How can UK businesses protect themselves from the growing threat of supply chain cyber-attacks?


With cyber attacks on supply chains growing by a whopping 430 per cent in 2021, and with increasing news reports of global supply-chain hacks, such as the recent MOVEit attack – cited as one of the most significant breaches of all time – businesses must act fast to protect their sensitive information and communications.

According to government data, only around one in ten (13 per cent) UK businesses review the risks posed by their immediate suppliers, and the proportion that review the wider supply chain is just seven per cent.

With supply chains becoming more complex, digitised and interdependent, and with sensitive data flowing in both directions, a disruption to one company’s IT infrastructure threatens ‘cascading impacts’ on every company connected to it, with potentially disastrous consequences.

With this in mind, just how huge is the scale of risk when it comes to the major threat of supply chain attacks to businesses and how profound can the impact be for organisations and their customers? Businesses that deal with sensitive data such as intellectual property and personal information are particularly vulnerable. How can these organisations ensure data is kept secure across the entire supply chain and what security measures can they put in place?

Scale of risk

With the rise of the hyper-connected supply chain, the risk of devastating effects following a cyber-attack is growing. A hyperconnected business increases the impact of an attack: a cyber incident is rarely an isolated event, and compromising one area risks impacting the entire organisation. In a hyper-connected supply chain, the risk could even come from one of the business partners in the chain. Ransomware gangs have been reported to target their primary victim’s business partners, threatening those partners with an attack if the ransom is not paid.

Devastating consequences

Cyber-attacks are becoming increasingly sophisticated, with the effects becoming increasingly impactful and destructive. The cost of cyber-crime to UK businesses is estimated at £27bn per annum, with a significant proportion coming from the theft of IP from UK businesses (estimated £9.2bn per annum). Not only do attacks threaten to damage a business’ competitive advantage, but they can also result in damage and denial of access to operational systems such as production facilities, and can ruin a business’ trading reputation.

Businesses risk losing a significant number of customers and suppliers following an attack which can have devastating effects on revenue. Loss of customer and stakeholder trust is often considered one of the most harmful impacts of cyber-crime and the ramifications can be brutal with reports showing that businesses are likely to lose one in three customers after a data breach. An attack is likely to lead not only to significant loss of business, but the devaluation of the brand an organisation has worked so hard to build.

Securing the data supply chain

End-to-end encryption can go a long way to keeping sensitive information secure across a business’ entire supply chain. With a zero-knowledge cloud workspace solution with end-to-end encryption, it’s impossible for even the service provider to access any data a company is storing or processing. This means businesses can keep hold of and share files and folders securely, both internally and externally, with suppliers, customers and partners, as well as store information in an ultra-secure and compliant way.

End-to-end encryption explained

End-to-end encryption, which ensures data is encrypted both when it’s ‘on the move’ and when it’s stored, isn’t the standard for all encryption types; often data will only be encrypted while it’s in storage, or only while it’s in transit. End-to-end encryption is intended to prevent data being read or secretly modified by anyone other than the true sender and the intended recipients. Messages are encrypted by the sender before they leave the sender’s device; the service provider receives the data already encrypted, stores it encrypted, and has no key with which to decrypt it. Since recipients receive the encrypted data and decrypt it themselves, third parties have no means to decipher the data being sent or stored. In a business’ hyperconnected supply chain, where sensitive data is being passed through a number of organisations, this ‘gold standard’ of encryption, offering a private communication system in which no eavesdropper can read or interfere, is crucial.
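The flow described above, shown as a small added Go program. This is an illustration written for this article, not code from any vendor’s product: a supplier encrypts a document for a customer, a cloud provider stores only the resulting envelope, and the customer decrypts it. It uses X25519 key agreement and AES-256-GCM from Go’s standard library; the party names, the sample document and the `doc-id` label are constructed for the example, and deriving the session key with a bare SHA-256 is a simplification (a production design would use HKDF with context binding).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the only thing the cloud provider ever receives or stores.
type Envelope struct {
	SenderPub  []byte // sender's X25519 public key (not secret)
	Nonce      []byte // fresh random value per message
	Ciphertext []byte // AES-256-GCM output with the 16-byte auth tag appended
}

// Party is one organisation in the supply chain holding its own private key.
type Party struct{ priv *ecdh.PrivateKey }

func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

func (p *Party) PublicKey() []byte { return p.priv.PublicKey().Bytes() }

// sessionKey derives the symmetric key from the X25519 shared secret.
// Simplification for this example: real designs use HKDF with context info.
func (p *Party) sessionKey(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts on the sender's side, before the data leaves the organisation.
// aad is a label (e.g. a document id) that is authenticated but not encrypted.
func (p *Party) Seal(recipientPub, plaintext, aad []byte) (*Envelope, error) {
	key, err := p.sessionKey(recipientPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{SenderPub: p.PublicKey(), Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open decrypts on the recipient's side. Any change to the stored envelope or
// to the label, or use of the wrong key, fails the GCM tag check.
func (p *Party) Open(env *Envelope, aad []byte) ([]byte, error) {
	key, err := p.sessionKey(env.SenderPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("envelope rejected: modified in storage or wrong key")
	}
	return pt, nil
}

// Provider models the zero-knowledge workspace: it stores and serves
// envelopes but holds no private keys, so it only ever sees ciphertext.
type Provider struct{ store map[string]*Envelope }

func NewProvider() *Provider                  { return &Provider{store: map[string]*Envelope{}} }
func (s *Provider) Put(id string, e *Envelope) { s.store[id] = e }
func (s *Provider) Get(id string) *Envelope    { return s.store[id] }

// Exposes reports whether the stored bytes reveal the plaintext (false for a
// correctly encrypted envelope).
func (s *Provider) Exposes(id string, plaintext []byte) bool {
	return bytes.Contains(s.store[id].Ciphertext, plaintext)
}

// Corrupt models an integrity failure in the provider's storage (bit rot or a
// compromised store); the recipient's Open must detect it.
func (s *Provider) Corrupt(id string) { s.store[id].Ciphertext[0] ^= 0x01 }

func main() {
	supplier, _ := NewParty()
	customer, _ := NewParty()
	cloud := NewProvider()
	doc := []byte("Constructed sample: Q3 pricing schedule, confidential")
	aad := []byte("doc-id=42") // constructed label bound to the ciphertext

	env, _ := supplier.Seal(customer.PublicKey(), doc, aad)
	cloud.Put("42", env)
	fmt.Println("provider can read plaintext:", cloud.Exposes("42", doc))
	pt, err := customer.Open(cloud.Get("42"), aad)
	fmt.Printf("recipient decrypts: %q (err=%v)\n", pt, err)
	cloud.Corrupt("42")
	_, err = customer.Open(cloud.Get("42"), aad)
	fmt.Println("after modification in storage:", err)
}
```

The provider never holds a private key, which is what makes the claim that ‘even the service provider’ cannot read the data hold in practice; the authenticated encryption is what turns ‘secretly modified’ into a detected failure at the recipient rather than a silently accepted document.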

Supplier management

Whereas we’ve seen a rising number of organisations pledging to work only with suppliers that adhere to social and environmental standards, only 12 per cent of businesses review risks coming from their immediate suppliers, and only one in twenty address risks coming from the wider supply chain.

Businesses should ensure they are vetting the security practices and data protection capabilities of their suppliers. When selecting suppliers to work with, it is crucial to conduct thorough due diligence, including assessing the data security measures they have in place, their certifications, and adherence to industry standards. Contracts with partners and suppliers should clearly outline specific data security requirements, including confidentiality obligations, data handling protocols, and incident reporting procedures. Businesses should also make sure they regularly review their suppliers’ and partners’ security measures and practices to help mitigate any threats associated with third party involvement.

What else can be done?

Cyber security awareness training for all employees is vital to help prevent cyber-attacks or at least spot them early on. Contracts with suppliers and partners should clearly outline the requirement of regular cyber security training in their organisation to ensure everyone is on the same page across the entire supply chain. Training should include details on potential threats such as phishing attempts and social engineering techniques as well as how to recognise and respond to threat situations and secure data handling.

Not only should businesses ensure that regular security audits are happening in their own organisation, and that they are keeping software up to date, running current antivirus software, using strong passwords and implementing intrusion detection and prevention systems, but they should make sure these measures are taking place across the entire supply chain. By having these conversations up front, writing these requirements into contracts and reviewing them regularly, businesses can set themselves up to be part of a secure data supply chain.

Final thoughts

To give themselves the best chance of mitigating cyber security attacks, businesses need to have a full understanding of the concept of data security across their entire supply chain and an acute awareness of how destructive and catastrophic an attack can be. Businesses should adopt a multi-layered cyber security strategy, of which end-to-end encryption is an integral part – this strategy will be unique to each business, depending on its size, compliance regulations and industry. By fostering a culture of security awareness, adopting robust security measures and ensuring these are adhered to across the entire supply chain, and regularly reviewed, organisations can establish a robust data security framework across the supply chain ecosystem.