Supply chain security has become an increasingly critical concern for businesses and governments alike. In today’s interconnected digital economy, supply chains are becoming ever more extended and complex. As a consequence, they’ve become top targets for disruptive cyber-attacks that have far-reaching consequences for businesses and for the security of national infrastructure and services.
Despite the growing number of cyber criminals looking to exploit supply chain vulnerabilities in order to target multiple systems and networks in ‘one hit’, the UK government’s 2024 Cyber Security Breaches Survey found that only about one in 10 UK businesses assessed the cyber risk posed by their immediate suppliers. In fact, even fewer considered the potential ramifications of extended supply chains which feature critical third and fourth-party providers.
In response, new regulations and frameworks have come into force that are prompting organisations to rethink their supply chain cyber security defences and adopt appropriate technical and operational practices that will boost the resilience of their supply chains.
While ensuring compliance with regulatory requirements is a top priority for businesses, these regulatory frameworks offer organisations best practice blueprints that make it possible to reshape supply chain security strategies with resilience in mind.
In the EU, the revised Network and Information Systems Directive (NIS2) has significantly extended the list of sectors that are obliged to adopt technical standards and measures to boost the resilience of critical infrastructure and ensure supply chain security. Similarly, international standards such as ISO 27001 are now focusing on improving the management of supplier and third party security controls with a view to maximising supply chain resilience and preventing potential exploits from spreading.
For organisations in the financial services sector, the EU’s new Digital Operational Resilience Act (DORA) will require financial institutions and their ICT third-party suppliers to monitor and proactively manage risk. Coming into force in January 2025, DORA details the steps that financial institutions must take to prevent, detect, respond to and recover from cyberattacks and IT disruptions. When it comes to improving third-party risk management, the Act emphasises the importance of managing cybersecurity risks associated with third-party service providers and requires financial organisations to assess and monitor their vendors’ security practices.
Other key regulations and standards to keep in mind include the Payment Card Industry Data Security Standard (PCI DSS 4.0), which sets out security measures for organisations that handle payment card data. Meanwhile, GDPR outlines detailed requirements on third-party risk and incident response as they relate to the security and integrity of data and the rights of data subjects.
Created with a common goal, all these regulations set out to instil cybersecurity best practices across industries and geographies. More importantly, they also uniformly highlight the growing importance of collective responsibility where supply chain security is concerned.
In recent years the concept of collective defence has emerged as a highly effective way to elevate supply chain security and several industry and government-led initiatives are now in place to support and promote this approach. For instance, the EU Cyber Solidarity Act aims to strengthen cooperation and cyber preparedness among EU member states by encouraging information sharing, joint exercises and capacity building programmes.
Founded on a number of key pillars designed to bolster the collective cybersecurity posture, the collective defence model encourages all supply chain stakeholders to share threat intelligence and best practices and resources that together will improve the overall resilience of the ecosystem in a cost-efficient way.
By embracing a collective defence approach, organisations can share threat information and indicators of compromise or attack in near real time. Doing so not only improves the situational awareness that enables earlier threat detection; it also allows participants to engage in highly coordinated and cooperative incident response and mitigation efforts.
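As an added illustration of the detection side of that paragraph (this is example code, not from the article or any vendor platform), the block below takes a small indicator feed of the kind a sharing network might distribute, matches it against local proxy, DNS and endpoint log lines, groups the matches by local asset so that one host touching several shared indicators stands out, and builds a minimal "sighting" record to send back to the network without exporting internal asset details. The feed format, the log line format, the field names and every value in them are constructed for the example; the IP addresses are documentation ranges and the hash is a placeholder.

```python
"""
Added example (not from the article): match a shared indicator feed against
local logs, correlate hits per asset, and produce a sighting to share back.
All feed entries, log lines and field names are constructed for this demo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed indicator feed, shaped like what a supplier or sector sharing
# network might publish. Documentation addresses; the hash is a placeholder.
PLACEHOLDER_SHA256 = "0123456789abcdef" * 4
SHARED_INDICATORS = [
    {"type": "ipv4", "value": "203.0.113.45", "source": "supplier-A-csirt", "confidence": 80},
    {"type": "domain", "value": "update-check.example.net", "source": "sector-isac", "confidence": 65},
    {"type": "sha256", "value": PLACEHOLDER_SHA256, "source": "supplier-B-soc", "confidence": 90},
]

# Constructed local log lines in a simple key=value style (proxy, DNS, EDR).
LOCAL_LOGS = [
    "2024-09-12T08:01:10Z proxy src=10.0.4.21 dst=203.0.113.45 method=GET uri=/update.bin",
    "2024-09-12T08:01:12Z dns client=10.0.4.21 query=update-check.example.net rcode=NOERROR",
    "2024-09-12T08:02:00Z proxy src=10.0.5.9 dst=198.51.100.7 method=GET uri=/index.html",
    "2024-09-12T08:03:31Z edr host=ws-0421 file=C:\\Temp\\update.bin sha256=" + PLACEHOLDER_SHA256,
]

KV = re.compile(r"(\w+)=(\S+)")  # hypothetical log format: space-separated key=value pairs


@dataclass
class Hit:
    indicator: dict
    line: str
    timestamp: str
    local_asset: str | None


def _index(indicators: list[dict]) -> dict[str, dict[str, dict]]:
    """Index indicators by type, then by lower-cased value, for O(1) lookups."""
    by_type: dict[str, dict[str, dict]] = {}
    for ind in indicators:
        by_type.setdefault(ind["type"], {})[ind["value"].lower()] = ind
    return by_type


def match_indicators(log_lines: list[str], indicators: list[dict], min_confidence: int = 50) -> list[Hit]:
    """Return a Hit for every log field whose value matches a shared indicator.

    IPv4 and SHA-256 indicators match exactly; a domain indicator also
    covers its subdomains. Indicators below min_confidence are ignored so a
    low-confidence feed entry does not page anyone on its own.
    """
    idx = _index(indicators)
    hits: list[Hit] = []
    for line in log_lines:
        fields = dict(KV.findall(line))
        timestamp = line.split(" ", 1)[0]
        # Whichever field names the local asset in this log source.
        asset = fields.get("src") or fields.get("client") or fields.get("host")
        for raw in fields.values():
            val = raw.lower().rstrip(".")
            found = idx.get("ipv4", {}).get(val) or idx.get("sha256", {}).get(val)
            if found is None:
                for dom, ind in idx.get("domain", {}).items():
                    if val == dom or val.endswith("." + dom):
                        found = ind
                        break
            if found is not None and found["confidence"] >= min_confidence:
                hits.append(Hit(found, line, timestamp, asset))
    return hits


def correlate_by_asset(hits: list[Hit]) -> dict[str | None, list[str]]:
    """Group matched indicator values by local asset: one host hitting several
    shared indicators is a much stronger signal than a single match."""
    by_asset: dict[str | None, list[str]] = {}
    for h in hits:
        by_asset.setdefault(h.local_asset, []).append(h.indicator["value"])
    return by_asset


def build_sighting(hit: Hit, reporting_org: str = "org-placeholder") -> dict:
    """Minimal record to share back to the network. Only the indicator and
    when it was seen are exported; internal asset names and raw logs stay local."""
    return {
        "indicator_type": hit.indicator["type"],
        "indicator_value": hit.indicator["value"],
        "originally_from": hit.indicator["source"],
        "seen_by": reporting_org,
        "first_seen": hit.timestamp,
    }


if __name__ == "__main__":
    found_hits = match_indicators(LOCAL_LOGS, SHARED_INDICATORS)
    for asset, values in correlate_by_asset(found_hits).items():
        print(f"{asset}: {len(values)} shared indicator(s) -> {values}")
    print(build_sighting(found_hits[0]))
```

Raising `min_confidence` to 70 drops the single domain match from the constructed feed, which is the usual way to keep a low-confidence shared indicator from generating alerts on its own while still letting it count when it co-occurs with higher-confidence hits on the same asset.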
There are several best practices to consider before embarking on a collective defence strategy. Firstly, clear policies, legal frameworks and technical measures will need to be implemented to protect the sensitive data and interests of all participating organisations. For this to happen, it goes without saying that establishing trust between all parties will be vital to success.
Next, collective defence mechanisms will need to be reviewed to eliminate any gaps and ensure these are interoperable and compatible with existing cybersecurity tools and processes. Standardising and updating security protocols and deploying APIs will help to ensure seamless integration between stakeholders.
To foster the collaborative sharing of expertise, tasks and responsibilities, security teams can leverage the automation capabilities of SOAR (Security Orchestration, Automation and Response) platforms to streamline security operations and accelerate threat containment efforts. To maintain effectiveness, regular reviews and security testing will be vital for ensuring defences are always appropriately optimised. Equally critical, pooling know-how on how attack techniques are evolving will ensure all collective defence participants are prepared to combat new threats and vulnerabilities as these emerge.
By taking guidance from regulations like DORA and NIS2, organisations can standardise their supply chain security strategies and lay the foundations for a collective defence approach that enables a more resilient ecosystem for all. But that’s not all.
Organisations that enable their own supplier information sharing networks, using ready-made automation platforms, will be able to revolutionise how they disseminate threat intelligence and boost real-time security collaboration across geographies. This is a capability that will both protect their own operations and boost the wider integrity of the extended supply chain.
Ultimately, an enterprise’s defences are only as good as its most susceptible supplier. By actively engaging in industry-wide collaboration initiatives, organisations will be able to ensure that even the smallest entities in the sharing network can protect themselves, and by implication all other participants in the broader ecosystem, from serious threats and cyber risks.