With daily pressure to improve cybersecurity operations and to counter new threats, it’s all too easy to lose strategic focus. But if you concentrate only on the systems you control directly, you will overlook entire areas of external risk.
A recent survey, whose findings are largely positive overall, suggests that one area where large UK businesses may be falling short is assessing the cybersecurity resilience of the external providers in their supply chain.
The poll, conducted by OnePoll and commissioned by Citrix to mark InfoSecurity Europe 2018 in London, questioned 750 IT security decision makers at UK companies with 250 or more employees. Its aim was to find out how well prepared large UK businesses are for cyberattacks, whether they conduct the necessary due diligence when assessing new suppliers, and whether that due diligence affects the effectiveness of their cybersecurity practices.
Cyber resilience in the supply chain – and what good cyber resilience looks like
Only 35% of respondents consider the audit their organisation conducts when onboarding new suppliers (including a review of the supplier's cybersecurity controls) to be ‘very comprehensive’. Almost one in ten (9%) state that their organisation simply asks a few questions during the initial pitch. And just over a third (35%) of organisations polled said they hold insurance covering their supply chain providers should a supplier raise cybersecurity concerns or suffer a breach.
The findings also highlight the need for better communication between organisations and their supply base: one in five (20%) of those surveyed confirmed that they do not involve their suppliers at all when testing their own cybersecurity recovery process, even though a recovery that depends on a third party cannot be fully exercised without that party.
Confidence in cybersecurity strategy
Whilst the supply chain is sometimes overlooked, confidence within UK IT security teams is growing. The vast majority (93%) of the IT security decision makers questioned are confident in the maturity of their own organisation’s ‘cybersecurity resilience’, meaning they believe the business could continue to operate effectively following a cyberattack.
Most respondents also rated their cybersecurity recovery strategy as either ‘quite mature’ (51%) or ‘very mature’ (42%). A majority were confident that their organisation is fully prepared for a ransomware (57%), phishing (64%) or malware (72%) attack. However, fewer than half were confident of being fully prepared for a DDoS (49%) or application-layer attack (49%).
The findings also suggest that cybersecurity resilience is becoming more of a priority for the wider business – not just the IT team. A quarter (25%) of respondents stated that this is an issue discussed at boardroom level within their organisation. A further one third (33%) consider this to be an issue discussed at a managerial level.
Despite this growing confidence and awareness, almost half (44%) of the respondents questioned by OnePoll in May confirmed that their business had experienced a data breach requiring business recovery in the previous three months, and one in ten (11%) had experienced one in the previous week. Confidence in a recovery strategy, in other words, is not the same as an absence of incidents to recover from.
IT security decision makers remain concerned that cloud-based IT environments complicate the development of a cybersecurity strategy. Roughly three in five respondents said that ‘multi-cloud’ (64%) and ‘hybrid-cloud’ (60%) environments add complication, and over two thirds (67%) cited ‘public cloud’ as the environment that most complicates the development of a cybersecurity strategy.
Why the supply chain can be the weakest link
Recent cyberattacks demonstrate that the supply chain can be the weakest link for a significant number of organisations. For example, the ‘NotPetya’ campaign began with an extremely effective supply chain attack: the malware was delivered through the compromised update mechanism of a widely used Ukrainian accounting package, so victims received it from a trusted vendor rather than from an attacker. It had disastrous consequences for Ukraine’s national bank, airport and government departments, and went on to infect machines in a staggering 64 countries.
It is vital that businesses conduct the necessary due diligence when integrating a new provider into their supply chain. Given the risk a supply chain attack carries, a cybersecurity audit of your supply base should not be a box-ticking exercise. Ask yourself this: has my business ever rejected a supplier on the basis of its audit findings? I suspect that number would be significantly lower than the number of organisations that are confident in their supplier due diligence. An audit that can never fail a supplier is not an audit.
The assessment of cybersecurity procedures should be a standard part of any contractual agreement with a supplier, and organisations will need to ensure that they have insurance covering their supply base. Without these measures in place, attackers can use a supplier as a stepping stone to reach their ultimate target: your business.