All businesses, schools, healthcare providers and charities sit within a supply chain that encompasses a myriad of service and systems providers that enable them to operate as they do. It is therefore the reality that every one of these has risk introduced to it by engaging with third parties whether they be providing systems, services or information. The proliferation of third party services that enable businesses to deliver their core services puts all businesses in a position of increased risk.
Anything that isn’t within your direct control should be considered as a third party risk. The relationships within your supply chain are often necessary and essential to your business being able to deliver its services, and often will expedite the time it takes for you to be able to do this. The Cyber Security risks in the Supply Chain are not to be ignored however, they are a very real and present threat to the stability of your business.
A lot of time is invested in ensuring that internal or proprietary systems are kept as safe as possible from email compromise, phishing campaigns or ransomware attacks – what we cannot do however is think that cyber security stops at the edges of our own business. Vulnerabilities are inherent in any supply chain whether it’s that of a large or small business. Weaknesses in a provider within your supply chain are an attractive target for attackers, especially if these suppliers work with multiple customers. That single point of access to disrupt many is a very attractive lure for cyber criminals.
Unfortunately it isn’t as straightforward as acknowledging the above and approaching each part of the supply chain in the same way; this will undoubtedly miss key points of difference and therefore risks present amongst your suppliers and partners. Each part of your unique supply chain is in itself unique even if they are providing same or similar services to your business. It is therefore absolutely key that your business has control and oversight of your supply chain as this is going to enable complete understanding of where the risk areas are.
Knowledge is indeed powerful, but knowing that there are cyber security supply chain risks simply isn’t enough. Securing the supply chain in your organisation is not a fast fix task or a tick box exercise, it requires investment and ongoing input. Continuous investment in a diligent approach to supply chain management, and asking your suppliers and partners about their cyber resilience and approach to cyber security, is the first step in adopting good practice that builds a baseline of security for your business.
As with most areas of cyber security this is a risk based approach where there is no absolute guarantee that you can be fully protected from supply chain attacks. Knowing what’s at risk and getting a more informed grasp is key, this is an ongoing requirement and should not be side-lined or assumed to be okay because it’s been looked at once before. Supplier and partner organisations are changing all the time, very much like your own business, and therefore being aware of significant changes in their operations or indeed whether they have suffered a cyber-attack is a central part of your approach to supply chain security.
One of the most effective ways to ensure that you are starting this journey with the best intentions is to meet your own requirements regards supply chain cyber security within your business. By being as secure and diligent as possible both for your business and as a part of other organisations supply chains, you are showing your suppliers that you are serious about supply chain cyber security.
Indeed, you may have already seen larger companies with more mature cyber security programmes are already putting more emphasis on supply chain security. If you are a supplier to large organisations you might experience being asked more questions about how you secure and protect your data when bidding for new contracts or at renewal points. It might be specific requests such as whether you have Cyber Essentials or ISO27001, or maybe you are just being asked to complete a security questionnaire to better inform their decision making.
To give this introduction real context your suppliers being hit with Ransomware attacks or Phishing campaigns compromising their systems and data (and your systems and data too), are two common examples of how your business could be put at risk.
Ransomware in the supply chain is not just about the big attacks such as SolarWinds or Kaseya, it is a real risk for smaller suppliers who are now more commonly being targeted by cyber criminals. The lure of the one-to-many approach for attack players can reap real havoc and therefore real rewards when smaller organisations within the supply chain are targeted. Often their systems are easier to access and their recovery measures less developed meaning that not only is it easy to get in but that it is also of greater impact to their business than for some larger organisations. This leads to the need for quick access to systems and data which often means ransoms are paid.
Equally appealing to cyber criminals are organisations where there is a less mature culture around cyber security, as this increases the likelihood that employees would engage with Phishing emails, resulting in impacts throughout the supply chain. By innocently clicking on a link within one of these emails an employee can give access to the data of their customers (your business), without you being aware as the attack isn’t hitting you directly. The effects of this can be incredibly damaging, so ensuring that your suppliers have a good security culture is something you must explore.
These risks can be managed by taking a pragmatic approach to supply chain cyber security and developing a deep understanding of the risks present in your specific supply chain relationships.
Keep an eye out for our next piece on cyber security in the supply chain where we will be looking in more detail at what the varying threats look like in the supply chain and the impacts they can have, sharing examples from across different industries.