Building awareness of cyber security risks within your organisation and supply chain is an absolute must in today’s complex web of systems and services required to run a business of any size. Becoming aware, and subsequently realising that you need to take action to better protect your organisation can be a daunting moment, however there is much you can do to ensure that securing your business supply chain is achievable and sustainable.
Attack methods evolve at an alarming pace alongside new technologies, processes, industries, ways of working, routes to market – the role of anyone working within IT or Cyber Security has never been so diverse and challenging both in regards to breadth and depth of the possible risks and the mitigation work around those risks. To this end, communication of security needs across the supply chain are key, we all have a responsibility whether we are end users or supplying in to the supply chain.
Having a common language within your business and alongside your suppliers regards cyber security will ensure that each party has the same focus and understands key themes in the same way. To this end, following developed frameworks will not only enable this but they can do a lot of the heavy lifting for you and your suppliers. So let’s take a look at the cyber security accreditations available in the UK, for both you and your supply chain partners.
Starting with the National Cyber Security Centre’s 10 Steps to Cyber Security we have a set of guiding topics which summarise a lot of the advice NCSC give to businesses, and provide links off to more in-depth guidance. This isn’t a formal accreditation as such but is rather a great starting point for any organisation who has decided to dedicate time and resource to increasing its cyber resilience. Breaking down the challenge of better protecting your organisation from cyber-attacks will ensure a more manageable plan can be built from the outset.
There are three commonly adopted, more formal cyber security accreditations in the UK and these are Cyber Essentials, Cyber Essentials Plus and ISO 27001. Cyber Essentials & Cyber Essentials Plus are Government backed schemes that when achieved will form a solid foundation for protecting your organisation against the most common cyber-attacks. Cyber Essentials is a self-assessment accreditation that you can prepare for and carry out yourself, however we would always recommend working on the preparation with an experienced partner. Cyber Essentials Plus is an enhanced version of the above where a hands-on, in-person technical verification of security controls required by Cyber Essentials is carried out by an approved Certification Body. Both of these accreditations offer reassurance to all parties in the supply chain and also enable a solid understanding of your own security posture.
ISO 27001 is something that goes considerably further in its requirements than the Cyber Essentials scheme. It’s essentially focused on organisations meeting the requirements of 114 security control elements that focus on people, process and technology elements of information security. It is therefore a more involved process to prepare and achieve the standard, but when in place offers a depth of reassurance to partners and suppliers. Compared to Cyber Essentials, it is also designed as more of a framework and with less specifically defined control requirements, so may be more suitable for some organisations.
Outside of organisations seeking to gain formal accreditation and recognition there are two key cyber security frameworks at play in the UK, the NIS Directive and DSPT (which is solely for work delivered to the NHS). NIS has a core aim of aiming to “raise levels of cyber security and resilience of key systems across the EU”, and is part of UK law. Following the NIS regulations ensures that you are working within a framework to manage cyber security, security incidents, act co-operatively and ensure information is shared openly and will ensure that any organisation deemed to be providing essential services “are required to take appropriate and proportionate security measures to manage risks to their network and information systems”.
Being solely focused on the UK NHS, DSPT “allows organisations to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly”.
Having all this in place is a reassurance for our own business and indeed can hold us all to account, but we must always ask a key question and that is “Do our suppliers do what they say they do?”. This is a question raised in a really insightful interview conducted by The Eastern Cyber Resilience Centre here with Dr Buck Rogers. You may need to not only have accreditations and certifications in place but also ask of them from your suppliers, and on an ongoing basis will need to audit them to ensure that they are indeed working to these standards.
Ensuring that the partners in your supply chain give you the robustness you need to feel assured that your business and its key operations are secure both in terms of data & information management and operational security should be high on the agenda of any business leader today. We have talked a lot here about requirements we should ask of ourselves and our suppliers, one should not forget the importance of collaboration and trust being imperative to the success of any supply chain relationships. Both parties are facing the challenges that the world of cyber-crime present to businesses and organisations of all types; working together is paramount to success.
Beyond frameworks, accreditations and strong partnerships it will always be the case that ensuring everyone in all organisations in the supply chain are invested in protecting their business from the threats faced from cyber-attacks. To this end the people element remains an integral line of defence for supply chain security so ensuring that staff are well informed and trained on an ongoing basis needs to be factored in to any cyber security strategy. This is also a key requirement of the majority of the frameworks we’ve talked about here. Whether it’s training your leadership team on how to be prepared or putting in place an Incident Response Plan, this investment will always reap reward in the face of an attack across your supply chain.
Supply chain security is an ongoing task as those within any supply chain are always changing how they operate, their systems, their services and their staff. An approach of continuous improvement is going to ensure you have an open stance to supply chain security acknowledges the inherent cyber security risks and shows preparation to respond when you need to.