
Optimising collective regulatory cybersecurity across supply chains

March 18, 2025

Dan Bridges, International Technical Director at Cyware, explores the evolving regulatory landscape around cybersecurity in supply chains.


In our modern hyper-connected digital economy, it is not unusual for supply chains to extend ever further, becoming increasingly complex. Each supplier ecosystem can consist of organisations of any size, from sole traders on the high street to global enterprises, each of which will have a different level of cybersecurity.

That means there might be insufficient protection, blind spots and an inability to respond effectively. It only takes one vulnerability within this chain to expose every entity in it to danger, because bad actors can daisy-chain quickly from the initial breach to other connected corporate networks, wreaking havoc along the way.

However, despite this clear risk, businesses in the UK are shockingly complacent about their supply chain security. Worryingly, the government’s 2023 Security Breaches Survey indicates that only just over a quarter of medium-sized companies monitor the cybersecurity risks posed by direct suppliers, with this rising to just over half among large companies. Perhaps more alarming, it is even rarer for businesses to review the potential dangers from their extended supply chains – fourth parties and beyond – exposing many UK organisations to great risk.

Introducing the Digital Operational Resilience Act (DORA)

The EU is taking a bold stance on these supply chain risks, especially when it comes to finance and critical infrastructure. DORA outlines how financial institutions must take responsibility for operational resilience, defending against cybercriminals and enabling service continuity. It highlights the requirement to manage security risks related to third-party suppliers, asking companies to assess, monitor and review their partners’ security protocols.

DORA makes the penalties for non-compliance clear: if a financial institution suffers a breach because it did not follow best practice, considerable fines will apply. In some cases, these will not apply only to the business; senior executives could also be on the hook for repercussions, including criminal charges.

Shaping supply chain strategies

DORA acts as a resource to help businesses shape their supply chain strategies and influence related security policies. It is not the only regulation in this environment: the Network and Information Systems Directive 2 (NIS2) centres on critical infrastructure resilience, aiming to make the cybersecurity processes of essential service operators more robust. We can also look to the long-established GDPR, which sets the standard for the privacy and integrity of personal data as well as the rights of data subjects. Beyond the regulatory scope of the EU, there are industry-specific standards maintained by independent bodies, such as the Payment Card Industry Data Security Standard (PCI DSS 4.0), which establishes security protocols for managing card payment details to keep personal data safe while preventing fraud.

Together, these security regulations aim to promote cybersecurity best practices across sectors and countries. They advocate collective responsibility, which is key to enhancing the security of complex supply chains where companies might operate as both customer and supplier. By supporting a collective approach to individual defence, all entities benefit from faster threat detection, allowing improved incident response and mitigation. Sharing resources and processes is particularly useful for smaller organisations that might have fewer IT resources and smaller budgets.

Establishing collective defence

There are a number of prerequisites to consider before beginning your collective defence journey. It needs clearly defined policies within a legal framework to ensure sensitive data and the interests of each entity are protected. From the outset, trust between these entities is critical to securing agreement and eventual success.

Next, it is time to assess current defence systems and identify any gaps. Solutions must work with the existing IT infrastructure and security tools, although it is also important to update and standardise security protocols and applications, while leveraging APIs to connect all participants seamlessly.

Sharing skills and responsibilities will promote long-term, sustainable partnerships across and between each entity. For example, security teams can add specialist knowledge around SOAR (Security Orchestration, Automation, and Response) and associated automated tools. These streamline security operations, minimise alert fatigue and speed up threat mitigation. Moreover, collaboration of this type fosters learning within a community of executives with the same goals, who can share the burden and support each other in the face of new threats.

To keep up to date with the ever-changing threat landscape, the collective strategy must include regular reviews and testing: adaptability is key to defence optimisation.

Protecting the vulnerable

Business resilience and continuity depend on supply chain security and compliance. Using guidance from regulations such as DORA and NIS2 will standardise supply chain strategies, providing a foundation for a collective approach. This guarantees a more resilient partner ecosystem for everyone.

The final step is for companies to create their own information sharing networks using off-the-shelf solutions. This will keep their own operations secure while extending protection to their wider supply partners. Such engagement will supercharge threat intelligence sharing, enabling real-time cross-sector collaboration. Even the smallest sole trader could avail themselves of early warning of looming danger to protect themselves – and others. At the end of the day, even the biggest enterprise’s defences are only as strong as its most vulnerable supplier.
