In an ever-increasingly digital world, how a business manages and protects its networks and data is a business-critical function. Supply chain partners with direct access to your networks are potentially the highest area of risk. Martin Smith MBE, the founder and chairman of the influential cybersecurity forum SASIG, the Security Awareness Special Interest Group, advocates that cybersecurity should become an integral part of the procurement process.
The pandemic has led to a boom in remote working and growing concern that cyber criminals have been capitalising on the increased use of emails and internet devices. However, the majority of cybersecurity breaches are caused by human mistakes, where unsuspecting users are lured into letting a potential attacker have access to a network.
As digitisation in business relationships becomes common and supply chains extend, we see cyber criminals targeting organisations up and down the supply chain. Cyber resilience generally varies by organisation size and we have seen the gap between small and large firms widen. In the UK, large companies are responding by investing in knowledge and, according to insurers Hiscox, almost all (98%) firms with more than 1,000 people now have a role specifically for cybersecurity.
Chief Information Security Officers (CISOs) and their cybersecurity colleagues can provide specialist cybersecurity knowledge to reduce risks of cyberattacks in the supply chain by becoming more involved in the procurement of vendors.
Cyberattacks cost the UK economy around £30 billion per annum. This is an astonishing sum, so it was no surprise that the new National Cyber Strategy (December 2021) is aimed at beefing up resilience in the fast-moving digital world. It stressed that we need to continue to adapt, innovate and invest in order to protect and promote our nation’s interests in cyberspace.
SASIG’s own research has found that commerce, industry and public services have operated a fragmented approach to cybersecurity in the supply chain and that risks are ever-present and need to be constantly monitored and reviewed.
CISOs tell us that businesses should take stronger steps to establish robust procedures that minimise cybersecurity risks within the supply chain. We found that 97% of CISOs see the supply chain as a source of risk, and more robust procedures are necessary in order to mitigate risk exposure.
We’re at a stage where procurement teams expect vendors to adopt policies and procedures that provide more robust security controls. While system and network administrators can be guilty of system misconfigurations, poor patch management practices and the use of weak passwords, ongoing auditing and due diligence can guard against these types of threats.
Organisations would be wise to adopt regular cyber audits during the course of any commercial arrangement that exchanges data and gives a third party access to proprietary networks.
Looking for third-party assessments can be fraught with difficulty because fragmented standards and cross-border working can expose some sectors to greater risk. More substantial international agreements will be necessary to tighten up on protecting against cyberattacks, and the theft of data assets and intellectual property.
The government has recently embarked on further consultation with business to drive up security standards in outsourced IT services used by almost all UK businesses and is planning the introduction of new laws.
Other proposals being considered include making improvements in the way organisations report cybersecurity incidents and reforming legislation so that it is more flexible and can react to the speed of technological change.
Last year, the Department for Digital, Culture, Media and Sport found that only 12% of businesses regularly reviewed cyber risks, and only 5% of companies were looking at cyber risks in their supply chain. Worryingly, this had fallen from 9% in 2020.
The latest round of consultation is also aimed at raising the bar and creating a set of agreed qualifications and certifications for those working in cybersecurity, so that they can demonstrate they are properly equipped to protect businesses online.
Recently, high-profile cyber incidents, such as the cyberattacks on SolarWinds and Kaseya, have exposed the vulnerabilities in the third-party products and services used by businesses. Cyber criminals and hostile state actors can exploit weaknesses affecting hundreds of thousands of organisations at the same time.
Ransomware became the most significant cyber threat facing the UK in 2021 – a real threat that can cause disruption to the delivery of essential services or critical national infrastructure.
A ransomware cyberattack on Hackney Council last year caused many months of disruption and cost millions of pounds to rectify. At a critical time when it was dealing with the impact of the pandemic, the council was locked out of important data and many services were disrupted, including council tax and benefit payments. Other organisations have suffered similar attacks, causing disruption to services and damaging corporate reputations.
Exposure to risk within the supply chain often depends on what access a vendor has to a client network and what digital storage capability the vendor uses. Human factors, by design or accident, also expose organisations to security breaches. Educating staff (permanent and contract) and members of the supply chain is therefore essential to make people aware and accept responsibility for their own actions.
CISOs and HR teams who establish training programmes to ensure that staff understand what risk they are exposed to, and the implications of a breach, are better placed to mitigate threats. Effective training will provide the necessary skills for workers to identify a threat and react in an appropriate manner.
Employee training should also be tracked and, should maturity decline, further training should then be made available to keep on top of new threats.
It is not unusual for a business manager who procures products and services, and works with the supply chain, to be unaware that a cybersecurity threat exists. Therefore, CISOs have to work hard to get closer to procurement teams and employees so that they can advise on cybersecurity issues.
Prequalification procedures can catch vendors who appear weak. When they are identified, effective due diligence is necessary prior to any appointment. Regular audits and spot inspections should monitor adherence to cybersecurity procedures by vendors and labour-only contractors.
Where a partner's cybersecurity capability is limited, collaboration between partners within the supply chain will help to tighten up policies and procedures so that risk is reduced.
The lead tier in the supply chain will inevitably determine the way risk is assessed and how firmly cybersecurity is managed. Some procedures can be rigid and long-winded, but may be necessary where safety and commercial/financial data are business-critical components.
The supply chain has evolved into a complex web of organisations that can deliver products and services from almost any location to customers across the globe. All sectors operate in different ways and will deliver customer services in different territories that have to respect either national or international regulations.
As international threats grow, global agreements need to be strengthened to protect commercial and personal data storage. Where data is held and who has access to this information is at the crux of ensuring that the supply chain is secure.
International threats are not a single issue. Intellectual property theft and lack of enforcement are a major concern, especially where incidents go unchallenged. Geopolitical issues also put pressure on businesses operating across different territories.
At a local level, the Internet of Things has built increased connectivity, heightening concerns about exposure to more potential risk. Greater due diligence, set within robust procedures, will be necessary to minimise cybersecurity risks throughout the procurement process, from prequalification right the way through to ongoing operations.
Bad behaviour needs to be driven out by organisations that are taking the threats and risks seriously. Supply chain relationships are often built around trust, and adhering to agreed standards will improve this trust. Therefore, incorporating cybersecurity firmly within the supply chain life cycle can, and will, make the difference.
Martin Smith MBE
Chairman & Founder
SASIG – the Security Awareness Special Interest Group