Tuesday, 25 April 2023

Is your organisation doing enough on supply chain security?

A recent survey has shown that not enough organisations are taking supply chain security seriously. We consider the risks – and how to mitigate them.

A recent government survey has revealed that too few organisations are fully vetting their supply chain in order to reduce cyber risk. In this blog, we take a look at what organisations need to do in terms of supply chain cyber security and the best ways to achieve it.


In the UK, it seems unlikely that most are. The government's latest Cyber Security Breaches Survey shows that only a small minority of organisations review the risks posed by their immediate suppliers, and fewer still look at their wider supply chain. 

Let’s consider what the risks are – and how to mitigate them.


What is supply chain risk?


McKinsey defines supply chain risk as arising at the intersection of supply chain vulnerabilities and exposure to unforeseen events that could have a negative impact on the supply chain. 

When it comes to cyber security, the weak points and attack routes in a supply chain might include: 

•    Data breaches at a supplier that holds your data

•    Social engineering of supplier staff

•    Insecure or over-privileged APIs between you and your suppliers

•    Third-party software providers

•    Website builders and other hosted tooling

•    Third-party data stores

•    Watering hole attacks via a supplier's website or portal

•    Partner cybersecurity failings

•    Corruption and culture

Yet despite these many avenues of attack, the Cyber Security Breaches Survey 2022, published by the Department for Digital, Culture, Media and Sport (DCMS), found that only 13 per cent of businesses review the risks posed by their immediate suppliers and only seven per cent review the risks posed by their wider supply chain.

So, how can you harden against these vulnerabilities and protect your organisation from a supply chain cyber attack?


The principles of securing your supply chain


In 2018, the UK's National Cyber Security Centre (NCSC) published a set of 12 principles for mitigating supply chain risk, designed to help you establish effective control and oversight of your supply chain. Grouped into four stages, these principles are as follows:

  • Understand the risks
    o    Understand what needs to be protected and why
    o    Know who your suppliers are and build an understanding of what their security looks like
    o    Understand the security risk posed by your supply chain

  • Establish control
    o    Communicate your view of security needs to your suppliers
    o    Set and communicate minimum security requirements for your suppliers
    o    Build security considerations into your contracting processes and require that your suppliers do the same
    o    Meet your own security responsibilities as a supplier and consumer
    o    Raise awareness of security within your supply chain
    o    Provide support for security incidents

  • Check your arrangements
    o    Build assurance activities into your supply chain management

  • Continuous improvement
    o    Encourage the continuous improvement of security within your supply chain
    o    Build trust with suppliers

Updated supply chain security guidance from NCSC


In October 2022, in response to increased threat levels and research that suggested that organisations did not have enough visibility over their extended supply chains, the NCSC updated its guidance about supply chain security. 

At the time, the NCSC's deputy director for government cyber resilience said: "With incidents on the rise, it is vital that organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place."

The new guidance emphasises the need to identify your organisation's "crown jewels", i.e. the critical assets and functions that your organisation needs to protect the most, and to prioritise your actions and protections accordingly throughout your interactions with your supply chain.

It also includes detailed advice about how to map your supply chain so that you can assess risk accurately and fully and take the necessary actions in response. Detailed mapping matters, says the NCSC, because while you cannot eradicate supply chain attacks, a mapped supply chain leaves you better placed to recognise when a risk has materialised and to respond rapidly. This will help you to limit the scope of damage to your organisation.
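As an added illustration of what a mapped supply chain makes possible (this is example code written for this post, not NCSC material or Grant McGregor tooling, and every supplier, dependency and asset in it is constructed), the following Python script records which immediate suppliers touch each crown jewel and which suppliers they in turn depend on, then works out which crown jewels a compromise of any single supplier, at any tier, would expose:

```python
"""Toy supply-chain map: which crown jewels does a supplier compromise expose?

Constructed example for illustration only. The assets, supplier names and
dependencies below are made up and do not describe any real organisation.
"""
from collections import deque

# Crown jewels -> the immediate (tier-1) suppliers that host or can access them.
CROWN_JEWELS = {
    "customer-db": {"hosting-co"},
    "payroll": {"payroll-saas"},
    "source-code": {"ci-provider"},
}

# Supplier -> the suppliers it depends on (the wider supply chain).
# A compromise of any value in a set can propagate to the key.
DEPENDS_ON = {
    "hosting-co": {"dns-registrar", "backup-vendor"},
    "payroll-saas": {"hosting-co"},
    "ci-provider": {"oss-mirror"},
    "backup-vendor": {"oss-mirror"},
    "dns-registrar": set(),
    "oss-mirror": set(),
}


def immediate_suppliers():
    """Tier-1 suppliers: those with direct access to at least one crown jewel."""
    return set().union(*CROWN_JEWELS.values())


def tiers():
    """Shortest-hop tier of every supplier (1 = immediate, 2+ = wider chain)."""
    dist = {s: 1 for s in immediate_suppliers()}
    queue = deque(dist)
    while queue:
        supplier = queue.popleft()
        for dep in DEPENDS_ON.get(supplier, ()):
            if dep not in dist:
                dist[dep] = dist[supplier] + 1
                queue.append(dep)
    return dist


def dependents_of():
    """Reverse the dependency graph: supplier -> suppliers that rely on it."""
    rev = {s: set() for s in DEPENDS_ON}
    for supplier, deps in DEPENDS_ON.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(supplier)
    return rev


def exposed_jewels(compromised):
    """Crown jewels reachable if `compromised` is breached.

    Walks upstream through every supplier that transitively depends on the
    compromised one, then maps any tier-1 supplier reached to its assets.
    """
    rev = dependents_of()
    seen, queue = {compromised}, deque([compromised])
    while queue:
        supplier = queue.popleft()
        for upstream in rev.get(supplier, ()):
            if upstream not in seen:
                seen.add(upstream)
                queue.append(upstream)
    return {jewel for jewel, sups in CROWN_JEWELS.items() if sups & seen}


def blast_radius():
    """Suppliers ranked by how many crown jewels their compromise would expose.

    Returns (supplier, tier, sorted list of exposed jewels), worst first, so the
    list doubles as an assurance priority order.
    """
    tier = tiers()
    rows = [(s, tier.get(s), sorted(exposed_jewels(s))) for s in DEPENDS_ON]
    return sorted(rows, key=lambda r: (-len(r[2]), r[1], r[0]))


if __name__ == "__main__":
    for supplier, tier, jewels in blast_radius():
        print(f"tier {tier}  {supplier:14} exposes {', '.join(jewels) or 'nothing'}")
```

Run it and the top of the report is the open-source mirror two tiers away: no tier-1 supplier would list it on a questionnaire, yet it sits upstream of all three crown jewels. That is the blind spot the survey's seven per cent figure points at, and it only becomes visible once the wider chain has been mapped rather than just the immediate suppliers.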


The better management of supply chain cyber risk


The NCSC acknowledges that “supply chains are often large and complex and effectively securing the supply chain can be hard because vulnerabilities can be inherent, introduced or exploited at any point within it. This makes it difficult to know if you have enough protection across the entire supply chain.”

While it might be difficult, the rise in this type of attack means that organisations must address the risk. The step-by-step approach set out by the NCSC is a good starting point.

Taking the time to map your supply chain effectively will help you to expose and understand these vulnerabilities so you and your wider supply chain can take appropriate actions. It will require working closely with your supply chain partners to understand and mitigate cyber risk – a requirement that will help you to strengthen your partnerships and weed out potentially risky suppliers.


What now?


The Grant McGregor team is on hand to talk you through all aspects of cyber security, including cyber vulnerabilities and actions throughout your supply chain. If you’d like further information or help, please get in touch.

Call us: 0808 164 4142

Message us: https://www.grantmcgregor.co.uk/contact-us 


Further reading

You can find additional insights into cyber security topics on our blog:

•    The 2023 cyber threats for which you should prepare

•    AI’s new role in cyber security

•    New changes to Cyber Essentials for 2023

•    A recent case exposes why cyber security requires multiple lines of defence

•    What Does the War in Ukraine Mean for Your Cyber Security?