5 steps to better supply chain security

Supply chain

It’s not an exaggeration to say that supply chains pose one of the greatest cybersecurity risks to any business. In recent years, there’s been a huge increase in attacks stemming from supply-chain vulnerabilities. According to IBM’s 2023 X-Force Threat Intelligence Index, more than half of security breaches are attributed to supply chain and third-party suppliers, at a high average cost of over $4 million. 

It’s a serious problem. And, like most small businesses, you’re probably asking what you can do about it. After all, looking after your own cybersecurity is tricky enough; how on earth do you start addressing gaps in your suppliers’ defences? 

To help you get started, we’ve put together 5 supply chain security best practices to strengthen your digital defences.

Supply chain

1. Protect your own business first 

This almost goes without saying, but before you delve into your supply chain, it’s worth considering your own cybersecurity status first. Is your business Cyber Essentials certified? Do you have security controls in place? Do you provide regular training for staff on cyber threats and best practices?

If you’ve answered no to any of the above, then these are great first steps in securing your business. And there’s a bonus to taking these measures first. By reviewing your own security, you’ll get a good idea of your business’s crown jewels – those critical aspects of your organisation that need the strongest protection.

2. Talk to your suppliers 

Progress begins with dialogue. So talk to your suppliers and partners about their cybersecurity. You may find that your business faces many of the same difficulties and threats. 

This can help you work together to ensure everyone in your supply chain works to the same security standards. And keeping dialogue open makes it much more likely that suppliers and partners will let you know faster if something goes wrong – protecting your business in the long run.

3. Make cybersecurity part of your contractual agreements 

Behavioural change often requires incentives. Once you’ve established what good cybersecurity looks like for your business, apply those principles to your partner and supplier contracts. 

How these agreements look will depend on your organisation. Requiring your partners to have a complete Cyber Essentials certification will be enough for some businesses. Others may need something more comprehensive, like ISO 27001 certification

The important thing is that you make good cyber hygiene an expectation (rather than a nice to have) for anyone working with your business. By doing so, you not only incentivise good cybersecurity behaviours across your supply chain but also protect your business. 

4. Keep improving

Building a strong cybersecurity culture across your network takes time. It requires trust between businesses, and you can’t build that overnight. So persevere if your supply chain doesn’t immediately transform from leaky to locked down.

 Cybersecurity is all about learning. As cyber threats evolve, so too do the methods for thwarting them. Stay updated with new threats and tweak and adapt your practices accordingly. You can then use this knowledge to update partners and suppliers and strengthen your supply chain.

5. Follow the NCSC’s new guidance 

Finally, if you’re looking for a framework to tie everything together, you could do a lot worse than the National Cyber Security Centre’s (NCSC) supply chain cybersecurity guidance.

The NCSC’s guidance breaks tackling supply chain security down into five basic steps ( in case you were wondering where we got the idea from):

  1. Understand why your organisation should care about supply chain cybersecurity
  2. Develop an approach to assess supply chain cybersecurity
  3. Apply the approach to new supplier relationships
  4. Integrate the approach into existing supplier contracts
  5. Continuously improve

It’s a great place to start if you’re serious about tackling cybersecurity across your supply chain.

It’s a journey, not a destination

And remember, securing your supply chain is an ongoing process, but starting now is one of the biggest single investments you can make in protecting your business. Want to know more? Check out our new guide to protecting your business.

Supply chain CTA 2

What is a supply chain early warning system and how does it improve your cybersecurity?

supply chain early warning

89% of businesses have experienced a supply chain risk event in the past five years. Discover how a supply chain early warning system can help you reduce risk and stay one step ahead.

What is a supply chain early warning system?

A supply chain early warning system (EWS) identifies potential security threats in your supply chain, based on a combination of internal and external data. After analysing the data, the system notifies decision-makers and suggests measures to mitigate the threat or minimise the impact. Together with your cybersecurity tools, processes, and policies, it helps to protect your business against third-party threats.

In the past, supply chain early warning systems focussed on far-reaching external factors that could disrupt business operations. For example, natural disasters, critical component shortages, or industrial action. But, due to the growing threat of supply chain attacks, today’s systems play a crucial role in protecting businesses against cybercriminals.

Supply chain attacks increased by 633% in 2022.

– Sonatype, Stats of the Software Supply Chain

5 supply chain cybersecurity risks an early warning system detects

Supply chain attacks surpassed traditional malware-based exploits by more than 40% in 2022, according to the Identity Theft Resource Center’s annual Data Breach Report. In the past twelve months, supply chain attacks impacted over 10 million people representing 1,734 entities.

