IN WHAT is now an ever-increasingly digital world, the ways in which companies manage and protect their networks and data have become business-critical functions. Supply chain partners with direct access to your networks are potentially the highest area of risk. Martin Smith advocates why cyber security should become an integral part of the procurement process.
The COVID-19 pandemic has led to a boom in remote working and growing concern that cyber criminals have been capitalising on the increased use of e-mails and Internet devices as employees operate outside of the normal office environment. However, the majority of cyber security breaches are caused by human mistakes, whereby unsuspecting users are lured into letting a potential attacker gain access to the corporate network.
As digitisation in business relationships becomes commonplace and supply chains gradually extend, we see cyber criminals targeting organisations up and down those chains.
Generally speaking, cyber resilience varies by organisation size and we’ve seen the ‘resilience gap’ between small and large firms widen. In the UK, large companies are responding by investing in knowledge. According to insurer Hiscox, almost all (ie 98%) of those firms with more than 1,000 members of staff on the payroll now have a role specifically dedicated to cyber security.
For their part, Chief Information Security Officers (CISOs) and their cyber security colleagues can provide specialist cyber security knowledge to reduce the risks posed by cyber attacks in the supply chain by becoming more involved in the procurement of vendors.
Cyber attacks cost the UK economy around £30 billion per annum. This is an astonishing sum of money, so it was perhaps no surprise to learn that the new National Cyber Strategy 2022 (published by the Conservative Government last December) is squarely aimed at ‘beefing up’ resilience levels in the fast-moving digital world.
The 130-page document suggests that we need to continue to adapt, innovate and invest in order to protect and, in tandem, promote our nation’s interests in cyber space. Very true.
The Security Awareness Special Interest Group’s (SASIG) own research has found that commerce, industry and public services have operated a fragmented approach to cyber security in the supply chain. Risks here are ever-present and need to be constantly monitored and reviewed.
CISOs tell us that businesses should take stronger steps to establish robust procedures that minimise cyber security risks within the supply chain. We’ve found that 97% of CISOs view the supply chain as a source of risk and firmly believe that more robust procedures are necessary in order to mitigate organisations’ risk exposure.
We’re now at a stage where procurement teams expect vendors to adopt policies and procedures that provide far stronger security controls. While system and network administrators can be guilty of system misconfigurations, poor patch management practices and the use of weak passwords, ongoing auditing and due diligence can actively safeguard against these types of threats.
Organisations would be wise to adopt regular cyber audits during the course of any commercial arrangement that exchanges data and yields a given third party access to proprietary networks.
Looking for third party assessments can be fraught with difficulty because fragmented standards and cross-border working may well expose some sectors to greater risk. More substantial international agreements will be needed to tighten up on protecting against cyber attacks, not to mention the theft of data assets and Intellectual Property.
Driving up standards
The Government has recently embarked on further consultation with the business community in a bid to drive up security standards when it comes to the outsourced IT services used by almost all UK businesses and, in addition, is planning the introduction of new laws.
Other proposals being considered include making improvements to the way in which organisations report cyber security incidents and reforming legislation such that it’s more flexible and can react to the sheer speed that underpins technological change.
Last year, the Department for Digital, Culture, Media and Sport found that only 12% of businesses regularly review their cyber risks, while just 5% of companies were looking at cyber risks in their supply chain. Worryingly, that last statistic had fallen from 9% in 2020.
The latest round of consultation is also aimed at raising the bar and creating a set of agreed qualifications and certifications for those working in the realm of cyber security so they can ably demonstrate that they’re properly equipped to protect businesses in the online environment.
Recent high-profile cyber incidents, such as the cyber attacks on SolarWinds and IT company Kaseya, have exposed vulnerabilities in the third party products and services used by businesses. Cyber criminals and hostile state actors can exploit weaknesses affecting hundreds of thousands of organisations at the same time.
Ransomware became the most significant cyber threat facing the UK in 2021. This is a very real threat that can cause substantial disruption for essential services delivery or the operation of Critical National Infrastructure.
