UK data exposes supply chain cyber risks

In October 2022, the UK’s National Cyber Security Centre (NCSC) issued guidance to help businesses contend with the growing number of cyber attacks on supply chains.

The NCSC is a division of the intelligence and security agency GCHQ, set up to protect the UK's critical services from cyber attacks. The NCSC specifically cites the SolarWinds attack as a cautionary tale for every organisation dealing with third parties.

SolarWinds was a supply chain-based breach that allowed threat actors an estimated 14 months of free access to emails and data held by a wide range of private organisations and US government agencies – including Microsoft and the Department of Homeland Security. The full scale of the breach, which began in late 2019, is still being determined.

No such thing as ‘too small a target’

Even though it was well-publicised, the SolarWinds hack does not appear to have spurred many organisations into defensive action. The 2022 Cyber Security Breaches Survey provides the latest available government data. The survey indicates that the UK is still too relaxed in its approach to third-party risk management (TPRM):

• only one out of every ten businesses review the risks posed by their direct third-party suppliers (13%); and
• just 7% of businesses review the risks posed by the wider supply chain.

It seems hard to shake the idea that cyber risk is, to paraphrase one survey respondent, primarily “something for banks and central government to worry about.” This is despite the growing number of targeted supply chain attacks on charities, local government bodies and smaller firms.

No matter how big or small your organisation is, it is both vulnerable to attacks via your third parties and a potential access point for threat actors looking for ways to target your suppliers and clients.

TPRM is for everyone

Most survey respondents prioritise cyber security in principle, yet take a reactive rather than proactive approach to TPRM. The survey attributes this to a lack of in-house expertise combined with competing budgetary demands.

Also of concern were the indications that a small-but-significant number of UK businesses and charities seem content to assume that their suppliers and partners have ‘good enough’ due diligence measures in place to make ongoing TPRM all but pointless:

… organisations will often require that suppliers, including [managed service providers], prove they have robust cyber security when signing contracts. Once the contract is signed, though, this is not often followed up with extensive due diligence or measurement of KPIs, and risks are not reviewed throughout the duration of the relationship.

The reality, however, is that the risk environment is not static. The level and kind of risk that the supply chain is exposed to changes constantly. This is because the modern supply chain is not a simple chain at all, but a complex network – and that makes TPRM the responsibility of everyone in it.

That may sound daunting, but it is possible to implement a cutting-edge solution that is also flexible and affordable. Thomas Murray Orbit Security is our award-winning, fully automated and scalable threat intelligence platform. Across all industries, we use our leading technology and extensive experience to help organisations of every size to monitor their enterprise and third-party cyber risk.

Talk to one of our experts about how we can work with you to protect your organisation, your clients, and your third parties.