What makes them so difficult to detect, let alone stop, is the diverse array of delivery methods. Of the numerous supply chain risks to be aware of, these are among the most common.

Worried about the threat posed by supply chain attacks? Read our guide to protecting your business.

1. Watering hole attacks

The hacker inserts malicious software into a website that receives a lot of traffic from the target business or businesses. When someone visits the compromised site, the malware infiltrates the visitor’s defences to gain access to their systems or data. Watering hole attacks are difficult to detect and boast a higher-than-average success rate.

2. Compromised software development tools

The hacker compromises a supplier’s software development tools, infrastructure, or processes. This leaves any resulting applications built from them vulnerable to zero-day security exploits, putting end-users at risk.

3. Compromised website builders

The hacker compromises a supplier’s website via its website builder. Typically, the hacker installs malicious software or a redirect script into the target site, which sends users to a malicious clone of the website when they visit the URL.

4. Stolen product certificates

The hacker steals an official product certificate, which enables them to distribute malicious software and applications under the guise of legitimate products. 

5. Third-party data store breaches

The hacker infiltrates a third-party data centre, for example, via a botnet. Once inside, they can steal sensitive business or customer information which they can then:

  • Sell for profit on the dark web
  • Ransom back to the victim
  • Release to the public
  • Delete or corrupt

How do early warning systems protect you against supply chain threats?

Detect and respond to network vulnerabilities

Most businesses only realise a hacker has compromised their network when they spot suspicious activity. For example, when a network client scans the internet. But at this point, the damage may already be done. An early warning system proactively monitors your network for vulnerabilities and malware, giving you time to repair any breaches before hackers can exploit them.  

Identify and assess cyber risks

An effective supply chain early warning system raises your awareness of external cybersecurity threats that may impact your business. When your system identifies a potentially harmful event or attacker, it notifies relevant stakeholders. This helps you:

  • Quickly spot and assess risks
  • Proactively monitor emerging threats or incidents
  • Prepare your defences to minimise or mitigate the impact on your business

Raise stakeholder awareness

By keeping stakeholders informed of current and emerging threats, early warning systems help to raise awareness of your supply chain risks. Over time, you’ll understand what to look out for and where to invest your cybersecurity budget to protect against online threats. 

Forewarned is forearmed

A supply chain early warning system adds another layer of defence to your cybersecurity. It gives you a clear view of your risk landscape, so you can detect and respond to online threats more effectively.

However, you don’t necessarily need a specialist tool to dramatically improve your supply chain security. Cyber Essentials certification can help you get the basics in place. Meanwhile, a generalist security tool like CyberSmart Active Protect can give you early warning of vulnerabilities within your own organisation, mitigating many of the risks your business faces. Likewise, following the NCSC’s guidance on mapping your supply chain can also help better protect your organisation.

You can’t always control the security of your suppliers or partners, but by getting the fundamentals down, you can minimise your risk.

Supply chain CTA 3

What is a watering hole attack and how can you prevent them?

Watering hole attack

In 2018, the Cambodian Ministry of Defence and several Vietnamese news outlets fell victim to a sophisticated cyberattack targeting multiple high-profile websites across Southeast Asia.

The attack went undetected for months, during which time anyone who visited the compromised sites was redirected to a page controlled by the hackers. From there, the hackers were free to distribute malware to the unfortunate victims. The notorious OceanLotus threat group claimed responsibility.

Known as a watering hole attack, OceanLotus was by no means the first group to target places people visit rather than the individuals themselves. In this article, we explain what a watering hole attack is, how they work, and how you can protect your business against them.

What is a watering hole attack?

Watering hole attacks are a type of third-party or supply chain attack. The hacker aims to install malicious software on the victim’s computer or gain access to their network by compromising websites they visit frequently. The consequences can be severe, ranging from theft of sensitive customer information to making the victim’s computer part of a botnet.

The name “watering hole attack” derives from nature. Over the aeons, lions and other predators have adapted their hunting strategies to conserve energy. Instead of chasing prey across the scorching African savanna, they simply wait for the zebra or gazelle to visit a watering hole and pounce while it’s busy drinking. 

Cybercriminals typically use watering hole attacks to target large, well-protected organisations. Either by compromising an employee’s computer or a partner business further up the supply chain. 

Watering hole attacks are difficult to detect because they harness the implicit trust people place in well-known organisations and institutions. And, because many successful attacks target exploits in browsers or systems, they have a high success rate. 