A ransomware-based cyber attack on Hackney Council in late 2020 caused many months of disruption and cost millions of pounds to rectify. At a critical time when it was dealing with the impact of the pandemic, the organisation was locked out of important data and many services were disrupted, including council tax and benefit payments. Other organisations have suffered similar attacks, causing disruption to services and damaging corporate reputations.
Exposure to risk within the supply chain often depends on what access a vendor has to a client network and what digital storage capability the vendor uses. Either by design or accident, human factors also expose organisations to security breaches. Educating staff (either permanent employees or contracted individuals) and members of the supply chain is therefore essential to make people aware and accept responsibility for their own actions.
CISOs and Human Resources teams who establish training programmes to ensure that staff understand the risk to which they’re exposed, and the implications of any breach, are better placed to mitigate threats. Effective training will provide the necessary skills for workers to identify threats and then react in an appropriate manner.
Employee training must be tracked. Should maturity decline, further training must then be made available so as to keep on top of new threats.
People, skills and resources that protect commerce, industry and public services from cyber attacks will feature at the third edition of the Cyber Security Skills Festival being organised by SASIG in partnership with the UK Cyber Security Council. The event runs on Tuesday 22 February.
The Cyber Security Skills Festival is hosting more than 40 organisations from all sectors, all of them hungry to find new talent. Representatives of over 50 UK universities and public security bodies from across the cyber security community will be in attendance.
The agenda will include a keynote presentation from a representative of the UK Cyber Security Council and highlight the need for a new wave of diverse cyber security professionals. In addition to attending workshops, delegates can explore the array of roles now available in the cyber world.
Simon Hepburn, CEO of the UK Cyber Security Council, has noted: “We’re delighted to partner with SASIG to deliver the third edition of the Cyber Security Skills Festival. Careers and skills in cyber security are high on our agenda at the UK Cyber Security Council. Enticing more people to consider entering the cyber security industry is crucial so that we can help to close the cyber skills gap that currently exists. With skills, training and education in cyber security high on the agenda for our organisation, partnering with SASIG to deliver this event aligns perfectly with our own core values.”
Access to the third Cyber Security Skills Festival is free for attendees and employers. Further information is available online at www.thesasig.com/skills-festival
It’s not unusual for a business manager who procures products and services, and works with the supply chain, to be unaware that a cyber security threat exists. Therefore, CISOs have to work hard to become closer to procurement teams and employees such that they can better advise on cyber security issues.
Prequalification procedures can catch out those vendors who appear weak. When they’re identified, effective due diligence is necessary prior to any appointment. Regular audits and spot-check inspections should monitor adherence to cyber security procedures by vendors and labour-only contractors. Where there’s limited strength, collaboration between partners in the supply chain will tighten up policies and procedures such that risk is reduced.
The lead tier in the supply chain will inevitably determine the way in which risk is assessed and how firmly cyber security is managed. Some procedures can be rigid and somewhat long-winded, but may be necessary where safety and commercial/financial data are business-critical components.
The supply chain has evolved into a complex web of organisations delivering products and services from almost any location to customers across the globe. All sectors operate in different ways and will deliver customer services in different territories that have to respect either national or international regulations. As international threats grow, global agreements need to be strengthened to protect commercial and personal data storage. Where data is held, and who has access to this information, is at the crux of ensuring the supply chain is secure.
International threats are not a single issue. Intellectual theft and lack of enforcement are a major concern, and especially so where incidents pass by unchallenged. Geopolitical issues also put pressure on businesses operating across different territories.
At the local level, the Internet of Things has built increased connectivity, heightening concerns about exposure to more potential risk. Greater due diligence, set within robust procedures, will be necessary in order to minimise cyber security risks throughout the procurement process, from prequalification right the way through to ongoing operations.
Bad behaviour needs to be driven out by organisations being determined to take threats and risks seriously. Supply chain relationships are often built around trust. Adhering to agreed standards will improve that trust. Incorporating cyber security firmly within the supply chain lifecycle can – and will – make the difference.
Martin Smith MBE is Chair and Founder of the Security Awareness Special Interest Group (SASIG) (www.thesasig.com)