/>iEffective information security is no longer just dependent on an organisation’s own internal cybersecurity controls. The UK Information Commissioner’s Office (ICO) highlights that third-party service providers are processing an increasing amount of personal data for other organisations; this means that organisations may not solely rely on their own internal security measures to offer personal data adequate protection from potential vulnerabilities in their supply chain.
Quick Hits
- Supply chains are becoming a more appealing target for cybercriminals due to their vulnerabilities, allowing them to attack multiple targets simultaneously.
- Third-party service providers with inadequate security measures may put the entire supply chain at risk of cyberattacks.
- Organisations that conduct thorough risk assessments of their supply chain may reduce the risk of supply chain attacks and/or the impact a cyberattack might have on their personal data.
What Is a Supply Chain Attack?
Digital systems are used by many organisations to handle internal IT services and procedures. As these systems get more complicated and expensive to manage, businesses are increasingly relying on outside third-party or managed service providers, rather than in-house solutions. As a result, a connected digital supply chain is produced.
A supply chain attack is an attack against an organisation’s third-party suppliers or vendors, generally carried out to gain access to organisations in the chain. A large number of third-party suppliers in the chain may increase the threat as the number of entry points or vulnerabilities increases. The ICO, the United Kingdom’s data protection authority, has identified three types of supply chain attacks: software, digital, and hardware. Software attacks involve malicious code inserted into products or systems, allowing cybercriminals remote access to an organisation’s software, while digital attacks involve inserting malicious code into widely used programming libraries. Hardware attacks involve using hardware components, such as microchips, to allow remote access or to extract data.
Reducing the Risk
Robust pre-procurement checks when using third-party service providers may help mitigate the risks of supply chain attacks. This includes the following:
- Data Privacy Assessments: Understanding the responsibilities of each party, including what information third-party service providers will have access to and why.
- Security Assessments: Reviewing the technical and organisational measures third-party service providers are implementing to secure against attacks and minimise the potential impact of attacks.
- Due Diligence: Conducting regular assessments of third-party systems and processes to ensure they align with current standards.
Upcoming Legal Changes
In line with the European Union’s recent drive to enforce higher standards of cybersecurity by way of the cybersecurity directive, the Network and Information Security (NIS) Directive, recently revised and known as NIS2, the United Kingdom has wheels in motion to pass its own Cyber Security and Resilience Bill. Similar to the NIS2, the bill, which was announced during the July 2024 King’s Speech, is set to introduce mandatory security requirements which are likely to have a widespread impact and affect organisations and industries and require organisations to implement stricter cybersecurity measures. Organisations would also be subject to enhanced incident reporting requirements, amongst other things.
