How Better Training Can Mitigate Supply Chain Risk

27 August 2019 by UKFast

This guest blog is authored by Edward Whittingham, Founder and MD of cybersecurity firm The Defence Works.

The Defence Works brings together hard-hitting insights, efficient practices and simple hacks to keep businesses safe and offers bite-sized cybersecurity awareness training through a range of interactive channels.


Supply-chain risk is fast becoming a prominent theme in cybersecurity.

As the cliché goes: a chain is only as strong as its weakest link – and this applies even more so when networked IT systems and shared data are involved.

According to the 2018 Ponemon Institute survey, breaches resulting from third-party security lapses are on the rise. Last year, 59% of organisations in the US and UK said one of their vendors or partners had caused a breach. Almost 75% said they believed such incidents were likely to happen again.

In my opinion, growing supply-chain complexity is to blame. On average, companies in the Ponemon survey said they shared confidential and sensitive information with 583 third parties over the course of last year.

This year, we’ve seen even more high-profile examples of the risks that supply chains pose.

In June 2019 alone, cybercriminals breached the US Customs and Border Protection (CBP) agency through a sub-contractor that had copied photos of travellers and their vehicles, taken at border crossings, onto its own IT systems. In the same month, a billing provider for the US healthcare sector exposed the personal and financial information of just over 20 million people – possibly more.

In addition, June also saw police forces across the UK forced to cease all work with the country’s largest private forensics provider, after a ransomware attack destroyed or locked essential case data held on the company’s systems.

Exact details and the extent of the damage to files and data weren’t revealed, but the company, Eurofins, processes more than 70,000 cases each year, including murder and terrorism offences, carrying out DNA analysis, ballistics, toxicology and computer forensics. Police across the country have suspended all work with the company as a result; it is believed to handle more than half of all outsourced casework.

No more taking the blame for partners

While organisations may once have been expected to carry only part of the responsibility for cybersecurity across their supply chains, tolerance for breaches is fading rapidly. Businesses are now being held to account by regulators and customers for the actions (or negligent inaction) of their suppliers.

Study after study tells us that customers will abandon a brand after a significant breach. Consumers now judge your company on how reliably you protect personal data. It doesn’t matter that the breach happened on a supplier’s systems: if you’re the brand that contracts the supplier and gives it access to customer data, you will be held responsible.

Retail and finance organisations can suffer a lingering sales drop after a breach, with a third of consumers saying they will take their business elsewhere.

Privacy protection has become a significant focus for regulators.

Information is power

Knowledge and awareness are crucial for protecting your business against cyber-incidents and mitigating the damage when they occur. Many businesses are already conducting audits of their supply chains and tracking how vendors access and use shared data.

To better prepare for the possibility of a supply-chain breach, vital steps for identifying vulnerabilities include:

  1. Audit your existing supply chain. Prioritise vendors in order of importance or commercial significance (e.g. strategic partners versus occasional suppliers) and by the level of integration between their systems and yours.
  2. Create minimum cyber-risk standards. Build them into your contracts. While you might want to negotiate these to some degree with your most important vendors, lower-tier vendors should be required to comply. This includes training requirements.
  3. Don’t forget the supplier’s suppliers. Your vendors will have supply chains of their own. When vetting first-tier vendors, it is essential to audit their respective supply chains for any potential issues.
  4. Audit, measure, repeat. The cyber-threat landscape changes every month. It’s crucial that you monitor exposures over time and can update cybersecurity criteria as part of vendor contracts.
  5. Create a culture of cyber-risk awareness across your supply chain. Establish clear policies and procedures for vendors. Train your employees, and the employees of critical vendors, to keep cybersecurity at the forefront of everyone’s minds. Security awareness training should be part of any organisation’s induction for new starters, and elements of the programme can be extended to business partners so that their cybersecurity objectives are aligned with your own.

Strengthen security at every link

Every contractor and subcontractor working with customer or proprietary data needs to take ownership of cybersecurity, and protect the sensitive information it stores, receives, or transmits.

Your systems need the latest technological defences. But as we see again and again, it’s not a matter of if your system will be breached – it’s a matter of when.

Supplement your cybersecurity investment by empowering your own people: placing employees on the lookout for cyber-attacks and the signs that a hacker is trying to breach corporate networks or personal devices.

Overall, viewing cyber-risks as a daily management challenge and enlisting those at the front line to help is one of the most effective ways to stay secure.

Stay secure with UKFast’s range of cybersecurity services, designed to keep your online environment protected from the most prominent threats facing businesses right now.