Member Article
Supply chain security - who is your weakest link?
You may think that if your organisation is protected against cyber-attacks, that’s all you need to worry about. But even if you are confident that your own network and systems are highly available, safe and secure, have you considered whether those in your supply chain can say the same?
Garry Sheriff, Managing Director of tech experts ITPS, gives his advice on looking outside your organisation, in order to protect it.
“Hackers love targeting supply chains. They see them as easy gateways through which they can reach a large number of infrastructures via a single attack, and wreak a considerable amount of damage.
Employees frequently succumb to sophisticated phishing and ransomware attacks if these attacks are built around a profile that looks like a bona fide member of the supply chain. It is estimated that 91% of successful data breaches started with a spear phishing attack.
Which makes it all the more surprising to read figures from the National Cyber Security Centre’s Security Breaches Survey 2016 which show that only 13% of those businesses surveyed set minimum cyber security standards for their suppliers. That breaks down to 25% of medium-sized organisations and 34% of large organisations, with data-heavy sectors such as finance, insurance, education, and health and social care leading the way.
Around 50% of those that set standards insist on a recognised quality standard such as ISO27001, with 8% looking for suppliers who hold Government and industry-backed Cyber Essentials certification, and 5% asking for Cyber Essentials Plus.
The Government is holding up Cyber Essentials and Cyber Essentials Plus as demonstrators of information security good practice, and from 2014 required all suppliers bidding for contracts involving the handling of sensitive and personal information to be certified. We believe that this will become the ‘must have’ minimum to which customers and suppliers must adhere.
Securing the supply chain can be difficult, but the need to act is more urgent than ever before, in the face of increasingly sophisticated cyber-attacks which are costing UK businesses millions, both directly and indirectly. Witness the £100,000 fine levied on communications firm TalkTalk by the Information Commissioner’s Office, which was actually down to a supply chain third party’s misuse of data, but responsibility ultimately rested with TalkTalk.
So what can you do to ensure the security of your supply chain?
As cyber security experts our advice is to start by embarking on the Cyber Essentials and Cyber Essentials Plus certification processes. These serve as markers that demonstrate an organisation has adopted good practice in information security. Relatively quick to implement, and available at a modest cost, having them in place creates solid foundations for creating a robust cyber-security wraparound for your own business.
Looking outward to your supply chain, the NCSC has published useful guidance in the form of 12 principles designed to help businesses understand the risk, establish control, check arrangements and maintain a cycle of continuous improvement to ensure their supply chain is as secure as possible.
It is not an easy task but it is a very necessary one. Ian Levy, technical director of the NCSC calls it “a complex problem with lots of nuances.” It may look daunting but if you have the right IT partner in place, it should be something they have done hundreds if not thousands of times, and they should be able to help you.
Businesses can no longer rely on simply protecting their own organisation, they must look further afield at partners and suppliers and satisfy themselves that they too have the right security measures in place.
Any chain is only as strong as its weakest link. Check your chain and make sure any potential weak links are turned into strong defences.”
This was posted in Bdaily's Members' News section by Julie Brammer .