Northdoor’s CCO reacts to the latest report on the management of supply chain cyber security risk.
The Department of Media, Culture and Sport (DCMS) has issued an initial report following its call for views on supply chain cyber security. In this blog, AJ Thompson, CCO at Northdoor, comments on that report, which was released last week and covers security within an organisation’s supply chain. The government confirms that the key barriers to effective supply chain cyber security risk management are:
- Low recognition of supplier cyber security risk,
- Limited visibility into supply chains,
- Insufficient tools to evaluate supplier cyber security risk,
- Limitations to taking action due to structural imbalances.
Research by DCMS indicates that only 12% of organisations overall, and 36% of large firms, formally review the cyber security risks coming from their immediate suppliers, and that an even lower 5% address vulnerabilities in their wider supply chains.
Supplier risk awareness is not being matched by action.
The report was drafted after a series of very high-profile breaches in which an organisation’s data was compromised not through its own systems but through those of a key supplier; the Kaseya breach was widely reported, with over 1,500 companies affected. Just today, the National Cyber Security Centre has issued a warning that over 4,000 Magecart users in the UK have been compromised by hackers targeting payment details.
In fact, last year, over 50% of breaches were through a company’s supply chain.
As the report shows, companies are well aware of the risks, but most struggle to find a solution.
Risk assessments need to be brought up-to-date
Under the GDPR legislation initiated in May 2019, there was a flurry of activity to ensure companies fulfilled at least the most basic assessment of their supplier risk. Typically this comprised a spreadsheet-based assessment that allowed suppliers to respond in free text, answering questions on their own security status. These questionnaires made their way back to the sender – eventually – were given an initial review and were then filed away. There was no real standardisation of responses, no scoring of risk and, for almost every organisation, no subsequent follow-up either last year or this. What this means is that the good intentions of the GDPR legislation were met in 2019 but have not been brought up to date since.
There are many issues with an annual questionnaire approach, from assessing the responses to chasing the returned forms. The single most important is that it is typically a one-off annual review that relies solely on the recipient to provide accurate, up-to-date information. It is also unlikely that many recipients listed all of their own security issues in detail.
Northdoor has been working alongside The Salvation Army for the past twelve months, helping them to automate their supply chain management. They had similar issues to most companies: manual assessments, complex responses, once-a-year snapshots and no independent view of their supply chain. They were totally dependent upon the information provided by their suppliers.
Northdoor plc’s low-cost automated supply chain cyber risk management solution, RiskXchange, was awarded ‘Security Solution of the Year’ at this year’s European IT & Software Excellence Awards.
Automate supply chain risk management with RiskXchange
Our solution, RiskXchange, fundamentally changed their approach. We provide a bespoke questionnaire with automatic scoring, and then run over 250 separate searches across the web every day to gather information on each supplier, such as breached email addresses, poor patching cadence, open ports, misconfigured SSL certificates and more. All of this data is scored and presented in a red, amber and green dashboard with full drill-down capability, giving you an up-to-date and independent assessment of your critical suppliers.
As a result of the project, we were awarded IT Security Solution of the Year at the recent IT Europa Awards, a testament to the work The Salvation Army completed to automate their compliance.