Fortifying Your Supply Chain: Navigating the New Era of Cybersecurity Threats and Regulations
Fri 17 Nov 2023
No industries have been spared from supply chain attacks and cybersecurity weaknesses in recent years. According to Gartner, almost half (45%) of organisations are expected to have experienced an attack on their software supply chain by 2025, illustrating the widespread impact of cyber attacks.
There is no shortage of regulations and government initiatives that seek to boost the cybersecurity of supply chains. Yet, companies will need to ensure that their supply chain security strategy not only includes recommendations set out by regulatory bodies, but also tracks nascent threats.
The Impact of the NIS2 Directive on European Businesses
On the European level, standards set out by the Network and Information Security (NIS) Directive are some of the most relevant and important factors for businesses to assess.
Set to come into effect on October 2024, NIS2 is an all-encompassing directive that covers everything from incident management, training, reporting obligations and business continuity issues.
In practice, a large majority of businesses impacted by the Directive will need to strengthen their cybersecurity measures and undertake a comprehensive risk analyses, potentially necessitating the hiring of more skilled IT staff to meet these requirements.
New responsibilities are listed in this directive, including three mechanisms that all companies covered by these obligations need to address.
A coordinated risk assessment to assess supply chain risk on a European level is the first procedure, followed by a national risk assessment that each member state may use to extend the scope of the Directive. Finally, an internal risk assessment is focused on essential organisations having the right approach to supply chain security.
Falling foul of this Directive has major costs for companies, depending on their size. For example, large organisations in very critical sectors who fail to meet the reporting and duty of care requirements face a maximum fine of €10,000,000 or a minimum fine of 2% of global annual revenue.
The UK’s Approach to Supply Chain Security
The administrative burden of dealing with complex regulations can be significant for larger companies. In the UK, several important regulations have been introduced around supply chain security, alongside new guidelines.
Last year, the National Cyber Security Centre released new guidelines for businesses to ensure their supply chains are cyber secure. The first step is to understand the current threat assessment and make sure that any new cybersecurity processes are implemented as soon as possible, starting with new suppliers.
In May 2021, the UK Government called for views on supply chain cybersecurity and in January 2022 launched a consultation on proposals on legislation in this area. Now the consultation has finished, it is expected that new regulations will be implemented in 2024.
At the end of the consultation, Julia Lopez, Minister for Media, Data and Digital Infrastructure, reaffirmed the Government’s commitment to ensuring supply chains are secure.
“Today we are taking the next steps in our mission to help firms strengthen their cybersecurity and encouraging firms across the UK to follow the advice and guidance from the National Cyber Security Centre to secure their businesses’ digital footprint and protect their sensitive data,” she said.
While the exact regulation is unknown, the Government offered seven proposals in two pillars, one set focusing on digital service providers (DSP) and the second on how to update current cybersecurity supply chain regulations.
Of the proposals, many businesses will be most impacted by expectation for current reporting duties to be expanded to include events that do not disrupt service but may pose a significant risk, as well as the proposal to expand recovery costs.
Balancing Cybersecurity with Regulatory Compliance
In the past, physical supply chain security was the foremost concern, however, it has become increasingly clear that cyber threats, in all their forms, represent the predominant threat to companies.
Even well-intentioned policies can have negative impacts on supply chain security. The UK Online Safety Act has faced scrutiny from critics who say it forces firms to introduce a back door for Government agencies into end-to-end encryption schemes, with the appropriate authorisation.
For Gareth Williams, Chief Product & Technology Officer at Efficio, a global procurement and supply chain consultancy, there are risks to meeting this requirement of the UK Online Safety Bill
“Almost all mathematicians, scientists and engineers who understand how Internet-based encryption works say it is impossible to put in a back door that preserves full security, whilst also allowing some authorised bodies to access the messages,” he says.
Due to this backdoor requirement, a number of high profile firms, including Meta and Signal, have threatened to leave the UK if the Bill becomes law. There is also the potential for this backdoor to be exploited by cybercriminals and wreak havoc on digital service firms.
“The implications for supply chains are that, if cyber bills such as this do come into force across the world, and end-to-end encryption is weakened, supply chain security, especially for high-value, strategic IP-based goods such as semiconductors, will increase risk,” added Williams.
Adapting to Evolving Cybersecurity Challenges in Supply Chain Management
Businesses face an increasingly complex challenge in securing their supply chains against cyber threats.
With the introduction of stringent directives like NIS2 in Europe and new regulations in the UK, companies must navigate a landscape of heightened security requirements and potential penalties for non-compliance.
The challenge is further complicated by the need to balance enhanced security measures with the maintenance of encryption integrity, as seen in the debate over the UK’s Online Safety Act.
Going forward, success in supply chain cybersecurity will depend on an organisation’s ability to adapt to these evolving regulations and threats, ensuring robust protection in a rapidly changing digital environment.
– – – – – –
Your Voice Matters
If you have insights, opinions, or expertise related to any aspect of the technology sector that you would like to share, we want to hear from you. Please contact our Editor, Stuart Crowley, at [email protected] to contribute to the ongoing dialogue in the tech community.
Hungry for more tech news?
Sign up for your weekly tech briefings!