and Students at Annual Awards Ceremony
College leadership handed out 24 awards to the Haslam community.
Read ArticleGraduating UT Haslam Seniors Bond in Service to Country
As they prepare to graduate, Matt Coyne and Spencer Rabenold share their experience in ROTC, at UT and studying abroad.
Read ArticleAI Law Tool Wins UT Boyd Venture Challenge as Competition Expands Systemwide with $50,000 Prize Pool
The competition saw winners from UT and UTC, and the ACEI also celebrated other winners during its annual awards ceremony.
Read ArticleUT Haslam Graduating Senior Plans to Use Supply Chain to Solve Inefficiencies
Through multiple internships, Mali Tumusiime has found a passion for combining supply chain and business analytics.
Read Article