Worried about the threat posed by supply chain attacks. Check out our guide to protecting your business.

How do watering hole attacks work?

The average watering hole attack unfolds over three stages. 

1. Reconnaissance

The hacker gathers intelligence about the target’s browsing habits. This can include a mix of publicly available information and illegally obtained private data. They can then use this information to create a shortlist of suitable sites to host the attack. Usually, these are sites with lower-than-average security.

2. Planning

Once the hacker identifies the most suitable hosting domains, it’s time to decide how to launch the attack. The two most common options are to:

  1. Probe the shortlisted hosting domains for any potential weaknesses the criminals can exploit to compromise the legitimate website.
  2. Create a spoofed version or clone of a shortlisted hosting site that contains malware.

Some cybercriminals may combine the two approaches to increase their odds of success. In this scenario, the hacker compromises a legitimate website and inserts a redirect code that sends victims to the fake site where the payload is delivered.

3. Design and execution

The hacker exploits any weaknesses to insert malicious code into the watering hole site or cloned website. Typically, this involves manipulating web technologies like HTML and JavaScript or using exploit kits that target specific IP addresses. When someone visits the compromised domain, their browser automatically downloads the malicious software. 

In the case of drive-by attacks, the hacker capitalises on the implicit trust users have in well-known websites by hiding malware in download buttons or links. When the victim clicks on the link, they inadvertently download the malicious software – often without even realising it. 

Remote access trojans (RATs) are a popular choice of malware among cybercriminals, as this grants access to the victim’s computer or systems.

Watering hole attack

*Image: Supply chain security guidance, National Cybersecurity Centre

How to prevent watering hole attacks

The first step is to familiarise yourself with cybersecurity best practices. Simple measures, like installing reliable antivirus software and upgrading your browser protection, can significantly reduce your cyber risk.

We recommend adopting these four measures, as a minimum.

Stay on top of system updates

Many cyberattacks work by exploiting unpatched vulnerabilities in operating systems, browsers, and software. And watering hole attacks are no different. By installing the latest security updates as soon as they become available, you can plug these gaps before cybercriminals have a chance to use them.

Regularly review and test your security

Many cybercriminals bank on the fact that most people think their antivirus software tackles threats for them. We recommend that you review your security tools, processes, and policies at least once a year to ensure you’re protected against the latest threats.

Educate and train your staff

The cybersecurity landscape is dynamic. Cybercriminals are constantly evolving their tactics and new threats emerge all the time. Then, there’s the human factor. According to Stanford University research, human error causes 85% of data breaches. Run regular training workshops to teach staff to identify suspicious activity, spot potential threats, and respond to cyber-attacks.

Get Cyber Essentials certified

Cyber Essentials is a government-backed scheme that provides a simple framework to help businesses protect against cyber-attacks. It’s separated into five technical controls:

  • Secure configuration
  • Malware protection
  • Network firewalls
  • User access controls
  • Security update management

Cyber Essentials is a more affordable option than advanced certifications, like ISO 27001. It’s also faster and less intensive, so it’s a good place to start. With the right guidance and support, you can become certified in just three days. This makes it the perfect solution for SMEs.

For more advanced recommendations, read the National Cybersecurity Centre’s (NCSC) 12 principles of supply chain security.

It’s a jungle out there

Watering hole attacks are no longer a niche threat. Forbes named them as one of the top ten cybersecurity threats of 2022, reflecting the increase in supply chain attacks in recent years. 

The key thing to remember is that you’re not powerless. By adopting the measures we’ve recommended here, you can minimise your cyber risks and ensure you don’t fall prey to digital predators.

Supply chain CTA 2

What do the proposed NIS regulations mean for managed service providers?

NIS regulations

As attendees of our event CyberSmart Live! will know, one of the hottest topics within the cybersecurity industry at the moment is the proposed regulatory changes for managed service providers. The Department for Science, Innovation and Technology (DSIT) is planning changes to the scope of its Network & Information Systems (NIS) regulations to include MSPS. 

So, to help you understand whether your business is affected and what you need to do, here’s a quick summary of the potential changes.

What are the changes? 

Under the proposed framework, some MSPs (more on that later) will have a legal duty to:

  • Register with the Information Commissioner’s Office (ICO)
  • Take steps to secure their networks and information systems
  • Minimise the impact of incidents on their networks and information systems
  • Report incidents to the ICO

Why does this only apply to some MSPs?

