Within a networked supply chain, every company is only as strong as its weakest link, and any entry point for cyber criminals – no matter how decentralised from the core security of the organisation, poses an intrinsic threat to the entire network.
To address this, businesses should pay closer attention to the cyber security arrangements of their partners – and demand Cyber Essentials as a matter of course during the tendering process, says APMG International.
Richard Pharro, CEO of accreditation and certification body, APMG, commented: “Small companies don’t tend to be very well protected partly because they don’t have the resources to bolster their defences, but also because they don’t feel like they’ve got information that is very important. What they do offer is a pathway to information on other systems – the backdoor in to their partners’ organisations. The supply chain is one of the biggest issues facing businesses today, and it’s only now after some very large and high profile breaches that this issue is coming to the fore. As a cyber criminal, if you know a large company is very well protected, but a small supplier isn’t, you go for the smaller company.
“Taking the example of the weakest link, if your partners or subsidiaries have weaker cyber security defences than you do, there’ll be a chink in the armour. If you don’t take steps to address this, you are opening yourself or your partners up to potentially huge risks. With a little imagination, any defect in the sprawling infrastructure could be exploited, with huge repercussions. The breach of US retailer Target in 2013, initiated through its heating, ventilating and air conditioning contractor, stands as a prime example of this, highlighting the importance of supply chain security,” he continued.
Pharro went on to say that the world of business should build on the example recently set by the UK Government last year and make certification against Cyber Essentials a compulsory requirement for organisations bidding for contracts.
Developed by the UK Government as part of a broader initiative to raise cyber security awareness and preparedness in businesses of all sizes, Cyber Essentials provides a set of criteria against which organisations can measure their cyber security systems. Achieving the certification demonstrates to customers and partners that a business has taken basic and essential cyber security precautions.
“While there is arguably more work to do to secure the public sector supply chain, the Government has set a good example by demanding that certain suppliers certify against Cyber Essentials. There is a strong case that the public sector should hold their suppliers to a similarly high account and make Cyber Essentials a mandatory requirement for doing business. The Government estimates that 80 per cent of successful cyber attacks could be stopped by basic security measures. By opting to only work with suppliers that have achieved Cyber Essentials, businesses would go a long way to improving the security of their supply chains and their data,” Pharro concluded.