securing your business supply chain
Whether you are providing cyber security services & support to your clients, or you are a business or organisation buying in these services – you are all part of a complex supply chain, and one that is playing an increasingly critical role in protecting business activity and end customers.
You are at risk from cyber-crime purely by being in business now that the way organisations operate is more digitalised. When you layer on the supply chain there are additional considerations that must be made both as a supplier or buyer of solutions. As an organisation working with a number of third party providers to enable your business, whether this is for IT services, payroll, invoicing, cloud storage or data management, you are unavoidably introducing risk in to your operations. Cyber security does not stop at the edges of your own business.
As the UK Governments 2021 “the majority of organisations of all sizes have not formally reviewed the risks posed by their immediate suppliers and wider supply chain”. Lack of time, information and knowledge are the main reasons businesses do not review their supply chain security. Many organisations cite these same issues, and we hope we can help address them with greater collaboration across our members.
Cyber criminals are focused on exploiting the weak points in your suppliers, making them attractive targets for attackers as they can have a significant impact on many businesses through one target victim. This compounds the reality that this is everyone’s challenge to address and that building a more cyber resilient network is possible if we are honest about the risks and open about how we are addressing them, or not.
It would be prudent at this point to highlight that all businesses and organisations are at risk – cyber criminals do not discriminate between smaller & larger operations, or exclude sensitive or critical sectors, their approach is to find weaknesses and exploit them most commonly for financial gain. Indeed smaller organisations, of which there are many across our region, are arguably more at risk as they tend to have less secure infrastructure and are more sensitive to attacks as they can be taken offline much quicker than larger organisations, and often the effects of this are more damaging.
Setting the standard regarding how you approach supply chain security for your own business will have a twofold impact on both your organisation and your suppliers. Internally it will demonstrate that you are taking the risks seriously and investing in taking control of the security measures you can directly influence, and with your suppliers it will show them that to work alongside your business they are required to have a keen eye on their own security measures relating to their customers. Ongoing investment in a planned approach to supply chain management, and asking your suppliers and partners about their cyber resilience and approach to cyber security, is a central part of adopting good practice that builds a baseline of security for your business.
At this point you may be thinking that this sounds like a lot of work – well it often is, but the rewards are there to see every day in a business that is as protected as it can be. Cyber-attacks are increasingly a case of when and not if in today’s world. Working with a cyber security specialist can do a lot of the heavy lifting in mitigating these risks as far as is possible, whether that be through assessing your security position and working with you to build a strategy, or it may be that you have that knowhow inhouse and are looking to work with a partner on something more specific such as cloud configuration or penetration testing.
The responsibility for securing your business and your supply chain, does not just fall to you and your suppliers. There is an inherent responsibility for cyber security businesses to ensure that the work they do across their clients builds more cyber resilience in to each supply chain they touch. Whether they are providing consultancy, penetration testing or incident response planning your cyber security partners will bring a breadth and depth of experience and knowledge that an in-house resource may not have.
Early on in your relationship with a cyber security specialist what they need to do is often uncomfortable for your organisation as they will be assessing your situation as it is and there will be reasons as to why the engagement is happening. Whether that be the result of having experienced an attack or identifying some risks and not knowing how to better secure the business, they are there to support you and will be leading you to a more robust security position. Due to the nature of what they do, security companies are required to be accredited and are always working to standards and frameworks, which gives you the confidence that they can indeed do what they say they can. Beyond this it would be prudent for both parties to put in place a Service Level Agreement to ensure you get what you need and they understand what is expected of them in terms of delivery.
There is indeed a lot of work for us all to do in better securing our businesses, but the benefits of doing so cannot be underestimated.
The interconnected nature of how we do business today coupled with the need to ensure we are all operating in as secure an ecosystem as possible (the challenge of both business and cyber specialists), presents a lot of challenges and thankfully huge opportunity for collaboration and development of a more cyber secure business network across the East of England, and beyond.