It’s easy to look at the 2018 British Airways website hack, and the resultant c. 5% fall in the share price of IAG (BA’s parent company), with a certain sense of detachment. It’s a strange phenomenon that this type of headline is at least a monthly occurrence, yet companies still often adopt a “minimum effort + fingers crossed” approach to cyber security, particularly across their supply chain. At their worst, cyber-attacks can present an existential threat to businesses and should be treated accordingly. After all, you wouldn’t leave your business premises unlocked overnight and keep your fingers crossed. What makes things more complicated, and more tempting for observers to bury their heads in the sand, is that the breach in the BA website case likely originated with a third-party supplier providing elements of the web commerce facility, not BA itself.
With malicious code available to virtually anyone who is interested, often via the dark web, the hacking of corporate systems is becoming ubiquitous. We should all face up to the reality that an intentional breach of our IT systems is inevitable. This pragmatic approach to the issue may, on the surface, seem pessimistic, and in some cases it does take a brave manager to pursue it. The costs of preparing for an incident which has not yet happened can be labelled as nugatory spend by those with too narrow a view of the bottom line. However, the actions that mitigate this risk, including planning and exercising for a breach, will serve to minimise the impact (and therefore the costs) when it does happen.
Just spend some time and think about the data you pass to your customers, suppliers and beyond. As a minimum these organisations will store data about you including your company bank details, address, VAT number and the values of your orders. This is already information that would be useful to some hackers wishing to expand their knowledge of the pattern of activity of your company, particularly those with criminal intent. Couple this with your company email addresses, website address, passwords to your portal, intellectual property/designs and management information relating to your engagement and you are (or you should be) starting to look and feel quite vulnerable.
Every time you reach outside the inbuilt protections of your own company you are opening yourself up to additional risk. The key is understanding these risks and putting sufficient mitigations in place to manage the aggregate risk down to acceptable levels. Mitigation approaches can be technical in nature (encryption, secure cloud etc.) but are equally likely to involve process and procedural aspects. It’s important to note that the highest risks to an organisation’s security include insider threat and procedural malpractice. The agreement and policing of understandable and achievable terms in contracts with your supply chain partners should underpin these approaches and mandate proliferation of good practices down the supply chain.
Documenting the minimum standards that you expect of your customers and suppliers is crucial, and these standards can be made essential to your agreement (i.e. the remedy for a breach becomes potential termination) through the use of a number of contractual instruments. Supporting this by undertaking regular status reviews is essential. A review of an organisation’s cyber health is really only as good as the day on which it is conducted, so reviews should be regular and comprehensive. The cost of these measures could potentially be borne by the supplier as “cost of sales” and, to keep costs down, your policy may allow for the organisation to routinely self-certify, with occasional audits by you or your authorised agents.
It stands to reason that companies following such a robust approach to cyber security, as well as gaining the confidence to conduct their business digitally and being in a much better and safer position to do so in the 21st century, should also receive the more peripheral benefits, including lower insurance premiums, higher consumer confidence in engaging through e-commerce and compliance with some potentially quite punitive legislation.
Cyber security protects the foundations of your business. Extending this critical business function out to your supply chain is a no-brainer.