Unravelling Your Supply Chain Security
Most businesses, even the smallest, will have some kind of supply chain. Not all will present cyber security risks, of course, but as your organisation grows, the number of suppliers on whom you depend grows too, and your supply chain becomes more complex.
Supply chain attacks are frequent – according to the National Cyber Security Centre (NCSC), they made up 17% of all cyber attacks in 2021. But what is a supply chain cyber attack?
What is a supply chain cyber attack?
Attackers may attack your supply chain to cause harm to you, or to your suppliers – which may indirectly harm you by cutting off your supply.
This is not necessarily a cyber attack, of course. For example, if you are a small business making clothes to sell online and someone deliberately flooded your supplier’s factory, they would have to stop producing the fabric you needed. This would be a problem, but not a cyber attack.
Examples
- Your supplier may provide digital services that are vitally important for sales, such as software to handle the payments from customers, your accounting service, or hosting for the website which is your digital shop window. These digital services could be attacked in various ways: for example, by phishing, ransomware, malware or denial of service attacks. This might mean that those services would be unavailable to you, damaging your sales, receipts and reputation.
- Maybe you bought software to run on your computerised sewing machines, or on the laptop that you use to do your accounts, but that software had been ‘contaminated’ with malware before you bought it. The result could be that when you installed it locally, your devices were damaged by the new software.
- Perhaps your new hardware was tampered with by an attacker before you bought it, with the result that the attacker was able to steal data from you.
The above three examples are all cyber problems caused to you by a problem that began in your supply chain.
What can I do to help secure my business?
The NCSC has launched two new (free) e-learning modules to help you manage the cyber security risks across your supply chain:
- Mapping your supply chain
- Assessing your supply chain cyber security
We suggest that you start by stepping through the NCSC training to see how to go about this task. The training is laid out very clearly, and is easy to follow:
- Start by identifying what you need to protect, and why
- Know who your suppliers are, and understand the security risks in your supply chain
- Set minimum security requirements for your suppliers, and communicate them to your suppliers
- Add security considerations to your contracting processes
- Monitor your suppliers to check that they are meeting your requirements
- Support your suppliers as necessary
- And meet your own security responsibilities as a supplier in turn.