CERT-UK, the UK National Computer Emergency Response Team, has published advice which aims to help businesses better understand the risks of cyber-security in supply chains. In CERT-UK’s publication, Cyber-security Risks in the Supply Chain, they explain where risks to cyber-security are usually found in supply chains and provide advice on mitigation and risk management.
The term cyber-security covers any technology, processes or knowledge employed to protect the data, programs, networks and computers of an organisation from any kind of cyber-attack, damage or unauthorised access. One of the challenging aspects of cyber-security is the constantly evolving nature of the security risks. CERT-UK have highlighted several recent examples of the different ways in which supply chains can be threatened by cyber-attacks, including attacks on third-party software providers, website builders and third-party data storage.
One of the significant problems of trying to protect the supply chain from cyber-security breaches is the lack of procedures which focus on this kind of risk. Although general risk management procedures are common practice, the same level of attention is not generally paid to cyber-security. This results in a failure to adequately identify and assess the risks. Consequently, the risks posed by cyber-security breaches are not addressed at the strategic planning level.
Another common area of risk for supply chains focuses on the smallest organisation in the chain. Although not always the case, the smallest organisation is generally also the most vulnerable in terms of cyber-security, owing to a lack of resources. By the very nature of a supply chain, the whole chain is potentially only as strong as its weakest link, and that weakest link is often the smallest organisation in it.
To reduce these risks there are usually three broad areas that need to be addressed: upgraded technology, enhanced processes and education of the workforce. However, the overriding issue is one of trust. Ideally there would be a comprehensive approach across the supply chain, allowing each organisation to assess its position within the chain and identify its own cyber-security risks. This kind of inclusive approach can be held back by a lack of communication across the supply chain, in particular the lack of a shared risk vocabulary, as well as by a lack of suitable strategic business planning.
To begin addressing these issues, the first step is to engage as many members of the supply chain as possible in a cyber-security risk assessment process. Small and medium-sized businesses can improve their cyber-security credentials by joining the government’s Cyber Essentials Scheme, where they can gain accreditation. Larger organisations should follow the 20 security controls set out by the government in the Critical Security Controls guidance. Common standards are also available from the International Standards Organisation (ISO); the ISO 27000 series of standards addresses ICT security issues.
In addition, it is important not to neglect the basics. For example, it is necessary to ensure that cyber-security is taken into account from the very beginning of the procurement process, that due diligence is thoroughly conducted when establishing a business relationship with new suppliers, and that new suppliers demonstrate an understanding of cyber-security risks. It is also worth considering adding security-focused clauses to contracts with suppliers; these clauses should state who is responsible for any data breach or compromise and should cover all businesses within the supply chain, including sub-contractors.
Supply chain risk management is already challenging without the added risks of cyber-attacks. The implementation of common standards, education of the workforce and upgrading of technology all help to mitigate the risks posed by cyber-attacks, but one of the most important factors is a close working relationship between all members of the supply chain. Working closely together strengthens the supply chain and helps protect each member of it.