
Global supply chains and cyber security: four steps to keep your organisation safe from attackers


In this article, originally featured in Business Insider, Darren Grey, Securious operations director, outlines the four steps organisations operating within a globally interconnected supply chain need to take to keep themselves safe from cyber attackers.

The commercial landscape has changed dramatically, with digitalisation breaking down geographic barriers and opening up opportunities to work with clients and suppliers globally.  

However, digitalisation has also opened further opportunities for cyber crime, which is simultaneously borderless, well-funded and advancing technologically at an alarming rate.  

There is now the opportunity for malicious attacks to be launched by groups working collaboratively across the globe, pooling their skills and technology, and creating well-organised supply chains of cyber criminals. 

This has to be taken seriously: no one is immune, and every business is an opportunity waiting to be exploited. Because these attacks are time-consuming and expensive to resolve, they are often devastating for the businesses involved, so evaluating the risks must become a priority.

So what should you do?

1) Align to regulations

Legislation has been introduced to mitigate risks, initially focusing on data privacy with GDPR, which requires robust technical and organisational controls to be in place. More importantly, it holds organisations accountable. GDPR is not global, but for organisations working with EU citizens' data it is a requirement.

There has also been the introduction of the Digital Operational Resilience Act (DORA), which requires all financial institutions to follow rules covering protection, detection, containment, recovery and repair capabilities against information and communications technology (ICT) related incidents. The Act acknowledges that ICT incidents and a lack of operational resilience could impact the soundness of the entire financial system. It explicitly refers to ICT risk management, incident reporting, operational resilience testing, and ICT third-party risk monitoring.

Many organisations that are not required to comply with these regulations are still at risk. Without a regulation they must align to, they do not prioritise these tasks, and as such they represent a considerable vulnerability in any supply chain.

2) Understand your own risks and vulnerabilities

As part of a global supply chain, each interconnected business is only as strong as its weakest link. Cyber criminals will look for opportunities to gain access to larger organisations through the easiest route, and often this will be a third party in their supply chain. Outsourcing any activities therefore requires evaluation of the potential risks and thorough due diligence to mitigate these.  

3) Seek third-party assurance

External third-party assurance can provide a more robust review and help baseline your current cyber posture, in turn helping you build a prioritised roadmap for continual and effective improvement. Part of this review needs to include carrying out due diligence on your supply chain to establish whether your suppliers provide an easy route into your organisation, by asking questions such as: what access do they have? Are they key to your operations? And, if they have not built cyber resilience into their systems and suffer an attack, what would be the impact on your business?

Ultimately, by requiring the businesses we work with to be better through third-party audits, we will build out a more robust commercial landscape and reduce the opportunities for cyber criminals.

4) Take cybersecurity seriously

The most common mistakes businesses make are not taking this seriously, believing that it will not happen to them and not making it a priority.  

They work very hard at building their product and scaling their business, but do not build security into their roadmap. Traditional businesses assume that because they have never been affected by a cyber attack, it must be low on their risk register, and therefore it ends up being low on their priorities.

The key consideration is for them to understand the real threat, and to have their resilience to these threats challenged by qualified third parties. For example, do they have a robust incident response plan in place, and have they tested it? In addition, it is essential that the board is included in this, because it has ultimate responsibility. Otherwise, the damage could be significant.

With well-funded criminal gangs working collaboratively and globally, the threats are evolving faster than we all appreciate. No longer are cyber criminals restricting themselves to gaining entry, encrypting data and demanding a ransom. Instead, they are increasingly sitting on systems and continually covering their tracks, bringing in specialists from within their community to gain enhanced access, using programming languages we are unfamiliar with, exfiltrating data, and finally encrypting systems (including backups and cloud services) to make them effectively unusable by the business.

Once they have brought organisations to their knees they demand huge ransoms, not just to decrypt systems but to prevent sensitive data from being released – both personally identifiable information and commercially sensitive documents.

Organisations that are able to recover and do not pay the ransoms are then targeted again. This is a very unpleasant crime that is so lucrative, anonymous and borderless that it has to be taken seriously by all businesses.

There’s not an easy solution

Insurance was once seen as a quick fix for many organisations when it came to cyber risk, but that is no longer the case. Insurance companies are seeing huge financial impact as the risks increase, and now want to see that companies are putting robust cyber security in place, with many demanding multi-factor authentication on systems before they will consider insuring. The cost of insurance has inevitably skyrocketed, as this is an expensive risk against which to insure.

As the digital world continues to shrink geographic barriers, organisations must prioritise cyber security as a fundamental aspect of their operations. Embracing regulations, understanding vulnerabilities, seeking third-party assurance and taking cyber security seriously are essential steps to protect against the ever-evolving and borderless threats posed by cyber criminals. The costs of complacency are too high, making cyber security a critical concern for businesses of all sizes in today’s interconnected global supply chains.

Interested in improving your organisation’s cyber security? 

Get in touch with our team at Securious Ltd and we’d be happy to discuss how we can help you ensure your organisation is protected from cyber attackers.

Securious.co.uk – 01392 247110
info@securious.co.uk