You might think that if your organisation is protected against cyber-attacks, that’s all you need to worry about. Even if you have put measures in place to make sure your network and systems are highly available as well as safe and secure, have you considered whether those in your supply chain can say the same?
Hackers deliberately target supply chains as easy gateways: a single attack on one supplier can give them a route into a large number of infrastructures and let them wreak a considerable amount of damage.
It is a well publicised fact that employees frequently succumb to sophisticated phishing and ransomware attacks when those attacks are built around a profile that looks like a bona fide member of the supply chain. It is estimated that 91% of successful data breaches started with a spear phishing attack.
That makes it all the more surprising to read figures from the National Cyber Security Centre’s Security Breaches Survey 2016 which show that only 13% of those businesses surveyed set minimum cyber security standards for their suppliers. That breaks down to 25% of medium sized organisations and 34% of large organisations, with data-heavy sectors such as finance, insurance, education, and health and social care leading the way.
Around 50% of those that set standards insist on a recognised quality standard such as ISO27001, with 8% looking for suppliers who hold Government and industry-backed Cyber Essentials certification, and 5% asking for Cyber Essentials Plus.
The Government is holding up Cyber Essentials and Cyber Essentials Plus as demonstrators of information security good practice, and from 2014 required all suppliers bidding for contracts involving the handling of sensitive and personal information to be certified. We believe that this will become the ‘must have’ minimum to which customers and suppliers must adhere.
Securing the supply chain can be difficult, but the need to act is more urgent than ever before in the face of increasingly sophisticated cyber-attacks which are costing UK businesses millions, both directly and indirectly. Witness the £100,000 fine levied on communications firm TalkTalk by the Information Commissioner’s Office: the breach was actually down to a supply chain third party’s misuse of data, but responsibility ultimately rested with TalkTalk.
So what can you do to ensure the security of your supply chain?
As cyber security experts our advice is to start by embarking on the Cyber Essentials and Cyber Essentials Plus certification processes. These serve as markers that demonstrate an organisation has adopted good practice in information security. Relatively quick to implement, and available at a modest cost, having them in place lays solid foundations for a robust cyber-security wraparound for your own business.
Looking outward to your supply chain, the NCSC has published useful guidance in the form of 12 principles designed to help businesses understand the risk, establish control, check arrangements and maintain a cycle of continuous improvement to ensure their supply chain is as secure as possible.
It is not an easy task but it is a very necessary one. Ian Levy, technical director of the NCSC calls it “a complex problem with lots of nuances.” It may look daunting but if you have the right IT partner in place, it should be something they have done hundreds if not thousands of times, and they should be able to help you.
Businesses can no longer rely on simply protecting their own organisation; they must look further afield at partners and suppliers and satisfy themselves that they too have the right security measures in place.
Any chain is only as strong as its weakest link. Give our cyber security experts a call and see how we can help you turn any weak link into a strong defence.