The UK government has identified supply chain security as a key risk to the UK economy. As reported by the National Cyber Security Centre, cyber-attacks launched on businesses via their suppliers have increased significantly, yet still very few businesses review the cyber security of their suppliers.
Why are supply chain attacks growing?
Large enterprises are generally better equipped to defend against cyber threats: their more mature security infrastructures are becoming harder for criminals to breach directly.
As a result, attackers are turning their attention to small and medium-sized businesses (SMEs), which often have less robust security measures. The direct monetary gain from attacking an SME may be lower, but these businesses can be valuable stepping stones for criminals seeking to breach the larger organisations they supply.
A criminal who compromises an SME and uses it to launch a supply chain attack can therefore obtain far more substantial ‘rewards’ for the same effort than a traditional attack on that SME alone would yield.
Who’s at Risk?
Essentially, any firm holding valuable data or information relating to other companies is at risk. As an IT service provider, Pro Drive have considered themselves a target for some time and have put appropriate controls in place. Other sectors that can be considered at risk include:
- Professional services firms: accounting, legal and financial services firms possess highly confidential client information that can be exploited for extortion or financial theft.
- Software companies: firms developing software may hold sensitive financial or confidential information for their clients, or have their software installed on clients’ IT systems, which makes the software itself a potential route into those clients.
- Any business with valuable data: in short, any business that holds valuable information about its clients becomes a potential target.
What can you do?
To protect your business from the growing threat of supply chain attacks, consider these steps:
- Supply chain audit: whether your business is itself particularly at risk of a supply chain attack, or you have suppliers who may be, it is imperative that you audit the cyber security practices of your suppliers.
- Cyber due diligence: you may already have had to complete cyber security due diligence questionnaires, whether from clients, as part of a tender, or from your insurers. In short, you now need to apply the same due diligence to your own suppliers.
- Leverage security standards: using nationally and internationally recognised security standards as benchmarks, such as Cyber Essentials (with the audited ‘Plus’ version), IASME Cyber Assurance and ISO 27001, provides reasonable assurance of a supplier’s cyber security credentials. Get certified yourself and ask the same of your suppliers.
- Regular risk assessment: ensure you are carrying out regular cyber risk assessments and acting to reduce or mitigate the risks they identify.
How will this play out?
- Cyber regulation already exists for essential services such as energy and internet suppliers, and the government is now introducing it for the IT services sector too. Our prediction is that it will gradually roll out across other sectors in the future; looking across to the US, this is already happening.
- In the more immediate future, we expect supply chain audits to become commonplace even amongst SME firms, as industry regulatory bodies and insurers make them a requirement for accreditation or coverage.
- If you have no process for auditing your supply chain, or lack proportionate cyber controls of your own, you will likely start to lose out on business.
If you are confused about how to ensure your supply chain is safe, need to put a framework in place or simply have no idea how to get started, get in touch with our team now!