
Supply-chain security

A supply chain is only as secure as its weakest link. The digital transformation of the global supply chain over the past decade has let businesses work far more closely together, and integrating data and sharing information with suppliers brings real benefits in efficiency and cost.

However, every supplier you connect to can introduce vulnerabilities into your network. Industry figures frequently put the share of data breaches that originate somewhere in the supply chain at around 80%. Smaller organisations are often targeted precisely because they can be used as a route into the larger corporate infrastructures they serve. Two recent examples of this approach by cyber criminals are:

  • Equifax – the US credit rating company Equifax suffered a breach that exposed the personal details of around 147 million people. The attackers got in through an unpatched vulnerability in a third-party web application framework (Apache Struts) that Equifax's systems depended on: a weakness introduced via the software supply chain.
  • Debenhams – the retailer suffered a breach in which the details of over 20,000 customers were taken. The attack originated in its supply chain, via the third-party supplier that ran its online florist service.

How to identify and address the supply chain security risks:

From global conglomerates to SMEs, we all need to address the cyber-security risks inherent in our supply chains. Those risks come from several directions: data can be damaged accidentally, accessed by cyber-criminals who have compromised a supplier, or misused by a supplier's (or your own) employees acting as insider threats.

As a first step, audit your suppliers and establish who has access to which levels of your corporate data. Then categorise the suppliers, so that you can decide how best to manage the risk each category brings.

The risk from a supplier who provides services on-site differs from the risk from one who provides ICT services and can reach your company data over the network, so treat them differently. Also consider your rules on subcontracting, consultants and partners, since each of these widens the circle of people who can reach your data. Once you have established who has access to which categories of data, you can decide how to manage the risk and put monitoring and periodic re-evaluation in place.
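The supplier audit above is easier to keep honest if the register is something you can run checks over rather than a spreadsheet you read once. The script below is an added example, not code from the original article: it holds a constructed supplier register, tiers each supplier by the most sensitive data category it can reach and whether it has remote access, and flags the gaps a reviewer would want to see (no recognised certification for a high-tier supplier, subcontracting combined with remote access to sensitive data, and overdue reviews). The data categories, tier rules and review intervals are assumptions for illustration and should be replaced by your own policy.

```python
"""Supplier access register audit (added example; register and rules are constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# Assumed sensitivity ranking of the data categories used in the register.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "personal": 3}
# Certifications this policy treats as a recognised cyber-security standard.
RECOGNISED_CERTS = frozenset({"Cyber Essentials", "Cyber Essentials Plus", "ISO 27001"})
# Assumed maximum age of the last supplier review, in days, per risk tier.
REVIEW_INTERVAL_DAYS = {1: 365, 2: 730}


@dataclass(frozen=True)
class Supplier:
    name: str
    service: str                       # "on-site", "ict", "consultant", "partner"
    data_access: FrozenSet[str] = frozenset()   # categories the supplier can reach
    remote_access: bool = False        # can reach our systems over the network
    certifications: FrozenSet[str] = frozenset()
    subcontracts: bool = False         # passes any of the work to third parties
    last_review: Optional[date] = None # date of the last risk review, None if never


def highest_sensitivity(s: Supplier) -> int:
    """Rank of the most sensitive category the supplier can reach (-1 if none)."""
    unknown = s.data_access - SENSITIVITY.keys()
    if unknown:  # refuse to tier a supplier whose register entry uses undefined categories
        raise ValueError(f"{s.name}: unknown data categories {sorted(unknown)}")
    return max((SENSITIVITY[c] for c in s.data_access), default=-1)


def tier(s: Supplier) -> int:
    """Tier 1 is highest risk: remote access to confidential or personal data."""
    level = highest_sensitivity(s)
    sensitive = level >= SENSITIVITY["confidential"]
    if sensitive and s.remote_access:
        return 1
    if sensitive or s.remote_access:
        return 2
    return 3 if level >= 0 else 4


def findings(s: Supplier, today: date) -> List[str]:
    """Policy gaps for one supplier under the assumed rules above."""
    t = tier(s)
    out = []
    if t <= 2 and not (s.certifications & RECOGNISED_CERTS):
        out.append("no recognised cyber-security certification")
    if t == 1 and s.subcontracts:
        out.append("subcontracts while holding remote access to sensitive data")
    max_age = REVIEW_INTERVAL_DAYS.get(t)
    if max_age is not None:
        if s.last_review is None:
            out.append("never reviewed")
        elif (today - s.last_review).days > max_age:
            out.append(f"last review older than {max_age} days")
    return out


def audit(register: List[Supplier], today: date) -> Dict[str, dict]:
    """Tier and findings for every supplier, highest-risk first."""
    return {s.name: {"tier": tier(s), "findings": findings(s, today)}
            for s in sorted(register, key=tier)}


# Constructed register: three suppliers of the kinds the text distinguishes.
REGISTER = [
    Supplier("Office cleaning Ltd", "on-site", frozenset({"internal"})),
    Supplier("Managed IT provider", "ict", frozenset({"confidential", "personal"}),
             remote_access=True, certifications=frozenset({"Cyber Essentials Plus"}),
             last_review=date(2019, 1, 10)),
    Supplier("Online florist platform", "ict", frozenset({"personal"}),
             remote_access=True, subcontracts=True),
]
TODAY = date(2019, 9, 1)  # constructed audit date

if __name__ == "__main__":
    for name, result in audit(REGISTER, TODAY).items():
        print(f"tier {result['tier']}: {name}: {result['findings'] or 'no findings'}")
```

Run on the constructed register, the florist platform lands in tier 1 with three findings and the managed IT provider in tier 1 with none, which is the shape of output you want from a supplier review: the same access profile can be acceptable or not depending on the controls around it.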

Cyber-security certification options:

One way to check whether a supplier takes cyber security seriously is to ask whether it holds a cyber-security certification. IT systems can be secure without certification, but a certification is a useful indicator that cyber security has been given the attention it needs.

There is also increasing demand, within the tendering process, for suppliers to be certified to a recognised cyber-security standard. The two most common certification routes are:

  • Cyber Essentials – the UK Government's Cyber Essentials scheme is designed to protect an organisation against the most common, basic attacks; it covers five technical control areas: boundary firewalls, secure configuration, user access control, malware protection and patch management. The Cyber Essentials website offers a search tool which lets you check which of your suppliers hold the certification.
  • ISO 27001 – the internationally recognised standard ISO 27001 sets out best practice for a robust Information Security Management System. Certification requires an ongoing commitment to external audits and continual improvement to demonstrate that standards are being maintained. There is no central database of ISO 27001 certificates, however, so you need to ask each supplier for sight of its certificate.

Our technical consultants have a strong understanding of both schemes, and we are accredited ACE Practitioners of the Cyber Essentials scheme. We are happy to help you work out which of the available certifications best suits your business needs. Contact us if you would like to speak to one of our friendly consultants.

RedMosquito provides IT support to SMEs across Glasgow, Edinburgh and throughout Scotland.
