Why all businesses must start taking supply chain security seriously

Chris Clinton
October 31, 2022

We're kicking off this blog by making a bold statement:

Supply chain security is one of the most critical issues facing businesses today. 

The supply chain is the backbone of any business. While we traditionally think of the supply chain as the process of getting physical goods from point A to point B, the modern supply chain is much more complex and global. Take the average SaaS company: While their developers are in the UK, their customer's marketing data sits on a server in the US.Their HR services are outsourced to a firm in Germany, while their actual product is used by customers all over the world.

This globalisation of the supply chain has led to new challenges in terms of security. With so many moving parts, how can businesses be sure that their data is safe when it's being stored and processed in so many different places? In this blog post, we'll explore some of the most significant risks facing supply chain security today and explore future solutions to this increasingly complex issue. 

Your business takes data security seriously. But do your suppliers?

"The supply chain is only as strong as its weakest link" is currently security analysts' favourite phrase when discussing supply chain security.

It's corny, but it's true; one of the most significant risks to supply chain security is that businesses often have very little control over the security practices of their suppliers. While outsourcing processes such as finance, HR, and marketing can save businesses time and money, it also means entrusting sensitive data to third-party service providers.

According to a recent study by Symantec, 43 per cent of data breaches are caused by vulnerabilities in the supply chain. That's a pretty staggering statistic, and it means that even if your business has robust security measures in place, you could still be at risk if one of your suppliers has lax security. With only 1 in 10 companies assessing the security risks posed by their immediate suppliers, this lack of visibility over the supply chain is a significant concern.

Businesses currently try to mitigate this risk through supplier due diligence, which means assessing a potential supplier's business practices to ensure they meet your company's standards. This process can be time-consuming, costly and often only serves as a "snapshot in time" when assessing a supplier's security posture, failing to protect your data once those contracts are signed.

Businesses now use an average of 75 different technology products

The number of technology products and services used by businesses has exploded in recent years, with the average company now using 75 different products and services, up from just 20 in 2010. This rapid increase is due to rise in cloud-based software-as-a-service (SaaS) applications, allowing businesses to quickly and easily adopt new technologies without needing complex on-site infrastructure.

However, this increase in technology usage has led to a corresponding increase in potential entry points for cybercriminals. Picture this, last week, your marketing manager trialled two different landing page solutions, while on Monday, you found a new platform to automate your proposal process completely. In the space of a week, your business has introduced three new potential entry points for cybercriminals, and that's not even considering all the other technology products you and your team use daily.

As organisations get bigger, teams become more siloed, and more companies opt to for flexible work, it becomes increasingly difficult to track which technology products are being used and by whom. This can lead to "Shadow IT" - using unapproved tech and software products - which can pose a significant security risk as businesses lose visibility and control over how their sensitive data is being stored and processed.

The supply chain now includes businesses of all sizes

Historically, the supply chain has consisted of large businesses that outsource various processes and services to smaller suppliers. However, in recent years we've seen a shift towards what's known as the "long tail" supply chain, which includes a more extensive mix of many small and medium-sized businesses (SMBs) outsourcing services to each other.

While this shift has led to increased competition and innovation (this is a great thing!), it has also created new challenges for businesses trying to keep their data secure. As we know, SMBs often don't have the same resources as larger businesses when implementing robust security measures or access to the in-house expertise required to maintain complex security systems. In the UK, 38% of small and micro businesses reported suffering a cyberattack, with almost a third suffering an attack at least once a week.

By targeting the smaller businesses in the supply chain, cybercriminals can indirectly gain access to larger businesses.

Data protection laws add another layer of complexity

Not only do businesses need to worry about their data compliance requirements, but they also need to ensure that any supplier storing or processing their sensitive data does so in compliance with the growing number of data protection regulations now being implemented worldwide.

Let's take a small accountancy firm as an example. To save on costs, they now outsource their HR needs to another company based in the UK. As conferences ramp up again this year, they're now using a new travel management platform, with headquarters in California, to book employee travel and quickly reconcile expenses. To carry out their services, both suppliers require access to sensitive employee information such as names, dates of birth, email addresses and banking information. 

As the data controller, the accountancy firm is responsible for the sensitive information of all of its employees. In addition to meeting its own data compliance requirements, the firm must ensure that both suppliers comply with the UK-GDPR. In the event of a data breach, if one of these suppliers is found not to have adequate security measures, the accountancy firm could face a significant fine.

It's easy to see how, as the number of suppliers increases, so does the complexity of managing compliance, even for smaller businesses.

So, what does the future hold for supply chain security?

As supply chains continue to grow and become more complex, it's clear that the current approach to their security is no longer fit for purpose. Long and extensive due diligence questionnaires no longer keep up with the constantly changing nature of the modern-day supply chain, and the threat of non-compliance fines requires businesses to take a more proactive approach to effectively monitor their supply chain.

The future of supply chain security lies in real-time risk management and continuous monitoring. This means using technology to monitor suppliers on an ongoing basis rather than just conducting a one-time assessment, giving businesses a much more complete picture of their supplier's security posture and quickly identifying any changes that could represent a risk to their business.

Future supply chain security solutions must also be accessible by all businesses regardless of size. As highlighted by the NHS data breach earlier this year, hackers are now focusing on smaller companies lower in the supply chain to access the vast amounts of sensitive data held by much larger organisations. Supply chain tools and resources must also be made available to SMBs if we are to effectively secure the supply chain as a whole.

Finally, no solution will ever be 100% effective against the constantly evolving cyber threat landscape, making it crucial for all businesses to create an incident response plan for when (not if) a data breach or security incident does occur.  A good incident response plan should include what happens if a supplier suffers a cyberattack or a data breach, including what steps can be taken to minimise the loss of data and which persons and authorities must be notified.

Remember, a data breach is not the first time your incident response plan should be tested. An effective incident response plan should be tested regularly and updated as new threats emerge.

At Naq, we're making it our mission to secure the entire supply chain.

Our platform helps businesses of all sizes manage their cybersecurity threats, data compliance requirements and supplier risk through a single centralised dashboard and without the expense of hiring lawyers or in-house consultants. Book a demo with us to learn how Naq can help your business secure its supply chain, meet data compliance regulations and train your staff to keep your valuable data protected.