A recent survey has shown that not enough organisations are taking supply chain security seriously. We consider the risks – and how to mitigate them.
Is your organisation doing enough on supply chain security?
In the UK, it seems unlikely. A recent government survey has shown that not enough organisations are taking this threat seriously – both in terms of their immediate suppliers and their wider supply chain.
Let’s consider what the risks are – and how to mitigate them.
McKinsey defines supply chain risk as arising at the intersection of supply chain vulnerabilities and exposure to unforeseen events that could have a negative impact on the supply chain.
When it comes to cyber security, the risks and attack vectors that can reach you through your supply chain include:
• Data breaches at a supplier that holds or processes your data
• Social engineering of your staff or your suppliers' staff
• Insecure or over-privileged APIs between your systems and a supplier's
• Third-party software providers (including the updates and dependencies they ship)
• Website builders and hosting platforms
• Third-party data stores
• Watering hole attacks (compromise of a site your staff or partners routinely visit)
• Partner cyber security failings
• Corruption and culture
Yet, despite these many avenues of attack and risk, the DCMS Cyber Security Breaches Survey 2022 found that only 13 percent of businesses review the risks posed by their immediate suppliers, and only seven percent review the risks posed by their wider supply chain.
So, how can you strengthen against these vulnerabilities and protect your organisation from supply chain cyber-attack?
In 2018, the UK’s National Cyber Security Centre proposed a set of 12 principles for mitigating supply chain risk, designed to help you establish effective control and oversight of your supply chain. These principles are as follows:
In October 2022, in response to increased threat levels and research that suggested that organisations did not have enough visibility over their extended supply chains, the NCSC updated its guidance about supply chain security.
At the time, the NCSC's deputy director for government cyber resilience said, “With incidents on the rise, it is vital that organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place.”
The new guidance emphasises the need to identify your organisation's “crown jewels”, i.e. the critical assets, systems and data that you most need to protect, and to prioritise your actions and protections accordingly throughout your interactions with your supply chain.
It also includes detailed advice on how to map your supply chain so that you can assess risk accurately and fully and take the necessary actions in response. Detailed mapping matters, says the NCSC, because while you cannot eradicate supply chain attacks, you will be better placed to recognise when a risk materialises and to respond rapidly. This will help you to limit the scope of damage to your organisation.
The NCSC acknowledges that “supply chains are often large and complex and effectively securing the supply chain can be hard because vulnerabilities can be inherent, introduced or exploited at any point within it. This makes it difficult to know if you have enough protection across the entire supply chain.”
While it might be difficult, the growing number of attacks of this type means that organisations must try to address the risk. The step-by-step approach outlined by the NCSC is a good starting point.
Taking the time to map your supply chain effectively will help you to expose and understand these vulnerabilities so you and your wider supply chain can take appropriate actions. It will require working closely with your supply chain partners to understand and mitigate cyber risk – a requirement that will help you to strengthen your partnerships and weed out potentially risky suppliers.
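As an added illustration of the mapping advice above (this is not Grant McGregor's or the NCSC's own code or method), the script below models a supply chain as a directed graph in which an edge means “a compromise of A can affect B”, then works out which suppliers, at any tier, have a path to a crown jewel. The supplier names, assets and relationships are constructed for the example; the point it shows is that a fourth party you have no contract with can end up top of the list because two of your immediate suppliers depend on it.

```python
"""Map a supply chain as a directed graph and rank suppliers by their
reach into the organisation's crown jewels.

Added example, not code from the page's authors or the NCSC. All names
below are constructed for illustration.
"""
from collections import deque

# Constructed map. Key -> list of nodes that a compromise of the key could
# affect. Suppliers point at the assets they can access and at the
# suppliers that rely on them (i.e. sub-supplier -> supplier -> asset).
SUPPLY_CHAIN = {
    "payroll-saas": ["hr-records"],
    "msp-helpdesk": ["admin-accounts", "office-laptops"],
    "web-agency": ["public-website"],
    # Wider supply chain: we hold no contract with these, but our
    # immediate suppliers depend on them.
    "cloud-host-x": ["payroll-saas", "msp-helpdesk"],
    "rmm-tool-vendor": ["msp-helpdesk"],
    "plugin-author": ["web-agency"],
}

# Suppliers we contract with directly (tier 1).
IMMEDIATE_SUPPLIERS = {"payroll-saas", "msp-helpdesk", "web-agency"}

# The assets we most need to protect.
CROWN_JEWELS = {"hr-records", "admin-accounts"}


def reach_distances(graph, start):
    """Breadth-first search from `start`.

    Returns {node: hops} for every node a compromise of `start` could
    affect, with the shortest number of hops to each.
    """
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def map_exposure(graph, immediate, crown_jewels):
    """For each supplier connected to our estate, report its tier and the
    crown jewels it can reach.

    Tier 1 = an immediate supplier; tier n = n-1 hops away from the nearest
    immediate supplier. Suppliers with no path into our estate are omitted.
    """
    exposure = {}
    for supplier in graph:
        dist = reach_distances(graph, supplier)
        hops_to_contract = [dist[s] for s in immediate if s in dist]
        if not hops_to_contract:
            continue
        exposure[supplier] = {
            "tier": 1 + min(hops_to_contract),
            "crown_jewels": sorted(cj for cj in crown_jewels if cj in dist),
        }
    return exposure


def prioritise(exposure):
    """Order suppliers for assessment: most crown jewels reachable first,
    then nearest tier, then name for a stable result."""
    return sorted(
        exposure,
        key=lambda s: (-len(exposure[s]["crown_jewels"]), exposure[s]["tier"], s),
    )


if __name__ == "__main__":
    exposure = map_exposure(SUPPLY_CHAIN, IMMEDIATE_SUPPLIERS, CROWN_JEWELS)
    for name in prioritise(exposure):
        info = exposure[name]
        print(f"{name:16} tier {info['tier']}  crown jewels: {info['crown_jewels'] or '-'}")
```

Running it puts the hypothetical cloud host first, ahead of every supplier you actually contract with, because it sits underneath both the payroll platform and the managed service provider. That is the kind of concentration a contract-by-contract review of immediate suppliers would never surface, and it is why the NCSC guidance asks for the map to go beyond tier 1.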
The Grant McGregor team is on hand to talk you through all aspects of cyber security, including cyber vulnerabilities and actions throughout your supply chain. If you’d like further information or help, please get in touch.
Call us: 0808 164 4142
Message us: https://www.grantmcgregor.co.uk/contact-us
Further reading
You can find additional insights into cyber security topics on our blog:
• The 2023 cyber threats for which you should prepare
• AI’s new role in cyber security
• New changes to Cyber Essentials for 2023
• A recent case exposes why cyber security requires multiple lines of defence
• What Does the War in Ukraine Mean for Your Cyber Security?