AJ Thompson is CCO at Northdoor plc
21 July 2020
The risks associated with not securing your business’s third-party supply chain have once again been thrown into the forefront, with the news that the UK government is looking to remove all Huawei equipment from the country’s 5G telecoms infrastructure by 2025 due to security concerns.
Huawei’s technology occupies every step of the network from your laptop through to the data centre that holds your content, and it is the technology closest to the data centre that has been raising concerns.
Earlier this year officials in the UK granted the company restricted access to build “non-core” infrastructure within Britain’s 5G network. However, in May the National Cyber Security Centre (NCSC) was forced to reverse this decision when the US imposed sanctions which would prevent computer chips based on American designs from being used in any of its equipment.
These deeply damaging measures threaten to cut off Huawei’s supply of semiconductors used across its product lines, from radio base stations to servers and smartphones, which could lead to the company beginning to use “untrusted” replacement technologies. While a breach has not yet taken place, the risks involved in the potential use of untrusted technology are too great.
The story has once again raised the issue of third-party risk and the importance of securing your entire supply chain. It’s no longer enough to simply ensure that your organisation’s systems are secure. Risk management programmes need to look beyond the perimeter of your organisation to properly vet the third- and fourth-party vendors who will have access to your data and infrastructure without being subject to your internal risk management process.
Traditional cyber security isn’t enough. More often than not, organisations are simply reacting to issues as they arise. This may work in the short term, but because cyber risk changes in real time, mitigating risks only as they arise can leave organisations open to dangerous levels of exposure that only ongoing monitoring can fix. Proactivity is the key here: simply sitting behind your defences and hoping for the best is no longer an acceptable, nor an effective, method of defence.
A fully developed approach to cyber risk means making resilience a reality in order to tackle third-party behaviour. Due diligence is key, alongside enforcement of security practices and ongoing monitoring of vendors as part of a robust risk management programme.
Technology is also crucial to addressing the problem of third-party risk. An automated and centralised risk management solution enables organisations to automate supplier risk assessments and to ensure that their suppliers and third-party partners are adopting and maintaining a strong security posture.
Clear, real-time dashboards enable organisations to monitor their exposure to risk over time. This capability is particularly valuable when your suppliers’ business continuity plans are put to the test, for example when large numbers of employees suddenly switch from working on desktop machines in an office to laptops and mobile devices from their homes.
Taking an external, non-intrusive snapshot of your IT environment is crucial to ensuring that your business remains secure. A software solution that does not need to be installed in your network is both cost-effective and efficient, especially now with social distancing in place, and allows organisations to produce a risk report in a matter of hours, highlighting any areas of weakness in your cyber security status.
In these extraordinary times, assessing your organisation’s potential for cyber risk within a matter of hours is critical for allowing you to identify risks and take immediate action, potentially saving your business, reputation and bottom line.