The directors of the Cyber Resilience Centres for the South West and Wales, Mark Moore and Paul Peters respectively, teamed up to discuss this very issue.

MM: We all operate in an interconnected business landscape, whether we are a sole trader, SME, charity or larger organisation, and having an awareness in this environment is becoming more and more important. This includes the procurement process, which should now be prioritising cyber security as a key factor to protect sensitive data, ensure business continuity, and safeguard the entire supply chain ecosystem. If as a business, charity or any organisation really, you aren’t already doing so, then it's time to start assessing the cyber security posture of your supply chain to identify vulnerabilities and mitigate the very real risks that exist.

PP: I agree and cannot overstate the importance of evaluating the cyber security readiness of your suppliers. Your own organisation’s security is only as strong as its weakest link, and any vulnerabilities within your supply chain can have far-reaching consequences. So, to coin the catchphrase from the popular show, it’s time to tell those businesses that aren’t implementing cyber security in our supply chains: “You are the weakest link, goodbye”.

MM: Organisations need to incorporate cyber security standards into their procurement process, by doing this you are proactively addressing potential risks and ensuring supply chain partners adhere to recommended security practices. Cyber-criminals will often target weak links within the supply chain to gain access to your networks, which will allow them to exploit vulnerabilities and compromise your critical systems, for example by deploying malware. So, what are the risks of not adopting cyber security considerations when looking at your supply chain?

PP: Without adequate security measures in place, an organisation can potentially expose themselves to:

• Data breaches: If there is a weak cyber security culture in your supply chain, this can lead to data breaches, where sensitive data is exposed leading to financial, legal, and reputational implications for both the organisation and its customers.
• Operational disruptions: A cyber-attack on a supplier's infrastructure can disrupt the entire supply chain. If critical systems are compromised or unavailable, for example through ransomware, the results can include production being interrupted, deliveries being delayed, and financial losses. These can impact customers and other stakeholders.
• Reputational damage: A breach within your supply chain could still tarnish the reputation of your organisation, meaning customer and supplier trust could be eroded. We have seen how quickly news of a successful cyber-attack spreads, making it difficult to rebuild your reputation.
• Impact of regulators: There are data protection and privacy regulations in the UK, and this includes a requirement to report to the Information Commissioners Office (ICO) in the event of a breach. This means the potential of the supply chain putting your organisation at risk of legal penalties, fines, and other ramifications.

MM: One widely reported example of a successful supply chain cyber-attack was SolarWinds which provided systems and network management and monitoring tools. Many of these are used by organisations across the globe. In this case hackers exploited a vulnerability allowing them to access networks of organisations using that software, including email accounts. There is some online speculation that a weak password was in use which was compromised by the attackers.

PP: Yes, and we also see phishing attacks aimed at the supply chain, seeking to trick the recipient into revealing information or downloading malware. This can potentially lead to an account being compromised, allowing for further movement up the supply chain from a trusted account. But the good news is that you can reduce the risks associated with weak password security and phishing attacks within your own supply chain by implementing robust security measures in your procurement process.

These should include strong password policies, multi-factor authentication, employee training on recognising and reporting phishing attempts, regular security audits of suppliers and partners, and continuous monitoring of network activities for suspicious behavior. Staying vigilant and promoting a strong cyber security culture throughout the supply chain will contribute towards preventing successful attacks on your own organisation.

MM: The other thing that interests me is that smaller companies often aren’t considered by those in procurement. There might be a bit of due diligence in place for IT suppliers, but this invariably tails off when it comes to those providing non-technical services, or products. Some steps to consider implementing to mitigate the risks are:

• Comprehensive supplier assessments: Assess the cyber security of your potential suppliers. Evaluate their security measures, protocols, incident response plans, and the maturity of their security practices.
• Security requirements in contracts: Incorporate cyber security requirements as contractual obligations for suppliers. Specify the necessary security measures they need to implement, such as encryption, access controls, regular audits, and employee training.
• Ongoing monitoring and audits: Continuously monitor suppliers' cyber security practices and conduct periodic audits to ensure compliance with agreed-upon standards. Regular assessments help identify any potential vulnerabilities or gaps in security.
• Incident response planning: Collaborate with suppliers to develop comprehensive incident response plans. Establish communication channels, roles, and responsibilities, and conduct regular drills or simulations to test the effectiveness of the plans.
• Security awareness and education: Promote cyber security awareness among suppliers through training programs.

PP: This is where the Cyber Resilience Centres (CRC) can support organisations. Within your supply chain there are likely businesses of all sizes. But those smaller businesses are less likely to focus on cyber security, maybe due to a lack of resources, budget, or simply not understanding the risk.

Encouraging your supply chain to sign up with a CRC means that they will have access to ongoing support and alerts. This includes guidance from the National Cyber Security Centre (NCSC), regular updates on types of attacks, and support in achieving Cyber Essentials certification. The CRCs also provide entry-point cyber security services, such as staff awareness training and vulnerability assessments, at a discounted rate.

MM: Helping businesses and charities move towards becoming more cyber resilient is the aim of the centres, so ideal for larger organisations to use to secure their own supply chains. And actually, I think it’s also helpful that the CRC’s coach small organisations through the basics of good practice. So even if they don’t secure formal certifications, making sure that they know about and have implemented basic measures, and are sighted on the latest threats, is really important.

PP: In Wales, Merthyr Tydfil County Borough Council has already introduced membership of the Cyber Resilience Centre for Wales as part of itsprocurement process, showing itscommitment to supporting and securing its own supply chain.

MM: The CRC network wants your supply chain ecosystem to be protected, and you can do this by pro-actively taking measures to raise the priority of cyber security. The first step is to encourage membership of their local CRC, and then move towards a cyber security certification. By including cyber security standards in the procurement process, you will be mitigating risks to your own organisation.

PP: And it’s important to consider that by choosing not to take this approach you are potentially allowing poor cyber security practices to flourish in your supply chain, which can lead to significant consequences for your own organisation. Don’t wait for the attack but be proactive, take action now to safeguard your data, finances and reputation by securing your supply chain.

To learn more about supply chain risks and introducing cyber security into your procurement process, contact:

enquiries@wcrcentre.co.uk – Wales

enquiries@swcrc.co.uk – South West England