Zach Zacharia on Why Cybersecurity is Top Threat to Supply Chain

Image by iStock/Peach_iStock

In this episode of Lehigh University’s College of Business ilLUminate podcast, we are speaking with Zach Zacharia about the most significant trends in the supply chain in 2023 and the biggest threats facing the global supply chain for the first quarter of 2024, as reported in the latest Lehigh Business Supply Chain Risk Management Index (LRMI).

Zacharia is an associate professor of supply chain management, interim department chair of Decision and Technology Analytics (DATA), and director of the Center for Supply Chain Research at Lehigh University. The quarterly LRMI was developed in 2020 by the Center for Supply Chain Research and the Council of Supply Chain Management Professionals.

Zacharia spoke with Jack Croft, host of the ilLUminate podcast. Listen to the podcast here and subscribe and download Lehigh Business on Apple Podcasts or wherever you get your podcasts.

Below is an edited excerpt from that conversation. Read the complete podcast transcript [PDF]. 

Jack Croft: Let's start by looking back on 2023. What were some of the most significant trends affecting the global supply chain in the year just past?

Zach Zacharia: The first trend is that the overall average risk has been much lower than years past. It's been around 65 as opposed to being [over] 70 a couple of years ago … So one of the things I want to stress is that supply chain executives are perceiving that there's less supply chain risk this past year.

Another new trend is that Cybersecurity for the first time became a number one risk. This happened in the second quarter of 2023, and stayed as the highest risk from then on. Now, Economic Risk was the number one risk for many years. And it started as the number one risk in the first quarter of 2023, but has dropped since then to the third risk in the first quarter of 2024.

Croft: Let's turn to the new Lehigh Business Supply Chain Risk Management Index report for the first quarter of 2024. And just to recap quickly, the LRMI, as we've discussed on previous podcasts, is a number between 0 and 100, where greater than 50 suggests increased risk, 50 suggests the same risk, and less than 50 suggests decreased risk. The numbers are based on ratings submitted by participating supply chain professionals on whether they felt the risk for the upcoming quarter, in this case the first quarter of 2024, compared to the risk in the fourth quarter of 2023 would likely increase, remain the same, or decrease for 10 different supply chain categories.

The overall average risk heading into the first quarter of 2024 is 64.61, which is down slightly from the fourth quarter of 2023 and remains low compared to the average risk historically, as you mentioned when you were talking about the trends from last year. For example, the all-time high overall risk was 72.79 just two years ago in the first quarter of 2022. So that decrease sounds like good news. Is it? 

Zacharia: Absolutely. … Risk adds uncertainty, and uncertainty is always a problem when you're trying to manage a supply chain. So definitely this decrease is very, very, very good news. The other thing I do want to state is that it is not a linear number. So 64.61 is not just eight less than 72. It's actually a little bit of a geometric progression. So there is a very much larger decrease than just the number of eight that is between the 64.61 compared to 72.79. So clearly there has been a significant decrease in supply chain risk in just the last two years.

Croft: Cybersecurity and Data Risk remains the top risk for the fourth straight quarter, as you had mentioned, as seen by the supply chain professionals who participate in the survey. And it has increased by three points from 75.34 in the fourth quarter of 2023 to 78.2 in this quarter.

So what are the main concerns supply chain professionals have regarding Cybersecurity and Data Risk? And how concerned should all of us be about it holding the top spot on the risk index for a full year?

Zacharia: Examples of Cybersecurity and Data Risk is cyber attacks, data corruption, data theft, systems viruses, hardware issues, security platform controls. Clearly, cybersecurity continuing to hold the top spot is a serious issue. Large companies have spent a lot of time trying to mitigate this risk, but this risk has been increasing basically because of some of the large trends that we're seeing.

First of all, there are more employees that work from home. And anytime you are in that kind of environment as opposed to a corporate environment, there is going to be additional risk because just the way the network is set up. Second, the threats have become much, much more sophisticated. It is clear that the actual groups that are trying to attack are companies. They're not just some person sitting in a basement somewhere. These are actually groups of people who specifically are trying to steal data and trying to ransom, hold large companies ransom.

And finally, the third point to note with cybersecurity is employees are the most vulnerable part when it comes to cybersecurity. And it is very clear it's the phishing attacks that people send [through] emails. Just this morning, I got an email supposedly coming from UPS saying that they don't have the correct address. There's something that has been delivered that we need your address. Please click on the link below so that we can deliver this goods for you. I mean, it looks so legitimate, but this only works if the employee clicks on the link. So that's the weak part of having employees and training has to be done. But I think most companies are aware of this and they're taking this very seriously.

Croft: In the most recent LRMI, Customer Risk is ranked second and has also increased from the last quarter of 2023, rising four points from 67.12 to 71.79. So what does Customer Risk entail and what are the main factors driving that index up?

Zacharia: Customer Risk is defined by fast-changing customer demand, easy-to-lose customer loyalty, changing customer-based demographics, hard-to-predict customer behavior, and hard-to-service customers. And I think what has become very clear is that customers are not only becoming more fickle, but they are becoming more demanding, wanting to have more customized products that meet their requirements. And so companies are having a harder time trying to predict that kind of customer behavior. And this is why Customer Risk has now become second because it has become more difficult for companies to anticipate what is needed.

Croft: As you had mentioned, in looking at the trends from last year, Economic Risk has been at or near the top of the index since it started and still holds that all-time [record] for the highest risk at 90.72 just in the third quarter of 2022, not that long ago. So even though it checks in at number three on the First Quarter 2024 risk index, it has come down to its lowest level yet, falling below 70 for the first time to 68.83.

So, again, what are the main factors that make up Economic Risk? And what are people most concerned about? But obviously, while it's still high, is there any good news in that it's now under 70, given how much time it has spent in the upper 70s, 80s, and even 90s in recent years?

Zacharia: Let's start with what is meant by Economic Risk. Examples of Economic Risk are increasing energy costs, commodity price volatility, labor shortages, demand shocks, global energy shortages and border delays. All of those kinds of examples, clearly the risks associated with those things have dropped down.

So the answer to your first question, yes, it is very good news that the economy is stabilizing. But the other thing to realize is that all the other risks have come down, which has been a clear effect that supply chain executives are seeing that overall risk is decreasing and Economic Risk has been a large part of that risk. And so people are being very positive or confident that the risk in the economy is decreasing.