The regulations don’t apply to small and micro providers. To qualify, your business must: 

  • Employ more than 50 staff
  • Have a turnover of more than €10 million per year

On top of this, only MSPs who meet the criteria of a digital service provider (DSP) under NIS regulations need to register with the ICO. NIS defines a DSP as “providing online marketplace services, cloud computing services, online search engine services or managed services.”

What are the changes to NIS regulations for? 

Cybercriminals are targeting MSPs with increasing regularity. The risk has grown so severe that security services from the ‘five eyes’ countries – Britain, the US, New Zealand, Australia and Canada – felt moved to issue an official warning in 2022. 

MSPs are so attractive to hackers because they’re usually part of a supply chain and have access to clients’ networks and IT environments. And, to add the icing on the cake for any cybercriminal, MSPs typically have access to large amounts of sensitive data – everything from financial information to breakdowns of customers’ security. 

We’ve seen countless examples of attacks on MSPs that lead to a huge breach across their entire client base. The NIS regulations are an answer to this. The proposed changes represent a real attempt by DSIT better to protect MSPs and their customers from the growing threat. 

When are the regulations due to come into force?

As of 13th April 2023, the Government has confirmed that it will go ahead with the proposed reforms to amend the NIS Regulations. So, we’re expecting to see the changes come into force sometime in 2024. Although, it should be noted that this is subject to the government finding “a suitable legislative vehicle”.

Is there anything else you should know?

At this point, you’ve likely got some further questions about the proposed changes. Unfortunately, we don’t have space to cover everything in this blog. But, for more information, we recommend checking out our handy set of FAQs on the regulations. You should find everything you need to know to prepare you for the changes.

Here is a follow up video we did with the Department for Science, Innovation and Technology that goes into further detail on the proposed NIS regulations for MSPs.

Times are tough for SMEs, with many facing tough financial decisions. So, to help out, we’ve put together a step-by-step guide to cybersecurity on a budget. Read it here.

Cost of living CTA 3

Press release: Heightened risk of insider threats during cost-of-living crisis, according to SME study

insider threats

Our latest research (to be released as a report) reveals fear among UK SMEs about insider threats. Some key findings include:

  • Nearly half of UK SMEs (47%) believe they are at greater risk of a cyberattack since the cost-of-living crisis.
  • 38% believe this is due to increased malicious insider threats, and 35% believe it is due to negligent insider threats.
  • 1 in 4 believe staff are overwhelmed or concerned about meeting their financial commitments.
  • 20% believe employees will steal sensitive or proprietary data from the company to sell for profit or for a competitive advantage.
  • 17% believe employees will seek to harm the company’s reputation due to resentment over salary cuts/stagnation and/or layoffs.

London, UK (15th June 2023) – Nearly half of UK SMEs (47%) believe they are at greater risk of a cyberattack since the onset of the cost-of-living crisis. Of these respondents, 38% believe this is due to increased malicious insider threats (i.e., disgruntled employees making decisions that are not in the best interest of the company) and 35% believe it is due to negligent insider threats (i.e., overworked or distracted employees making mistakes). This is according to a survey of a thousand SME senior leaders across the UK, commissioned by CyberSmart, the category leader in simple and accessible automated cybersecurity technology for small and medium-sized enterprises (SMEs), and conducted by Censuswide.

In light of the economic uncertainty, almost 1 in 3 employers (29%) admit that employee salaries have stayed the same: in effect, resulting in a decline of real wages to accommodate for inflation. A further 11% have even gone so far as to reduce salaries. What’s more, nearly a quarter (24%) of SMEs have hit pause on recruitment, while 16% have laid off employees for budgetary reasons.

It is no coincidence then that 1 in 4 employers (24%) are finding that their staff are overwhelmed or concerned about meeting their financial commitments, while nearly a fifth (18%) find they are feeling overworked. Moreover, 16% believe their staff are less engaged or productive due to the stress, 14% think they are more disgruntled and 11% have noticed an increased rift between senior leadership and employees.

Remarkably, employers expect their employees might engage in the following activities whilst in this unhappy state.

  • 22% believe employees will take on a second or third job during contractual hours.
  • 22% believe employees will be more likely to make mistakes such as clicking on a phishing link.
  • 20% believe employees will steal sensitive or proprietary data from the company to sell for profit or for a competitive advantage.
  • 17% believe employees will seek to harm company reputation due to resentment over salary cuts/stagnation and/or layoffs.
  • 14% believe employees will use AI such as ChatGPT to do their job for them.
  • 14% believe employees will steal money from the company or commit financial fraud.

