As businesses have made more use of digital services and applications over the course of the pandemic, they have become ever more reliant on digital suppliers who may or may not be implementing robust cyber security measures. Software or software patches can be compromised by attackers, so that users are unwittingly using vulnerable applications. Cloud applications might have weaknesses that could be exploited by criminals to gain access to data.
Furthermore, attackers continue to look for the weakest link into organisations and that may be through suppliers who have some connection to corporate systems. That moves the risks far beyond purely tech suppliers. Target, the US retailer, had one of the best-known data breaches in this context, when they were compromised as a result of an attack on their air conditioning supplier. The supplier had access into Target’s systems so that they could monitor air temperature in stores and this enabled attackers to get into Target’s network and point of sale systems.
Despite these risks, the latest UK Government Cyber Security Breaches Survey showed that only 12% of businesses have reviewed the cyber security risks posed by their suppliers, and only 5% have done this for their wider supply chain. There are many reasons why those numbers are so low. There is a general lack of awareness of the cyber risks that suppliers could present, and many businesses, especially SMEs, are likely to lack the time or skills to consider these risks in detail.
The National Cyber Security Centre has a wealth of good practices and principles that businesses can follow to improve their supply chain cyber risk management, including Supply Chain Security Guidance, Supplier Assurance Questions and Software as a Service (SaaS) security guidance.
But doing good due diligence over suppliers in this context can also be really challenging in practice. There is no consistent approach to standards, which leads to a lot of duplication in the process. Suppliers may be reluctant to give out sensitive information about the security measures they take. Where the largest suppliers are involved, smaller customers are unlikely to be able to get much information at all. And how far down the chain do you go in terms of sub-contractors?
Another point to consider is the impact of increasing amounts of cyber-related due diligence in procurement processes. For example, the UK government requires all of its suppliers who deal with particular types of data to be compliant with the Cyber Essentials standard. As businesses develop their own approaches here, in the absence of consistent standards, the ripple effects can be significant for all businesses.
The UK government has recognised these practical difficulties and launched a consultation to better understand the challenges faced, identify and share good practices in place and consider how the government should focus any future work in this area. In addition, they are consulting on a cyber security framework that Managed Service Providers could be required to follow.
ICAEW will be submitting a response to the consultation, and the Tech Faculty would welcome input from members (email firstname.lastname@example.org). We also encourage members and their organisations to submit responses.