Time to get serious on supply chain cyber risks

The new Cyber Highway service makes it easier than ever for businesses to start to assess the cyber security of their suppliers. It's an opportunity more of them need to take.

Cyber is rising up the supply chain agenda. Last month former Home Secretary David Blunkett launched the Cyber Highway, a new website through which businesses can check whether their suppliers are certified under the Cyber Essentials scheme.

The scheme promotes basic standards of "cyber hygiene" to protect against common attacks such as malware infections and opportunistic hacking. There are two levels: for a Cyber Essentials badge, a business completes a self-assessment questionnaire that is independently reviewed by an external certifying body; for a Cyber Essentials Plus badge, the certifying body carries out the technical tests itself rather than relying on the business's own answers.

For central government, all contracts involving the handling of personal information or the supply of certain ICT products and services have required suppliers to hold the certification since October 2014. Two years on, the new Cyber Highway site makes it easy for private sector businesses to apply effectively the same standard to their own suppliers. They can now track suppliers' progress towards Cyber Essentials certification in real time.

It’s hoped this will, in turn, prompt more businesses to sign up to the scheme and work to achieve certification – vital following the vote for Brexit, according to Blunkett.

“It is more important than ever, post-Brexit, for businesses to hold an internationally-accepted certification, as competition increases and an extra level of cyber-resilience is required,” he said at the launch.

Opens doors: Risks from suppliers, vendors and customers

There are also a couple of other reasons to welcome such moves.

One is that many big security breaches can be traced back to attackers exploiting weaknesses at suppliers rather than at the victim itself.

That might mean criminals targeting a business's raw materials suppliers or simply its service providers. The data breach at US retailer Target, which in 2013 had 40 million payment card details stolen, remains perhaps the prime example of the latter. That attack began with network credentials stolen from its refrigeration, heating and air-conditioning subcontractor; the contractor's login gave the attackers a foothold from which they were able to reach Target's payment systems. The lesson is as much about the customer as the supplier: third-party access should be confined to what the supplier actually needs, so that a compromised contractor cannot become a stepping stone to the core of the network.

The second reason to welcome initiatives like the Cyber Highway is related to this: many businesses still seem complacent about this aspect of their supply chain risk.

A recent survey by insurance brokers Marsh found that only a quarter of UK large and medium-sized corporations assess their supply chains for cyber risks. As the report notes: “[T]he overwhelming majority of companies are leaving themselves exposed to third parties, from service providers to customers.”

Anything that gives businesses the tools to start changing this can only be a move in the right direction.

More than words: slavery in the supply chain

It may not seem it, but the deadline for companies' statements on tackling modern slavery is deadly serious. Businesses need to be sure they know what's happening in their supply chains.

Human rights is the number one corporate social responsibility issue in supply chains, according to a recent survey. It ranks ahead of even environmental concerns and traceability when it comes to identifying essential concerns in the coming year.

It's hard to argue with this: human rights are a key focus not just of consumers but also of governments attempting to crack down on abuses. One key example is regulation to fight modern slavery.

The end of September marked the "deadline" for big organisations with a financial year ending in March to publish their modern slavery statements. In the statements, introduced by the Modern Slavery Act 2015, organisations supplying goods or services with a global turnover of £36 million or more must set out the steps they have taken to ensure modern slavery is not taking place in their business or supply chains.

A light touch

On the one hand, the requirement doesn't seem too taxing. It is, for instance, a “soft” deadline: government guidance says only that businesses should publish their statements “as soon as reasonably practicable” after the end of each financial year, and “encourages” publication within six months – hence the end of September cut-off for those with financial years ending in March.

This is, as others have pointed out, “a light-touch approach”, and some of the initial efforts seem to reflect a failure to take the new rules seriously.

According to one analysis of the statements submitted so far, most fail to meet the minimum standards the Act sets out. The majority, for instance, are either not signed by a company director or not linked from the company's website homepage, two of the Act's basic requirements.

No excuse not to know: time for supply chain transparency

Nevertheless, the advent of these statements is an important milestone.

For a start, the availability of statements from hundreds of companies introduces a benchmark against which policies can be assessed. They are also likely to be pored over by campaign groups, including those focused on "strategic litigation", which bring cases in the civil courts to penalise abuses.

Finally, more moves against slavery in the supply chain can be expected, with Theresa May recently reiterating her commitment to the issue as Prime Minister.

Given all that, statements are going to be more than just a PR tool. Some, according to the UK's Anti-Slavery Commissioner, are likely to end up as evidence of whether companies ought to have known that slavery was taking place in their supply chains, potentially exposing them to criminal liability.

The statements are really just the start; businesses need to be sure they have the visibility and processes to root out abuses in the supply chain.

As Theresa May wrote when she was Home Secretary overseeing the introduction of the Modern Slavery Act: “It is simply not acceptable for any organisation to say, in the twenty-first century, that they did not know.”