25 Jan 2024
by Jessica Figueras

How to break free of supply chain security paralysis in a single day

Guest blog by Jessica Figueras, CEO at Pionen #NatSec2024

The MOVEit supply chain cyber attacks of 2023 provided yet another eye-catching reminder of the importance of supply chain security.

It wasn’t just MOVEit’s customers who were compromised, but its customers’ customers, including the likes of British Airways, the BBC and Sony; and their customers. Some eight months later it appears that thousands of organisations, and millions of individuals, have been affected by data extortion and breaches.

Yet the vast majority of UK organisations are far from getting a grip on supply chain security. The UK Government’s Cyber security breaches survey 2023 showed that only around one in ten businesses had reviewed the risks posed by their immediate suppliers (13%), and just 7% had reviewed their wider supply chains.

Larger organisations are doing better. The Cyber Assessment Framework (CAF) is starting to prompt UK central government bodies to raise their game. Other high-risk sectors are being forced to address supply chain security by new regulatory requirements: EO14028 in the USA and, soon, NIS2 in EU countries.

But the reality is that everyone needs to do so much more. More sophisticated threat actors, and an enlarging attack surface due to increasing digitisation, will keep compounding the problem.

Why has progress been so slow? Lack of awareness has certainly played a part. But even where executives understand the theoretical risks, paralysis too often reigns.

There is usually a lack of skilled people to identify and carry out the work required. And the sheer size and complexity of supply chains is daunting. The UK public sector has tens of thousands of direct suppliers, including nearly 5500 tech suppliers (Tussell, 2021). Even a medium-sized public body will have hundreds of direct suppliers and thousands of indirect suppliers.

Where on earth to start?

At Pionen we have helped customers with enormous supply chains to overcome paralysis by taking a risk-based approach. It’s probably not possible to secure your entire supply chain any time soon, let alone keep it secure. But it is possible to identify the suppliers posing the highest risks, and to focus your cyber assurance efforts there.

Over time you will learn a great deal about your supply chain; suppliers you never knew you had, ineffective business processes, significant vulnerabilities. These can be managed and mitigated; there are standards, best practices and great tools to help you.

The hardest part is mustering the necessary organisational buy-in, ambition, goodwill and resilience.

So start with a single, highly impactful, day of action. Bring all of your key stakeholders together to map out your organisational terrain and to start discovery. Generate energy and momentum. You can get a lot done in a day. Why not start now?


techUK’s National Security Week 2024 #NatSec2024

The National Security team are delighted to be hosting our annual National Security Week between Monday, 22 January 2024, and Friday, 26 January 2024.
