Luke Dash, CEO at ISMS.online, explores the rising tide of supply chain cyber attacks on UK organisations and how companies can beat the odds.

In an increasingly interconnected world, the importance of robust cybersecurity measures cannot be overstated. 

At present, one of the most pressing security concerns facing organisations is supply chain attacks. A supply chain attack is a sophisticated and highly damaging technique in which cybercriminals reach a target organisation by infiltrating or compromising the least secure parts of its increasingly broad digital ecosystem.

Critically, these attacks specifically exploit interdependencies between companies and their digital suppliers, service providers or other online third-party partners. This makes them particularly challenging to defend against.

Several notable examples of supply chain attacks highlight their potentially devastating impact, such as the recent attack on the NHS. In June 2024, several London hospitals were forced to cancel operations and blood transfusions following a major ransomware attack on Synnovis, the pathology services provider that processes their blood tests. Thousands of patients were affected, and the NHS issued an urgent appeal for O-type blood donors because hospitals could no longer match patients' blood quickly.

There were also the Okta breaches. In early 2022, Okta, a leading identity and access management provider, disclosed that attackers had compromised a support engineer's machine at one of its third-party contractors and used it as a foothold into Okta's internal support tooling. Then, in late 2023, attackers gained access to Okta's customer support system and extracted sensitive data, including the names and email addresses of its customers' support users.

Similarly, the MOVEit breach stands as another noteworthy example. Discovered in 2023, this incident involved the exploitation of a zero-day SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer, a widely used managed file transfer application developed by Progress Software. Because so many organisations, and the service providers acting on their behalf, used the product to exchange files, the breach led to the unauthorised access and theft of data from numerous organisations globally. The impact was severe enough that the NCSC published its own information, advice and assistance for affected companies.

Indeed, these three incidents, among many, highlight a crucial lesson for organisations: as supply chain threats become increasingly prevalent and complex, firms must recognise that their security is only as strong as the weakest link in their network of suppliers and partners. 

Seeking to ascertain just how widespread the issue of supply chain attacks is at present, ISMS.online recently surveyed 1,526 security professionals globally to uncover their own experiences. 

Our latest State of Information Security report details the seriousness of the situation facing UK companies. Critically, we discovered that 41% of UK businesses had been subject to partner data compromises in the last 12 months. Further, a staggering 79% reported having experienced security incidents originating from their supply chain or third-party vendors, a 22% increase on the previous year.

The message from this dramatic spike is clear. Supply chain vulnerabilities are not only becoming more prevalent but are also being exploited more often by cybercriminals. This highlights the urgent need for comprehensive and collaborative cybersecurity measures across all levels of the supply chain.

Indeed, companies must work to mitigate these threats and minimise their risk exposure by reassessing their cybersecurity strategies. But where and how exactly should they focus their efforts? At ISMS.online, we believe that there are four key areas that companies should prioritise when it comes to achieving best practices.

1. Stronger supply chain vetting processes

First, it is critical to implement rigorous security vetting processes when selecting partners and suppliers. This involves thorough due diligence, assessing potential partners’ security posture and cybersecurity measures, and reviewing past security incidents and responses. Companies should also evaluate compliance with relevant regulations and continually monitor their partners’ security practices where appropriate.

2. Enhanced cybersecurity measures

Of course, it is unreasonable to demand that partners have robust security measures without adopting best practices yourself. Bolstering internal cybersecurity measures, and then extending the same expectations to the supply chain, is therefore needed to significantly reduce risk.

Here, strategies to consider include regular auditing of internal systems, comprehensive employee training in recognising and responding to cyber threats, baseline technical controls such as multi-factor authentication and encryption of data at rest and in transit, and maintaining an up-to-date incident response plan that specifically covers breaches originating at a supplier, including who to contact at the supplier, how to revoke its access and how to notify affected parties.

3. Robust partnership agreements

Detailed and stringent partnership agreements help establish clear cybersecurity expectations and responsibilities. It is important to define security requirements, request regular security status reports, require prompt notification of incidents that may affect your data, and define access controls to safeguard sensitive information.

4. Alignment with essential standards

Aligning with critical standards and asking that partners and clients do the same can be a highly effective way of ensuring consistent and high-security levels across the supply chain. Of course, there are a variety of standards to consider. However, for UK companies, some of the most important ones to align with include:

  • Cyber Essentials: A UK government-backed scheme designed to help organisations protect themselves against common cyber threats by providing clear guidance regarding basic security controls.
  • ISO 27001: An international standard for information security management systems that provides a systematic approach to managing sensitive company information, ensuring it remains secure.
  • NCSC Supply Chain Security Guidance: A comprehensive supply chain security guide providing recommendations about managing supply chain risks, implementing robust cybersecurity measures, and ensuring continuous monitoring and improvement.

Given the growing threat of supply chain attacks, it is imperative to demand the adoption of cybersecurity best practices both internally and among suppliers, service providers, and partners. 

From aligning with essential standards to developing new partnership agreements, it can feel like a daunting or challenging task. Indeed, the difficulty for many companies is knowing where to start. However, achieving best practices on each of these fronts need not be as daunting or burdensome as businesses might think.

Indeed, with proper support and guidance, best practices can be adopted, followed internally, and advocated externally with relative ease.
