Your business is only as secure as the weakest link in your supply chain. In the last 12 months, 65% of medium/large and 42% of micro/small businesses identified at least one cyber breach or attack. Whilst many occurred through in-house errors, some were inevitably the result of security issues in the company’s supply chain, given an increasingly digitised environment and the reliance on third-party vendors.
Supply chain attacks can affect your company in many ways. Not only your operational performance (for instance the NHS had to cancel operations and appointments when they were hit by a ransomware attack back in 2017
How does an attack occur?
A supply chain attack seeks to damage a business or organisation by targeting a less-secure element, such as a product, service or system, in its supply network. There are sophisticated ways for
For instance, in 2013 the US retailer Target was hit by one of the largest data breaches in the history of the retail industry. Around 40 million customers’ credit and debit card details became susceptible to fraud after malware was introduced into the POS system. It is believed to have been introduced thanks to failings in the IT system of one of their heating, ventilation and air conditioning contractors. It directly impacted Target’s profit, which fell more than 40% in the quarter after the attack.
Further real-world examples of supply chain attacks can be found here.
So how can you help safeguard your supply chain?
The National Cyber Security Centre suggests that all companies observe the following guidelines:
– Understand what needs to be protected, and why
– Know who your suppliers are, and build an understanding of what their security looks like
– Understand the security risk posed by your supply chain
– Communicate your view of security needs to your suppliers
– Set and communicate minimum security requirements to your suppliers
– Build assurance activities into your supply chain management
– Encourage the continuous improvement of security within your supply chain
– Build trust with suppliers
However, for companies that do not have the resources available to work through these guidelines and put together a full risk management policy, there are a couple of quick ways to see if your potential vendors are aware of their security responsibilities:
Check for Cyber Essentials. This simple but effective UK government scheme helps organisations protect themselves against a whole range of the most common cyber attacks. In particular, the focus is on protecting a company’s IT infrastructure from attacks that use widely available tools and demand little skill, such as hacking, phishing, and password guessing.
Check for ISO27001. This is an international standard for companies that