“Not all businesses are experiencing a negative company culture as a result of the crisis. In fact, 20% believe the cost-of-living crisis has brought the company closer together and 16% of employees are becoming more motivated to impress senior leaders. Nevertheless, in times like these, it is crucial that employers are mindful of how their staff are coping,” said Jamie Akhtar, CEO and Co-Founder of CyberSmart. “It only takes one disgruntled or overworked member of staff to make a decision that could put the entire business at risk. This research highlights the importance of conducting regular security awareness training, but also the need to show up for employees with empathy and support.”

It should be noted that SME business leaders also consider external forces to be responsible for the growing risk of cyberattacks, with 32% attributing it to higher rates of supply chain fraud and 31% expressing concern about nation-state interference from hostile countries such as Russia and China.

Want to know more? Read the report in full here.

SME cost of living crisis

What is a DDoS attack?

The cybersecurity industry has long had a reputation for impenetrable jargon, be it tools, threats or solutions. So, in this blog, we’re demystifying another confusing term. What are ‘DDoS attacks’? Why should you be worried about them? And, most importantly of all, what can you do to stop them?

How does a DDoS attack work?

DDoS stands for Distributed Denial of Service. And it’s a very simple but potentially very disruptive premise. Cybercriminals pick a target, then flood its network with so much malicious traffic that it can’t operate as it usually would. The result is that legitimate traffic (such as shoppers or readers) grinds to a halt. 

You’ve probably seen this technique used before without necessarily putting a name to it. Google was hit with the largest attack on record in 2017. Meanwhile, Amazon Web Services fell foul of a gigantic attack in February 2020

How common is this kind of attack? 

DDoS attacks are more common than you might think and they’re on the rise. 2020 saw a 151% increase in the frequency of attacks in comparison to 2019. And, to make matters worse, cybercriminals are increasingly targeting small businesses with this kind of attack. 

How much damage can a DDoS attack do? 

A DDoS attack is highly disruptive for any business. But for big corporates, it’s usually something they can swallow. After all, for a multi-billion dollar business, a few days lost revenue and some disgruntled customers don’t have to spell disaster. 

However, for a small business, a DDoS attack can have serious consequences. A successful DDoS attack can take down entire websites and systems. This could mean lost revenue, breached data, reputational damage, dissatisfied customers, and a massive cleanup effort to get systems back up and running. In other words, a potentially critical situation for a small business with limited resources. 

What can you do to protect your business? 

We’ve painted a pretty scary picture so far. But that doesn’t mean small businesses are defenceless in the face of DDoS attacks. There’s plenty you can do to help your business avoid the worst-case scenario. 

Use a Web Application Firewall (WAF)

A WAF blocks suspicious traffic and prevents DDoS attacks from accessing your business’s servers. And, the best thing about a WAF is that it’s easy to customise for your business. For example, if you mostly do business in the UK, you could configure it to block all non-UK traffic. Or, you could take it a step further and blacklist traffic from markets renowned for attacks.

Of course, like all software, you need to ensure you’re patching regularly for it to be most effective. 

Learn to spot the signs

We’re always talking about the importance of security training for your staff and our advice is no different when it comes to preventing DDoS attacks. One of the key reasons that DDoS strikes are so hard to stop is so few people know how to recognise them – until it’s too late and business systems fail.

To give an example of what we mean, did you know a sudden surge in traffic – even for just a few minutes – could signal the start of an attack?

Even basic cybersecurity knowledge among staff about what the threats are, how to spot them, and what to do in the event of an attack, can help your business get a head start on cybercriminals.

For more on security training, read this

Be mindful of your supply chain

A huge proportion of cybersecurity attacks now begin in the supply chain. And, unfortunately, this includes DDoS attacks. Most SMEs are part of a supply chain and lack the security resources of larger partners, making them an enticing way for cybercriminals to attack more glittering prizes. 

These ‘attacks through the back door’ are becoming increasingly common. US retail giant Target was fined $18.5 million after a breach at its air conditioning partner led to the leak of millions of credit card details. 

So talk to your suppliers and partners about their cybersecurity practices and share experiences and advice. For those below you in the chain, this may mean asking for proof that their cybersecurity is in order. And for the bigger companies you service, this could mean agreeing to shared security practices and transparency in the event of a breach. 

Protecting your business on a budget is tricky. Calling in the experts or investing in the latest tools is expensive. So what can you do? CyberSmart Active Protect secures your business around the clock with no need for costly consultants, tools or an in-house team. Try it today.

