Collective defence in cyber-security

Dan Bridges at Cyware describes how regulations are shaping supply chains

Sprawling supply chains are an inevitable outcome of today’s highly connected digital economy. From a sole trader or contractor to a large multinational, a supplier ecosystem often comprises all sizes of organisations.

With varying levels of cyber-security, in some cases defences can be woefully inadequate as well as lacking effective incident response and remediation capabilities. And, unfortunately, it only takes just one vulnerability anywhere in the ecosystem, which an attacker can exploit, to breach a system. Then, the bad actor or malware can daisy-chain rapidly from that system into the other corporate networks linked to it, causing widespread havoc. 

Yet, despite these evident dangers, UK organisations remain surprisingly complacent about the security arrangements of their suppliers. Very few impose mandatory standards, according to the government’s 2023 Security Breaches Survey. Only around a quarter of medium businesses (27%) and just over half of large entities (55%) review the cyber-security risks posed by their immediate suppliers. 

What’s more, it’s rarer still for organisations to consider the potential ramifications from their extended supply chain - including fourth parties and beyond - leaving many UK companies wide open to attack.

The relevance of DORA

The EU, however, is already taking an unequivocal stance on supply chain risks, particularly in the areas of finance and critical infrastructure. Its Digital Operational Resilience Act (DORA) details how the financial sector must take responsibility for operational resilience, protecting against cyber-threats and ensuring continuity of critical services. It emphasises the need to manage cyber-security risks associated with third-party service providers, requiring organisations to assess, monitor and review the security practices of their vendors. 

DORA leaves no room for doubt about the punishments for non-compliance, perhaps paving the way for stricter legislation across more industries. It makes clear that if a financial institution experiences a cyber-security breach as a consequence of failing to follow security best practices, significant penalties will be inflicted. These won’t be limited to the organisation itself, as senior executives could face repercussions personally, including criminal charges.

How regulations can help shape strategies

Importantly, regulations like DORA can serve as resources to help any organisation shape its supply chain strategies and inform associated security policies. Another useful example, the Network and Information Systems Directive 2 (NIS2) focuses on the resilience aspect of critical infrastructure, aiming to strengthen the cyber-security programs of operators of essential services. Then there’s GDPR, which continues to set the bar for the security, privacy and integrity of personal data and the rights of data subjects.

There are also independent bodies focusing on specific areas, such as the Payment Card Industry Data Security Standard (PCI DSS 4.0), which lays out security requirements for handling payment card data to protect cardholder information and prevent fraud.

These security and compliance regulations and standards have the common goal of instilling cyber-security best practices across industries and geographies. They support a growing trend towards collective responsibility, vital to improving the security of extensive supply chains where organisations may operate as both customers and suppliers. 

By championing a collective approach to defence, all organisations could benefit from improved early threat detection, enabling better coordinated incident response and mitigation. Sharing resources and best practices would be especially helpful to smaller entities that may have less IT expertise and restricted budgets. 

Building collective defences

However, there are several prerequisites to observe before embarking on a collective defence strategy. It requires clear policies, laid out within a legal framework, to protect confidential data and the interests of participating organisations. Also, trust between parties is key to getting buy-in from stakeholders and is vital for success.  

Next steps include reviewing existing defence mechanisms and identifying gaps. Necessarily, solutions must be compatible with current IT environments and security tools wherever possible. Plus, it’s important to update and standardise security protocols, upgrade applications to latest versions, and deploy relevant APIs to ensure integration is as seamless as feasible.

The collaborative process of sharing expertise, tasks and responsibilities can also help to foster longer term and sustainable partnerships. Security teams can bring to the table their specialist knowledge of other solutions, such as automation tools for SOAR (Security Orchestration, Automation, and Response). These types of automation platforms can streamline security operations, reduce alert fatigue, and accelerate threat containment.

Additionally, cooperation encourages learning and creates a community of like-minded professionals who can pool efforts and offer valuable support to each other when combatting new threats. 

Regular reviews and security testing are vital components of a collective strategy to keep pace with the ever-changing cyber-security landscape. With attack techniques constantly evolving, adaptability remains crucial for optimising defences.

Protecting the most susceptible

Investing in supply chain security and compliance is essential to maintain business continuity. Taking guidance from regulations, like DORA and NIS2, can help standardise supply chain strategies, creating the foundations for a collective approach to defence. This will help ensure a more resilient ecosystem for all those participating. But it needn’t stop there. 

Organisations can build their own supplier information sharing networks using ready-made automation platforms, to protect not only their own operations but also extended supply chains. Active engagement in such initiatives could revolutionise threat intelligence dissemination, bringing about real-time security collaboration across industry sectors and geographies.

Early warning of imminent dangers could empower even the smallest entities in the sharing network to shield themselves from serious threats - and in so doing, protect all other participants. As, after all, an enterprise’s defences are only ever as good as its most susceptible supplier. 

Dan Bridges is Technical Director - International at Cyware

Main image courtesy of iStockPhoto.com and serts