UK businesses overlook external providers when developing cyber strategies

Large businesses in the UK could be falling short when it comes to assessing the cyber resilience of external providers within their supply chain network, according to new research.

The poll – commissioned by Citrix and carried out by OnePoll – quizzed 750 IT security decision makers in companies with 250 or more employees across the UK, to uncover the extent to which large UK businesses are prepared for cyber-attacks. The research also considered whether businesses are conducting the necessary due diligence when assessing new suppliers, and whether this affects the effectiveness of cybersecurity practices.


Cyber resilience in the supply chain

When questioned about the onboarding process for new suppliers, only 35% of respondents consider the cybersecurity audit conducted by their organisation to be “very comprehensive”. Additionally, almost one in 10 (9%) state that their organisation simply asks a few questions during the initial pitch process. To add to this, just over a third (35%) of organisations polled said they have insurance to cover their supply chain providers – should they have cybersecurity concerns or a breach.

The research findings also highlight the need for improved communication between organisations and their supply base, with one in five (20%) of those surveyed confirming that they do not communicate with suppliers when testing their cybersecurity recovery process.

Confidence in cybersecurity strategy

Yet, whilst the supply chain could have been overlooked, there appears to be growing confidence within IT security teams in their own organisations. Indeed, the vast majority (93%) of IT security decision makers questioned are confident in the maturity of their own organisation’s “cybersecurity resilience” – indicating they are confident that the business will be able to effectively operate following a cyberattack.

Many respondents also consider their cybersecurity recovery strategy to be either “quite mature” (51%) or “very mature” (42%), with significant confidence that their organisation is fully prepared against a ransomware (57%), phishing (64%) and malware (72%) attack. However, less than half of those surveyed were confident that their organisation is ready to tackle a DDoS (49%) or application layer attack (49%).

The findings also suggest that cybersecurity resilience is becoming more of a priority for the wider business – not just the IT team. A quarter (25%) of respondents stated that this is an issue discussed at boardroom level within their organisation. A further one third (33%) consider this to be an issue discussed at a managerial level.

Despite this growing confidence and awareness, almost half (44%) of the respondents confirmed that their business has experienced a data breach in the last three months that required business recovery. A further one in 10 (11%) have experienced a data breach in the last week.

Cloud complications

However, IT security decision makers are still concerned that a cloud-based IT environment complicates the development of cybersecurity strategy. Three in five respondents stated that a “multi-cloud” (64%) and “hybrid-cloud” (60%) environment add further complication when considering cybersecurity. Furthermore, over two thirds (67%) of respondents cited “public cloud” as the IT environment that adds the greatest complication to the development of cybersecurity strategy.

Chris Mayers, chief security architect, Citrix, said:

“Recent cyberattacks demonstrate that the supply chain can be the weakest link for a significant number of organisations. For example, the NotPetya campaign began with an extremely effective supply chain attack, which had disastrous consequences for Ukraine’s national bank, airport and government department – proceeding to infect machines in a staggering 64 countries.

“It is therefore vital that businesses conduct the necessary due diligence when integrating a new provider into their supply chain. Considering the risk associated with a supply chain attack and conducting a cybersecurity audit of your supply base should not be a box-ticking exercise. Ask yourself this question: has my business ever rejected a supplier on the basis of audit findings? I suspect this number would be significantly lower than the amount that are confident in their supplier due diligence.

“The assessment of cybersecurity procedures should be a vital part of any contractual agreement and organisations will need to ensure that they have insurance to cover their supply base. Without these measures in place, cyber criminals will use suppliers as a stepping stone to gain access to their ultimate target – your business.”
