The UK government has launched a consultation on how different organisations manage supply chain cyber risk. It aims to understand the potential barriers that could prevent effective supplier risk management.
“We know that relatively small proportions of organisations are effectively managing cyber security risks posed by their suppliers,” it said in its consultation document. “Supply chain risk management is an aspect of cyber security that organisations find particularly challenging.”
The government’s Cyber security breaches survey 2021 found that just 12 per cent of businesses had reviewed the cyber security risks posed by their suppliers, and only 5 per cent had done so for their wider supply chain networks.
It said that there were five main barriers that generally prevent businesses from getting a grip on the issue.
First, businesses are often unclear about how the cyber security of their suppliers is linked to their own security. That has led enterprises to put the issue low on the list in procurement processes. Some are ignoring it altogether.
Second, too many organisations have limited visibility into their supply chains. It can be difficult to get suppliers to share information. “Supplier resistance can be an obstacle for organisations, particularly when there is a lack of information availability on the part of suppliers, and a reliance on supplier attestation,” the government said. Businesses also face significant challenges with multi-tiered supply chains, geolocation of resources, and digital complexity.
Third, organisations often do not have the skills to evaluate supplier cyber risk. As a result, they can fail to ask the right questions of their suppliers. Or they do not understand what good assurance should look like.
Fourth, businesses lack the right tools. Too often this leads to an over-dependence on cyber security standards. “There are many standards on the market, with no overarching framework or outline for how organisations should use these standards to address their supplier risk,” the consultation said. “Different clients use multiple standards often preventing convenient, effective and assured supplier risk management.”
Finally, when the supplier is larger than the procuring organisation, they may feel unable to ask for the assurance they need.
As we reported recently, the number of businesses experiencing ten or more supply chain disruptions rose from 4.8 per cent to 27.8 per cent during 2020.
While the pandemic has led to a renewed focus on supply chain issues, more needs to be done, particularly around supply chain cyber risk.
The Summer 2021 issue of Enterprise Risk will feature a special issue on supply chain risk. Find out about IRM’s Supply Chain Risk Management Certificate here.