Active Protect CTA

Why supply chains pose the greatest cybersecurity risk to your business

supply chains

What do you think of when you imagine a typical cyberattack?

If you’re like most of us, then chances are you immediately thought of a high-profile attack on a single organisation, say, the Twitter or Mariott breaches in 2020.

In reality, cybercriminals rarely enter through the front door. Here’s why supply chains pose the greatest risk to your cybersecurity.

What do we mean by supply chains? 

As a small business, you’re almost certainly part of a supply chain. Depending on what your company does, you could be a supplier, vendor, distributor or retailer. Your part in the supply chain isn’t the important thing. What’s important is the symbiotic relationship this gives you with other businesses in the chain.

Think of it as akin to the way different species exist in nature. This relationship can be mutually beneficial; bees need the pollen from flowers for food and energy, and flowers need bees for pollination. Or, the relationship can be destructive, as the increasing number of zoonotic diseases (such as COVID-19 and SARs) passed from animals to humans proves. The same is true of the ties between businesses.

Worried about the threat posed by supply chain attacks? Check out our guide to protecting your business.

Why do supply chains pose a cybersecurity risk? 

When business leaders evaluate their cybersecurity, most know the first place to look is within their organisation – at their own people, systems and infrastructure. Unfortunately, that’s no longer enough. 

According to research, up to 80% of cyberattacks now begin in the supply chain. Cybercriminals have realised that to target high-profile businesses, you don’t need to attack the organisation itself. Big corporate enterprises often have the best in cybersecurity tools and processes, so breaching their defences is difficult.

However, the SMEs who supply or provide services to these big companies usually have far more modest defences. And, crucially, they provide a ‘backdoor’ into bigger organisations by being part of the supply chain. A breach at even the smallest link in the supply chain can have dire consequences for everyone within it. This makes SMEs a prime target for cybercriminals with an eye on big enterprises. 

A great example of this is the recent SolarWinds attack. By breaching SolarWinds (an IT infrastructure provider), cybercriminals were able to gain access to some of the world’s largest tech companies, including Microsoft, Intel and Cisco. 

How to protect your business 

So, if supply chains pose such a risk to your cybersecurity, what can you do about it? Small suppliers can’t help being targeted by cybercriminals. And large enterprises can’t control what everyone in their supply chain is doing all of the time. 

Fortunately, there are a few things you can do to reduce the risks. 

Get your cybersecurity in order

Although you can’t always control what everybody else in your supply chain is doing, good cyber hygiene begins at home. This means that your priority should be ensuring your own cybersecurity is up to scratch.

A great place to start is by getting Cyber Essentials certified. The government-backed certification scheme assesses your business against five key cybersecurity controls:

  • Is your internet connection secure?
  • Are the most secure settings switched on for every company device?
  • Do you have full control over who is accessing your data and services?
  • Do you have adequate protection against viruses and malware?
  • Are devices and software updated with the latest versions? 

By ensuring these criteria are in place, you can protect your organisation against 98.5% of cybersecurity threats – including most of those that are likely to come through your supply chain. 

But don’t stop at certification. Consider using encryption and two-factor authentication on all company devices and implement a strong password policy and enforce it. 

Alongside this, put in place an easy-to-understand cybersecurity policy and make sure everyone within your business has access to it. More often than not, supply chain breaches come from staff acting in good faith. If your people don’t know which behaviours are harmful or how to spot a threat, then your business will always have a chink in its armour. Education really is the key. 

Talk to your supplier and partners 

The greatest defence against supply chain attacks is trust between partners. So talk to your suppliers and partners about their cybersecurity practices and share experiences and advice.

This may sound like something from a business self-help book, but poor communication or reluctance to admit a breach has happened can often turn a minor attack into a disaster. By fostering trust and a willingness to communicate across the supply chain, you’re effectively creating an early-warning system for your business. This can be vital in halting or at least containing the breach.

Aim to work with businesses that are Cyber Essentials certified 

Of course, building trust in any context takes time. And time isn’t always something you have when working with new partners or suppliers. So, an alternative is to insist on a minimum security standard for any business you work with. 

Cyber Essentials certification is tailor-made for this. By choosing to work only with businesses that display the Cyber Essentials logo, you ensure everyone you rely on is working to the same security standards, minimising the likelihood of a breach. How you approach this is up to you. Some businesses include it as a standard contractual clause, while others have more informal agreements in place. What matters is the assurance that your partners and suppliers take their cybersecurity responsibilities as seriously as you do. 

Supply chain CTA