How secure is your third-party supply chain?

Published: 24th May 2022 | In: Insights

Every public sector body, no matter how large or small, independent or complex, uses a number of third-party suppliers to provide goods and services, from basic commodities to high-tech equipment and specialist services through to major projects. All this makes up a considerable part of the UK’s economy. According to the Institute for Government, a leading think tank that aims to make the UK government more effective, around one third of their total spending is with external suppliers.

Most suppliers have privileged access to the IT systems of their public sector customers, making supply chains not only vast, complex and interconnected, but also vulnerable. Government supply chains are vital to the functioning of the UK economy, which unfortunately also makes them a prime target for cybercriminals, most of whom are financially motivated. So the risks to third-party supply chains need to be taken very seriously – but not separately from first-party risks.

It’s wise to consider risk holistically. There’s little point in thinking of one set of risks to your organisation and a completely different, unconnected set of risks to third parties and then treating them separately. In this wholly interconnected world that we live in, risk is risk.

For the past few years the Cabinet Office has been urging all local and regional government departments to tighten up the security of their IT ecosystems. In the recently published Government Cyber Security Strategy report for 2022 to 2030, the UK government emphasises that “Government organisations are routinely and relentlessly targeted.” Their message is backed up by concerning statistics: 40% of the 777 incidents managed by the National Cyber Security Centre (NCSC, a part of GCHQ) between September 2020 and August 2021 were aimed at the public sector. “This upward trend shows no signs of abating.”

Microsoft’s latest Digital Defense Report, which reveals the most targeted sectors of the global economy, stated that, from July 2020 to June 2021, 48% of cyber-attacks were directed at government departments. While nation-state cyber-attacks were predominantly directed towards the US, Ukraine and the UK were the second and third most-targeted countries. The invasion of Ukraine has heightened the need to strengthen government cyber defences.

As no government body operates in isolation, no matter how good their defences are, the security measures that their suppliers have in place are really important too.

Supply chain vulnerabilities?

Imagine that a cybercriminal tries to breach a local council’s cyber defences. They are blocked, so they try a few alternative routes into the network and are blocked again each time. They realise this will be a tougher nut to crack than expected. But, motivated by the quick profit they’re confident they can make by stealing thousands of people’s data, they research which companies provide services to the local authority, and identify one they’re sure has much weaker security in place than their primary target. A little probing and testing and they work out a way into the council via a third-party supplier’s digital tools. It takes more time and effort, but they have the element of surprise and achieve their goals without the council being aware – until it’s too late.

In the aftermath, both the third party and the local council have to take their systems offline. The company can’t supply anyone for weeks. It loses business, trust, and its reputation is tarnished. The council can’t serve its community, and has to spend money on investigating and repairing the damage done. And it needs to find a new supplier.

Despite the real threat of infiltration by way of third parties, most organisations only focus on their own security. The Cyber Security Breaches Survey 2022, published by the UK’s Department for Digital, Culture, Media & Sport (DCMS) found that only 13% of businesses review risks coming from immediate suppliers, while only 7% address risks coming from wider supply chains.

Everyone is safer if every organisation in the economy is protected and secure. Everyone will be safer if risk is treated holistically.

Moving to mobile, the cloud and hybrid working

Together, the public sector’s transition to cloud services over the last ten years, the growing trend of mobile working via multiple devices, and the UK-wide shift to home-working in the past two years have significantly changed the way that almost everybody works. Each of these steps has had benefits for people in every industry. One of the downsides, however, is that they have increased organisations’ vulnerability to cyber threats because people are using so many more online tools, apps, computers, mobile services, Internet of Things (IoT) devices and endpoints.

All this adds up to a plethora of access points for any enterprise to defend. Bolting on the third-party components increases the challenge of reducing risk along the whole supply chain and, therefore, the challenge of reducing risk to your organisation.

So, how secure is your organisation if you have the latest cyber security technologies, a certified security team, well-trained employees who know how to avoid phishing traps and rigorous procedures in place, but have absolutely no idea what your suppliers are doing on their side? Are they equally well prepared and protected? Or is it another case of ‘not if, but when’?

Scale and severity of cyber-attacks

Highlighting the shocking rise in the number of incidents in the public sector, in 2020 UK councils reported more than 700 data breaches to the Information Commissioner’s Office. Councils in every region of the country have been subject to attacks of varying severity. Costs and losses combined have racked up to millions of pounds in some cases, with all manner of public services disrupted, including council tax, benefits and housing waiting lists, all of which impact people’s lives and incomes and have a knock-on effect in the local economy.

Boosting cyber security in supply chains

In November 2021 the UK government announced new plans to boost the cyber security of the country’s supply chains. Public sector bodies might soon be forced to only buy services from companies with “good cyber security”.

Research from the Department for Digital, Culture, Media & Sport reveals that 91% of CEOs and directors of Britain’s top companies see cyber threats as a high or very high risk to their business. And while 69% say that their organisation actively manages supply chain cyber risks, nearly a third of them are not acting to improve supply-chain cyber security.

How to mitigate third-party risk and prevent supply chain cyber-attacks

There are several points to consider and plan when thinking about mitigating cyber-attacks and how to keep your organisation running if there is an incident. For instance, are you backing up your data? Are your employees trained to identify and deal with suspected phishing emails? What decisions would you make in the first 24 hours after realising your department has been breached? Who do you call for help? Can you continue to serve the public if your IT systems are down? Can you still work with your third-party suppliers? When and how can you bring your services back online safely?

The good news is that there’s no need to be daunted or overwhelmed. Everyone is in the same boat. None of these issues are insurmountable, and time, stress and damage can be significantly reduced with good preparation and planning before any incident occurs.

Perhaps the best place to start is by considering zero trust. Today, the UK’s National Cyber Security Centre strongly recommends that every organisation follows the zero-trust approach. It’s built on the three core principles of Verify Explicitly, Use Least Privileged Access and Assume Breach.

Taking the first steps will put you on the path to security maturity and greater peace of mind.
