Business is now truly interconnected, so whatever the nature of your product or service, your organisation will be, in some way, part of a supply chain – and a chain is only ever as strong as its weakest link. If one link suffers a security breach, bad actors will not hesitate to use it to gain access to other suppliers’ infrastructure, potentially creating a domino effect in which a small, isolated breach leads to a string of serious, costly ones.
The compromise of the SolarWinds Orion IT management platform, disclosed in December 2020 and attributed in 2021 by the NCSC and its US counterparts to a state-backed actor, is the best-known example: a trojanised software update gave the attackers a backdoor into the many organisations using the platform, through which they could run commands with the privileges of the Orion service and mount further attacks on those organisations’ networks.
Your systems and processes for optimising business resilience – i.e. cyber security, disaster recovery and business continuity – should therefore be designed with such risks in mind. This may sound overwhelming at first, but the good news is that proven methodologies already exist for establishing supply chain governance, simplifying the journey and enabling you to achieve and maintain cyber security best practice across all levels of your organisation.
Effective governance as a powerful business enabler
It’s important to bear in mind that robust supply chain governance is more than a ‘nice to have’. If you are looking to be part of the most ambitious (and lucrative!) projects across the public and private sectors, an organisation that cannot demonstrate the required level of cyber security maturity will not even be eligible to bid. In particular, the right accreditations are essential, as they represent internationally recognised standards of which you will be required to show evidence during the tender process.
A full breakdown of the different frameworks and accreditations utilised in modern business lies outside the scope of this article, but the following should be considered the foundation of effective supply chain governance:
- ISO 27001. The internationally recognised standard for information security management, first published in 2005 and updated in 2013 and 2022. It specifies an information security management system (ISMS) that protects the confidentiality, integrity and availability of the data an organisation owns or handles, and establishes a risk-based process for selecting, implementing and reviewing security controls.
- Cyber Essentials & Cyber Essentials Plus. Although these are UK government-backed accreditations, they draw on the same underlying principles as ISO 27001 and the NIST SP 800 series, and their five technical controls (firewalls, secure configuration, user access control, malware protection and security update management) represent a sound baseline for effective cyber security. Cyber Essentials is self-assessed; Cyber Essentials Plus adds independent technical verification of the same controls.
- ISO 9000. The family of international standards for quality management and quality assurance, of which ISO 9001 is the certifiable standard – arguably just as important as ISO 27001 when it comes to an organisation’s long-term resilience.
Do not fall into the trap of assuming this only applies to larger organisations. Smaller organisations that commit to the annual audit or reassessment required to maintain these accreditations will not only make huge strides in operational resilience but also open up a rich vein of business opportunities, making them a wise long-term investment.
Annual audits also ensure that systems and processes are regularly updated to accommodate both new technologies and new cyber threats. ISO 27001, for example, has evolved considerably over the years: its 2022 revision restructured the Annex A controls and added new ones covering, among other things, the security of cloud services, threat intelligence and data leakage prevention.
Establishing a true cyber security culture
Even with the most robust governance in place, any organisation can still fall victim to a breach, so you must never allow yourself to become complacent, and you should be ready to take a holistic view of your overall resilience.
Well-supported, current technologies should be deployed across your infrastructure to minimise the risks created by legacy systems that no longer receive security fixes. This should be backed by regular patching, with security updates applied as soon as they become available – and, where a system genuinely cannot be patched, by isolating it and limiting what can reach it.
Furthermore, never neglect the human element. Human error remains one of the leading causes of cyber security incidents, so staff at all levels should receive regular training on the tactics used by bad actors, such as phishing. This should not be limited to employees in IT-based roles: many attacks deliberately target less obvious members of staff in order to gain a foothold in the corporate infrastructure and then, in turn, the wider supply chain.
Ideally, one designated person should oversee all of this, whether someone from within your organisation or a specialist from a trusted third party. As should be clear by now, there are numerous elements to effective supply chain governance – some obvious, some less so. Having one individual accountable for the whole process minimises the risk of anything being neglected, as a single missing element can have serious consequences.
Making the next steps simple
If you’re in any doubt about the next steps – whether that’s earning those key ISO certifications or providing your staff with the right training – don’t hesitate to contact us. We don’t just advise other organisations on the principles discussed in this article; we apply them to every aspect of our own projects, and continue to develop our range of solutions to make the journey easier, with everything from phishing training and support around CE/CE+ to a virtual CISO service.
Governance, resilience, and a holistic approach to supply chain security
Business across the public and private sectors is now truly interconnected, which means an interconnected approach to cyber security is essential.