Connected Disruption: Are IoT and ESG Strengthening Supply Chains — or Making Them Fragile by Design?

Organizations are increasingly leveraging Internet of Things (IoT) devices and related technologies to enhance supply-chain visibility and achieve Environmental, Social, and Governance (ESG) objectives. However, digital integration introduces novel vulnerabilities: recent coverage reported that cyber-attacks on Malaysian software supply chains increased dramatically in 2024–2025, showing how technologies that enhance visibility can also magnify systemic risk (Malay Mail, 2024). As organizations more widely deploy IoT solutions and adopt ESG models, a critical question arises: Are we engineering systems that can withstand operational demands, or are we accumulating complexity that predisposes networks to cascading failure? 


The promise of digital integration is nevertheless significant. For example, the Saudi Food and Drug Authority (SFDA) is planning to mandate IoT sensors integrated with its Wasl platform for temperature-sensitive pharmaceutical goods, a proposed initiative intended to reduce spoilage and strengthen regulatory compliance. Large companies such as Unilever use IoT in their supply chains to obtain real-time emissions data, helping them meet sustainability goals and save money. These examples show how technology can be transformative when combined with good management, but it must be designed for resilience rather than complexity.
 


IoT gives companies clear, real-time data, such as temperature history and energy and emissions figures, so problems can be identified quickly and reporting is simplified. But data alone won't address weak links. If companies simply drop suppliers that do not meet the mark without assisting them, they may thin the supply mix and increase overall risk. Measurement needs to be paired with support, such as technical help, strategic funding, and resilience-focused contractual provisions for sustainability, so that environmental gains do not compromise the network. Social tracking, on the other hand, helps safeguard workers and accelerate enforcement, but may create privacy and fairness problems for small suppliers. A sensible approach to ESG should abide by three principles. The first is using standard, compatible data. The second is a preference for reports that shield privacy while aggregating data. The last is incentives, such as grants, flexible timetables, or procurement commitments, that help suppliers deliver on the standard. We should make ESG about measurable improvement and shared strength, not simply a report card.
 

 

Connectivity also poses risks. Tariq et al. (2023) demonstrate that IoT systems provide new avenues for attacks that can damage system availability and safety. Every sensor can provide an avenue through which interruptions can occur. In Malaysia's recent wave of incidents, threat actors targeted availability and operational processes, demonstrating how attacks on software supply chains can disrupt the governance systems that ESG monitoring and compliance rely on, even when the attack is not primarily about data theft.

 

The problem is not just about cybersecurity. ESG compliance, even when pursued for valid reasons, makes companies less able to weather financial storms. When businesses restrict their supplier base to those that adhere to stringent rules, they sacrifice the backup systems that previously helped during localised issues. Truant et al. (2024) note that mandatory ESG disclosure increases stakeholder attention but exposes vulnerable processes to competitors and malicious individuals. Real-time IoT optimization results in brittle systems, in which minor problems can escalate into massive issues.

 

The future calls for “resilience-weighted ESG” frameworks that combine transparency with flexibility, and connectivity with backup. That means rewarding suppliers not just for ESG metrics but for business continuity during disruption. The actual danger is not technology disruption or regulatory overkill; it is the assumption that more data and compliance somehow translate to resilience. Are we building networks that weather unpredictable storms, or glass castles: beautiful, transparent, and one shock away from shattering?

 

References 

Malay Mail. (2024, August 13). Survey: Most Malaysian software supply chains exposed to cyberattacks. Malay Mail. https://www.malaymail.com/news/money/2024/08/13/survey-most-malaysian-software-supply-chains-exposed-to-cyberattacks/146851  

Tariq, U., Ahmed, I., Bashir, A. K., & Shaukat, K. (2023). A critical cybersecurity analysis and future research directions for the internet of things: A comprehensive review. Sensors, 23(8), 4117. https://www.mdpi.com/1424-8220/23/8/4117  

Truant, E., Borlatto, E., Crocco, E., & Sahore, N. (2024). Environmental, social, and governance issues in supply chains. A systematic review for strategic performance. Journal of Cleaner Production, 434, 140024. https://www.sciencedirect.com/science/article/pii/S0959652623041823  

 

 

 

 

MSc (Cornell), risk management and GRC expert with experience in crisis management and organizational resilience

Amena AlBasher