News out today that the chief of the UK’s communications intelligence agency GCHQ claims the country is subject to a “disturbing” number of cyber-attacks may come as a shock to many people.
But the truth of the matter is that corporate and international espionage is rife, with foreign nations, corporations and organised crime syndicates looking to infiltrate the corporate networks and access data, systems and information of the UK’s leading companies.
The reason for that is quite simple: they want access to corporate secrets, designs and business plans. They want to compromise the security of our companies for their own profit, to gain competitive or financial advantage.
The problem encountered by these attackers is that most large organisations implement measures to prevent such attacks. They spend lots of money on technical infrastructure designed to counter attempts to access internal systems, they implement information security policies and processes which reduce the risks associated with a security breach, and sometimes they even implement programmes to educate their staff on how to protect sensitive information.
They have the financial ability, the know-how and the skills to do this.
But that isn’t true for many of their supply chain companies.
Supply chain businesses – those that provide design, manufacturing and other services to larger corporations – are coming under increasing attack. That’s because they don’t have the resources and understanding that their larger clients have, and the attackers know this.
The fact is that many supply chain businesses still deal with the same sensitive information on behalf of their larger clients. This in itself makes them an inviting target, and their reduced levels of security, awareness and capability also make them an easier target to penetrate.
So what should such businesses do to improve security?
There are a number of steps any sensible business can take to improve security:
1. Engender a “Culture of Security” – take a top-down view with full management buy-in, showing your commitment to security and encouraging it at every level of the business;
2. Implement Policies – security policies formalise your approach to security, making your requirements clear to all staff;
3. Employ appropriate technologies – make sure you make use of the appropriate technologies for your organisation. This doesn’t have to be expensive but it can drastically reduce your risks;
4. Educate your staff – employees are your first and last line of defence, as well as often the weakest link. Educate them to protect your business interests and safeguard their own information;
5. Test your security – without testing you have no idea if your controls are working. In the context of the current topic you should at least test your internet-facing infrastructure, but it is also worth implementing a programme of spot-checks to ensure your staff are maintaining security and understand their roles and responsibilities.
Analysis undertaken on behalf of the Information Commissioner’s Office in 2010 revealed that when it comes to information security, SMEs are the “soft underbelly” of the UK economy and critical national infrastructure.