The directors of the Cyber Resilience Centres for the South West and Wales, Mark Moore and Paul Peters respectively, teamed up to discuss this very issue.
MM: We all operate in an interconnected business landscape, whether we are a sole trader, SME, charity or larger organisation, and having an awareness in this environment is becoming more and more important. This includes the procurement process, which should now be prioritising cyber security as a key factor to protect sensitive data, ensure business continuity, and safeguard the entire supply chain ecosystem. If as a business, charity or any organisation really, you aren’t already doing so, then it's time to start assessing the cyber security posture of your supply chain to identify vulnerabilities and mitigate the very real risks that exist.
PP: I agree and cannot overstate the importance of evaluating the cyber security readiness of your suppliers. Your own organisation’s security is only as strong as its weakest link, and any vulnerabilities within your supply chain can have far-reaching consequences. So, to coin the catchphrase from the popular show, it’s time to tell those businesses that aren’t implementing cyber security in our supply chains: “You are the weakest link, goodbye”.
MM: Organisations need to incorporate cyber security standards into their procurement process; by doing this you are proactively addressing potential risks and ensuring supply chain partners adhere to recommended security practices. Cyber-criminals will often target weak links within the supply chain to gain access to your networks, which will allow them to exploit vulnerabilities and compromise your critical systems, for example by deploying malware. So, what are the risks of not adopting cyber security considerations when looking at your supply chain?
PP: Without adequate security measures in place, an organisation can potentially expose itself to:
MM: One widely reported example of a successful supply chain cyber-attack was SolarWinds, which provided systems and network management and monitoring tools. Many of these are used by organisations across the globe. In this case, hackers exploited a vulnerability allowing them to access the networks of organisations using that software, including email accounts. There is some online speculation that a weak password was in use which was compromised by the attackers.
PP: Yes, and we also see phishing attacks aimed at the supply chain, seeking to trick the recipient into revealing information or downloading malware. This can potentially lead to an account being compromised, allowing for further movement up the supply chain from a trusted account. But the good news is that you can reduce the risks associated with weak password security and phishing attacks within your own supply chain by implementing robust security measures in your procurement process.
These should include strong password policies, multi-factor authentication, employee training on recognising and reporting phishing attempts, regular security audits of suppliers and partners, and continuous monitoring of network activities for suspicious behaviour. Staying vigilant and promoting a strong cyber security culture throughout the supply chain will contribute towards preventing successful attacks on your own organisation.
MM: The other thing that interests me is that smaller companies often aren’t considered by those in procurement. There might be a bit of due diligence in place for IT suppliers, but this invariably tails off when it comes to those providing non-technical services, or products. Some steps to consider implementing to mitigate the risks are:
PP: This is where the Cyber Resilience Centres (CRC) can support organisations. Within your supply chain there are likely businesses of all sizes. But those smaller businesses are less likely to focus on cyber security, maybe due to a lack of resources, budget, or simply not understanding the risk.
Encouraging your supply chain to sign up with a CRC means that they will have access to ongoing support and alerts. This includes guidance from the National Cyber Security Centre (NCSC), regular updates on types of attacks, and support in achieving Cyber Essentials certification. The CRCs also provide entry-point cyber security services, such as staff awareness training and vulnerability assessments, at a discounted rate.
MM: Helping businesses and charities move towards becoming more cyber resilient is the aim of the centres, so ideal for larger organisations to use to secure their own supply chains. And actually, I think it’s also helpful that the CRCs coach small organisations through the basics of good practice. So even if they don’t secure formal certifications, making sure that they know about and have implemented basic measures, and are sighted on the latest threats, is really important.
PP: In Wales, Merthyr Tydfil County Borough Council has already introduced membership of the Cyber Resilience Centre for Wales as part of its procurement process, showing its commitment to supporting and securing its own supply chain.
MM: The CRC network wants your supply chain ecosystem to be protected, and you can do this by proactively taking measures to raise the priority of cyber security. The first step is to encourage membership of their local CRC, and then move towards a cyber security certification. By including cyber security standards in the procurement process, you will be mitigating risks to your own organisation.
PP: And it’s important to consider that by choosing not to take this approach you are potentially allowing poor cyber security practices to flourish in your supply chain, which can lead to significant consequences for your own organisation. Don’t wait for the attack but be proactive, take action now to safeguard your data, finances and reputation by securing your supply chain.
To learn more about supply chain risks and introducing cyber security into your procurement process, contact:
enquiries@wcrcentre.co.uk – Wales
enquiries@swcrc.co.uk – South West England