Large businesses 'overlook' supplier cybersecurity risks

IT professionals question due diligence process when onboarding new suppliers

Large businesses in the UK may be overlooking vulnerabilities in their supply chain when devising their cybersecurity strategies, new research suggests.

Despite being confident in their own organisations' protections, IT security professionals are concerned that the due diligence security audits performed when taking on suppliers are insufficient, with only 35% of those questioned considering these audits to be 'very comprehensive'.

Moreover, almost one in 10 of the 750 respondents told Citrix that these checks amount to simply asking a few questions during the initial pitch, with a fifth, 20%, confirming they do not communicate with suppliers when testing their cybersecurity recovery process.

"Recent cyber attacks demonstrate that the supply chain can be the weakest link for a significant number of organisations," said Citrix's chief security architect, Chris Mayers.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"For example, the 'NotPetya' campaign began with an extremely effective supply chain attack, which had disastrous consequences for Ukraine's national bank, airport and government department - proceeding to infect machines in a staggering 64 countries.

"It is therefore vital that businesses conduct the necessary due diligence when integrating a new provider into their supply chain," Mayers added.

Despite sharing concerns around their supply chains, the vast majority of those questioned were convinced in the maturity of their own organisations' cybersecurity resilience, with 93% expressing confidence that their businesses would be able to operate effectively following an attack.

More than half of respondents felt more confident their organisation was sufficiently prepared against ransomware, and nearly two-thirds said the same about phishing, 64%, and 72% about malware, but just 49% felt the same about a distributed denial of service (DDoS) or application layer attack.

However, almost half confirmed their businesses had suffered a data breach in the last three months, with 11% admitting they'd experienced one in the last week.

"Considering the risk associated with a supply chain attack, conducting a cybersecurity audit of your supply base should not be a box-ticking exercise," Mayers continued.

Advertisement - Article continues below

"Ask yourself this question: has my business ever rejected a supplier on the basis of audit findings? I suspect this number would be significantly lower than the amount that are confident in their supplier due diligence.

"The assessment of cybersecurity procedures should be a vital part of any contractual agreement and organisations will need to ensure that they have insurance to cover their supply base. Without these measures in place, cyber criminals will use suppliers as a stepping stone to gain access to their ultimate target - your business."

Channel partners themselves should ensure they can withstand the scrutiny of tougher security audits from clients, with the risk of fines under GDPR a particularly strong reason for firms to ensure their partners' security is in good shape.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/government-it-strategy/28305/ir35-news
Policy & legislation

Government announces review of IR35 off-payroll changes

8 Jan 2020
Visit/strategy/28223/cio-job-description-what-does-a-cio-do
Business strategy

CIO job description: What does a CIO do?

7 Jan 2020
Visit/security/29204/how-can-you-protect-your-business-from-crypto-ransomware
Security

How can you protect your business from crypto-ransomware?

4 Nov 2019
Visit/wifi-hotspots/31488/how-to-boost-your-business-wi-fi
wifi & hotspots

How to boost your business Wi-Fi

22 Oct 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/hardware/laptops/354533/dell-xps-13-new-9300-hands-on-review-chasing-perfection
Laptops

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020