With cyber security breaches at the forefront of many businesses' minds — especially when disruption costs time and money — it's vital to firm up processes and procedures when it comes to your supply chain.
SoGlos speaks to the experts at Cheltenham-based P3M Works, to find out why it's so important to secure your supply chain data and software — and what the potential outcomes might be if you don't.
How do you assess the cyber security risks associated with your supply chain partners?
In order to understand supply chain risk, the supply chain must first be completely mapped. If supplier records aren’t up to date, this can be quite painful; however, it is critical to understanding risk.
Once the supply chain has been mapped, we conduct various assessments, ranging from the technical through to the geography and ownership of the supplier, to arrive at a score. It’s important to note that a key part of this process is distinguishing critical suppliers from lower-risk ones, as the level of risk will vary across the supply chain and require appropriate treatment.
Once the supply chain has been scored, we can begin prioritising mitigations.
How do you handle potential vulnerabilities in the supply chain that could lead to data breaches or other cyber threats?
Very carefully! Vulnerabilities come in all shapes and sizes. We usually work with the supplier to fully understand the extent of the vulnerability, and work with them to help mitigate it where we can.
For example, we recently identified a compliance issue in a customer's supply chain, where a supplier had allowed a certification to lapse and had in turn stopped complying with best practice with regard to data handling.
We needed to get the supplier compliant quickly but also ensure the correct processes and behaviours were reinstated.
Can you discuss any recent instances where a supply chain was targeted by a cyber attack and how the team responded?
I can’t go into specifics due to sensitivity, but it’s important to understand that cyber attacks are occurring all the time, to tiny micro companies all the way up to large companies.
You can read more about how attacks happen by looking up the specifics of recent incidents such as the NHS blood supply chain disruption and the MOVEit hack, which attacked the BBC, BA and Boots.
Supply chain attacks usually result in disruption across the supply chain and, of course, for the primary contractor. Recently, we’ve seen disputes break out as to who is responsible for the damage caused by any disruption of service or other issues resulting from supply chain attacks. This is often a costly and painful process to undertake.
How do you handle data protection and privacy when working with international suppliers who may be subject to different legal frameworks?
You need to be working off a common standard; otherwise it gets messy and you cannot be honest with your customer. Everyone has to play by the same set of rules.
Usually the prime contractor flows their terms down across the supply chain to ensure commonality. These often conform to GDPR, but may also specify protection mechanisms such as VPNs. Some prime contractors issue IT to their supply chain to ensure that all data is kept ‘within the boundary’; however, this is a costly and cumbersome approach, which can still be circumvented.
It's important to note that we’ve seen issues with smaller firms and international entities unable to meet supply chain demands, such as the mandating of a standard like Cyber Essentials or ISO27001, due to the cost associated with these standards. Some firms are choosing to take a more technical approach to securing their supply chain, using technology such as Guardicore or similar to enable collaboration with more niche organisations.
Do you use automation, AI, or machine learning to detect anomalies or threats within the supply chain?
There are certain tools such as Guardicore that can be deployed to assist with supply chain security.
However, the most prevalent use case at the moment is in threat detection and response. There are some tools out there, Orna for example, that are using ML to reduce the number of false positive reports and identify trends more quickly than traditional analysis. This helps teams respond to events and incidents quickly.
Threat simulation is also improving with the help of AI; it is possible to model threats on types of supply chains if enough data is available (which a good supply-chain mapping should produce!).
How do you see the role of cyber security evolving in supply chain management over the next five to 10 years?
The threats will always evolve to challenge supply chain security and cyber security in general. In my opinion, supply chain management will become more automated and driven by AI insights to respond to threats.
I can’t see a future where prime contractors are issuing their own IT to suppliers; as discussed before, this is a time-consuming and costly practice. Instead, supply chains will have a common technology solution that secures them and that can be easily deployed by the prime contractor across the supply chain.
I think we’ll see legislation become tighter, which will drive some of the technological change predicted.
What upcoming cyber security technologies or innovations do you believe will have the biggest impact on securing the supply chain?
It’s a bit of a buzzword, but Zero Trust adoption will help secure supply chains and is already beginning to do so. Technology will get better and there will always be new solutions getting developed.
However, the biggest impact on supply chain security will be business leaders and other people of responsibility taking time to understand the threats to their supply chains, the actions they need to take and the behaviours that must be adopted to secure supply chains from cyber attacks.
So the biggest impact won’t necessarily be technological, it will be behavioural.