The UK has seen an increase in vulnerability to cyber interruptions in the supply chain, especially in 3rd party vendor systems, thus creating risks in corporate systems. Latest research from various industries indicates that there is an increased risk of cyber intrusion, operating from a wide net, a rationale for the lack of adequate cyber supply-chain risk defensive systems. The Chartered Institute for Procurement and Supply (CIPS) reported that there has been an unprecedented increase in cyber supply-chain attacks, and nearly 2 out of 3 UK firms reported supply-chain cyber breaches in the past year.
These attacks search for gaps in supplier security
The gaps in supplier security create an opportunity for criminals to bypass the firewalls of the big corporations. Organizations lose millions, and loss of reputation becomes a liability as the organization is unable to manage cross-breach along the supply chain.
CIPS outlines the major contradiction of the other extreme: having the majority of organizations internally secured, an organization opens the supply-chain vendor portion.
โSupply chains are only as strong as their weakest link.โ
CIPS reports that the attackers move down to the small, security supply chain and are the primary targets of the breach because no access control systems are in place to defend against the advanced breach.ย Supply Chain Security is once again rated as a really fragile ecosystem and is likely to suffer multiple failures in a row. Modern supply-chain technology involves a multiverse of contractors, logistics, and tech. Each is a potential to fall, and once one goes down, the rest fall.
Digital transformation and the adoption of more cloud-based services
The adoption of digital transformation and the addition of more cloud-based services have also contributed to an increase in the threat of fraud. Organizations share sensitive, and in a lot of cases, business operational data, with a plethora of partners and vendors, and that is an attack surface.
Fraudsters know this, and with a third-party vendor compromised, a high-value target can be attacked with ease. From crypto-locking entire sets of data to stealing complete blueprints with no authorization, and thus crippling operations.
Real direct loss to recover is one thing to consider, but the following negative chain goes from loss of reputation, loss of customer trust, loss of customers, potential fines legally, loss of revenue, and loss of ability to legally take a position to gain profit.
For manufacturing, health care, and finance, and for those sectors where the supply chain has to function as the Mission, the stakes are higher than high. Just one breach and production lines stop, deliveries become delayed, and customers’ trust in the supply chain is affected.
Vulnerability in supply chains is a reality
Experts say defending them should be a multi-step process.
- First, organizations need to evaluate the risk each supplier poses. What is their cybersecurity risk? What compliance standards do they follow? Contracts should have baseline expectations for security, and security compliance should be monitored.
- Second, there should be collaborative defense. Organizations in the same sector should share security-related information and participate in collaborative cross-sector security frameworks and cyber defense partnerships.
- Third, organizations need to change their culture. Cybersecurity should not be seen as an IT challenge. It should be a cross-functional governance, operations, and procurement priority. Leaving training to staff/partners on cybersecurity best practices is a breach waiting to happen, as human error is a significant factor in most breaches.
As supply chains become more digitally interconnected and intricate in their dependencies, securing them becomes an even more significant challenge. UK firms have to act in order to protect their supply chains. The message from recent reports is that ignoring the security risks in your third parties is a breach waiting to happen.
Disclaimer: Our coverage of events affecting companies is purely informative and descriptive. Under no circumstances does it seek to promote an opinion or create a trend, nor can it be taken as investment advice or a recommendation of any kind.
