As an Advisory Group member for the Cyber Resilience Centre for Wales (WCRC), Chambers Wales South East, South West and Mid is passionate about ensuring Welsh businesses benefit from the support the organisation provides.

Here, Director of the WCRC, Detective Superintendent Paul Peters, sheds light on the risks linked with insufficient cybersecurity within supply chains. Moreover, he outlines actionable measures that businesses can adopt to significantly enhance their supply chain security:

Paul said: “It’s vital that businesses across Wales start assessing the cybersecurity posture of their supply chain, if they aren’t already, to identify any vulnerabilities and mitigate the very real risks that exist.

“Cybercriminals will often target weak links within a company’s supply chain to gain access to their target business, which can allow them to exploit vulnerabilities and compromise critical systems.

“There are many different types of attacks, with new ways of exploiting vulnerable systems continually being developed. One of the most prevalent methods aimed at the supply chain is phishing attacks. A phishing attack is a form of cyber-attack where attackers attempt to deceive individuals or organisations into revealing sensitive information, such as passwords, financial details, or personal information, by posing as a trustworthy entity. This can potentially lead to an account being compromised, allowing for further movement up the supply chain from a trusted account. Once the attacker has gained access to one company, you’d be surprised just how quickly they can move towards the primary target organisation.

“Our guidance is that you can reduce the risks associated with these phishing attacks within your own supply chain by requiring policies which include;

· Strong passwords,

· Multi-factor authentication,

· Employee training on recognising and reporting phishing attempts,

· Regular security audits of suppliers and partners

· Continuous monitoring of network activities for suspicious behavior.

· Staying vigilant and promoting a strong cybersecurity culture throughout the supply chain is key to preventing successful attacks on your own organisation.

“Without these adequate cybersecurity measures in place, the risks to businesses include:

• Data breaches: A weak cybersecurity culture in your supply chain can lead to data breaches, where sensitive data is exposed, potentially resulting in financial, legal, and reputational implications for both organisations and their customers.

• Operational disruption: A cyber-attack on a supplier's infrastructure can disrupt the entire supply chain. If critical systems are compromised or unavailable, for example through ransomware, the results can include production being interrupted, deliveries being delayed, and financial losses. These can greatly impact customers and other stakeholders.

• Reputational damage: A breach within your supply chain can still tarnish the reputation of your organisation, meaning customer and supplier trust could be eroded. We have all seen how quickly news of a successful cyber-attack spreads, making it difficult to rebuild your reputation.

• Impact of regulators: Data protection and privacy regulations in the UK include a requirement to report to the Information Commissioners Office (ICO) in the event of a data breach. Should this happen to someone in your supply chain, your organisation could be at risk of legal penalties, fines, and other ramifications.

“To mitigate these risks, some steps we recommend are:

• Comprehensive supplier assessments: It’s so important to assess the cybersecurity of your potential suppliers. Take time to evaluate their security measures, protocols, incident response plans, as well as the maturity of their security practices.

• Security requirements in contracts: Incorporate cybersecurity requirements as contractual obligations for suppliers. Specify the necessary security measures they need to implement, such as encryption, access controls, regular audits, and employee training.

• Ongoing monitoring and audits: Continuously monitor suppliers' cybersecurity practices and conduct periodic audits to ensure compliance with agreed-upon standards. Regular assessments help identify any potential vulnerabilities or gaps in security.

• Incident response planning: Collaborate with suppliers to develop comprehensive incident response plans. Establish communication channels, roles, and responsibilities, and conduct regular drills or simulations to test the effectiveness of the plans.

•

Security awareness and education: Promote cybersecurity awareness among suppliers through training programs.

“The WCRC can assist with supporting supply chain businesses to improve their cyber security, no matter their size. Smaller businesses may be less likely to focus on cybersecurity, maybe due to a lack of resources, budget, or simply not understanding the risk. But, by encouraging your supply chain to sign up to the WCRC, they will benefit from access to ongoing support and alerts. This includes guidance from the National Cyber Security Centre, regular updates on types of attacks, and support in achieving Cyber Essentials Certification. The Cyber Resilience Centres also provide entry point cybersecurity services, such as staff awareness training and vulnerability assessments, at a discounted rate.

“If every business starts taking steps to address the cybersecurity posture of their supply chain, no matter how small, we can all contribute to a more secure and resilient supply chain ecosystem.”

Chambers Wales South East, South West and Mid works with the Cyber Resilience Centre for Wales to help SMEs to improve their cyber resilience.

If you would like to learn more about improving cybersecurity across your supply chain then contact the WCRC at enquiries@wcrcentre.co.uk.