Government report highlights an awareness of supply chain risk, but a continued struggle to find a solution
The Dept of Digital, Culture, Media and Sport has issued an initial report following its call for views on supply chain security.
After issuing a call for views the Department of Digital,Culture, Media and Sport (DCMS) has issued its initial findings on supply chain security. The call for views was in response to the series of very high-profile breaches where an organisation’s data has been compromised, not by their own systems but by those of a key supplier.
The past few months have seen high-profile supply chain breaches such as Kaseya (more than 1,500 companies affected globally). More recently, the National Cyber Security Centre (NCSC) issued a warning that over 4,000 Magacart users in the UK had been compromised by hackers targeting payment details. This trend of cybercriminals entering through the ‘back-door’ is going to continue as they sense it as a weakness in many companies.
The call for views found that these high-profile breaches had made most companies aware of the threat but many were struggling to find appropriate solutions to gain better visibility into the vulnerabilities in their supply chain.
Indeed, 67% of respondents believed that limited visibility into supply chains was a severe barrier to effective supplier cyber risk management. Around 89% also believed that there was a lack of expertise within their organisation to evaluate supplier cyber risk. This is obviously a major problem. Cybercriminals are focusing on supply chain attacks, companies are aware that it is happening and yet cannot find ways of identifying and plugging the security gaps.
The introduction of GDPR in May 2019 saw a flurry of activity to ensure companies fulfilled at least a most basic assessment of their supplier risk. However, most of this comprised of an assessment in the form of a spreadsheet being sent to partners to fill out. Once, eventually, returned the forms were quickly reviewed and filed away with companies believing that they had completed the tick-box exercise to ensure adherence to the new regulation.
However, this approach relied on the ‘honesty’ and in-house expertise of partners and with no standardisation of response or scoring of risk, it was simply made companies feel better but offered very little other value. With this process typically only taking place annually, there is obviously plenty of opportunity for cyber criminals to take advantage of gaps that appear in the meantime.
The key is therefore, to industrialise the process, to make it an ongoing process to ensure that gaps within the supply chain are identified immediately and dealt with, as AJ Thompson, CCO at Northdoor explained. “There are two branches to this discussion. Firstly, there are those companies who are aware that there is a problem and know how to solve it, but are budget constrained. Secondly, there are those, who perhaps rather naively believe that they are unlikely to suffer a breach via their supply chain.
“The second branch is obviously worrying and probably represent those that are happy to continue to send out a spreadsheet once a year to analyse their supply chain’s vulnerabilities. Both branches need to take the threat seriously though. The threat from supply chains is very clear. No matter how high your own defensive walls are, or how much money you’ve spent on them, if you’re leaving the backdoor open you are inviting the cyber-criminal in.
“Industrialising the process internally is crucial,” continued Thompson. “Too often the manual process that takes place at the moment is not effective. It doesn’t happen regularly enough, it doesn’t happen well enough and it often falls between job roles anyway. By automating the process companies can be more confident that they are getting a regular 360-degree view of their supply chain vulnerabilities.
“As a result of the call for views, I believe that companies will soon have to take supply chain security seriously anyway. Legislation is likely to focus on companies who outsource their IT and similar areas to third parties as the potential downside is dramatic across multiple, possibly thousands of organisations, if they are breached. However, companies should be acting before they are forced to. It is not just a regulatory obligation, but a moralistic one too.”