UK businesses generally feel confident that they are on top of their cyber security. However, supply chain attacks remain a blind spot in their programmes, according to RSM’s most recent cyber security report.
Awareness of the risks around cyber security is at its most elevated after a series of high-profile attacks have helped build an appreciation of the risks of getting it wrong. The vast majority of respondents to RSM’s Q1 2024 cyber security survey – 94% – said they felt prepared to respond to a cyber attack.
However, cyber criminals continue to exploit vulnerabilities in third-party systems in order to inflict broader damage across the business ecosystem. Almost three-quarters (74%) of UK IT decision makers received notification of a cyber attack or vulnerability in their software supply chain in the past 12 months, according to new research commissioned by BlackBerry.
A quarter of respondents (26%) to the RSM survey admitted that they had suffered an attack on a key third-party service provider that had impacted their business financially, reputationally or operationally. Of those, 78% of the respondents who had experienced an attack in the past year reported that a supplier or third party was targeted by a threat actor.
Targeting third-party services is an especially attractive approach for criminals, because a single successful attack on a shared provider can reach many of its customers at once. RSM says businesses must be aware of the risks and potential liabilities if a third-party provider they use is compromised. Clear contractual terms are essential when engaging with third parties.
Stuart Leach, a technology and cyber risk assurance partner who leads the national cyber practice across RSM UK, said that although activity can be outsourced, responsibility and accountability for services and data cannot: “Cyber criminals understand that, in targeting third parties who host many clients, they are targeting a very attractive economy of scale. With this, businesses need to be aware of the split of roles, responsibilities with third parties and the liabilities they face if a third-party provider is subject to a successful cyber-attack.”
According to the survey, only 40% of businesses actively maintain a full list of suppliers despite the fact that, as Leach says, to mitigate third-party cyber risks it is crucial that organisations understand their cyber footprint. “This, in essence, is everywhere your data has been, everywhere your data is and where it will be in the future. Moreover, this should be considered from the perspective of data access, processing, transmission and storage,” he said.
To protect themselves, he added, it was essential to have an accurate view of all third parties to drive appropriate supplier management frameworks including due diligence at onboarding, continuous monitoring of critical parties and regular reviews of cyber security measures.
Ian Pay, Head of Data and Analytics at ICAEW, said an organisation’s cyber defences are only as strong as the weakest link. “Crucially it is not just your supplier that will suffer reputational and financial damage – if you cannot service your customers, or any customer or staff data ends up in the wrong hands, it is you who will be held responsible.
“Mitigating this risk is hard but it is vital that companies build an understanding of their supply-chain cyber risks and are willing to have robust conversations with those organisations that play a critical role in their IT infrastructure and data processing/storage. It’s also important when procuring new technology suppliers that cyber security considerations are central to the contracting process.”
Nick Wildgoose, an independent supply chain risk consultant and Fellow of ICAEW and CIPS, agrees that there is not enough understanding of the cyber supply chain. The appropriate flow of information is critical to the successful operation of a supply chain – for example, the documentation to allow appropriate customs clearance.
He says: “It is important that businesses consider cyber protections beyond those offered by end point solutions, that restrict the impact of a successful ransomware attack to the individual user where the breach occurs, rather than impacting all users. There should also be an increasing focus on the software bill of materials so that businesses better understand the code that underlies the applications they are using.”
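The software bill of materials mentioned above is only useful if someone actually reads it. The following is an added example (not code from RSM, ICAEW or any vendor named here) of the kind of review a defender would run over an SBOM: it parses a constructed CycloneDX-style JSON document, inventories the components, and flags those with no recorded version or supplier and those matching an internal watch list. The SBOM content, the component names and the watch-list reference are all constructed placeholders, not real packages or advisories.

```python
"""Inventory the components in a CycloneDX-style SBOM and flag the ones a
reviewer would want to look at: no version recorded, no supplier recorded,
or a match against an internally maintained watch list.

Added example. The SBOM document and the watch list below are constructed
for illustration and do not describe any real product or advisory."""
import json
from dataclasses import dataclass

# Constructed SBOM fragment in the shape of a CycloneDX 1.5 JSON document.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-http-client", "version": "2.4.1",
         "purl": "pkg:pypi/example-http-client@2.4.1",
         "supplier": {"name": "Example Vendor Ltd"}},
        # Versioned, but nobody has recorded who supplies it.
        {"type": "library", "name": "example-yaml-parser", "version": "0.9.0",
         "purl": "pkg:pypi/example-yaml-parser@0.9.0"},
        # No version at all: the SBOM cannot tell us whether it is affected
        # by anything, which is itself a finding.
        {"type": "library", "name": "example-crypto-shim",
         "purl": "pkg:pypi/example-crypto-shim"},
    ],
})

# Hypothetical internal watch list: (name, version) pairs the security team
# has decided need review, mapped to a placeholder tracking reference.
WATCH_LIST = {
    ("example-yaml-parser", "0.9.0"): "INTERNAL-WATCH-0001 (placeholder)",
}


@dataclass(frozen=True)
class Finding:
    component: str
    reason: str


def parse_sbom(text: str) -> list[dict]:
    """Return the component list from a CycloneDX JSON document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def review_components(components: list[dict],
                      watch_list: dict = WATCH_LIST) -> list[Finding]:
    """Flag components that cannot be assessed or that are on the watch list."""
    findings = []
    for c in components:
        name = c.get("name", "<unnamed>")
        version = c.get("version")
        if version is None:
            findings.append(Finding(name, "no version recorded; cannot assess"))
        if not c.get("supplier", {}).get("name"):
            findings.append(Finding(name, "no supplier recorded"))
        ref = watch_list.get((name, version))
        if ref:
            findings.append(Finding(name, f"on watch list: {ref}"))
    return findings


if __name__ == "__main__":
    for f in review_components(parse_sbom(SAMPLE_SBOM)):
        print(f"{f.component}: {f.reason}")
```

In practice the watch list would be replaced by whatever vulnerability feed or internal register the organisation maintains; the point of the example is that gaps in the SBOM itself (unversioned or unattributed components) are findings in their own right, because they leave the business unable to answer the "do we run this?" question when a supplier incident is announced.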
The RSM survey polled 408 senior executives from UK middle market businesses with a turnover between £10m and £750m or financial institutions with assets under management of £200m to £7.5bn.
More support
The National Cyber Security Centre offers a range of resources to help you understand the impact of supply chain cyber security risks.
In October’s Cyber Security Awareness Month, ICAEW is running a range of articles, webinars and podcasts on the biggest issues in supply chain cyber security. In the meantime, ICAEW’s cyber security hub provides a focal point for ICAEW members looking for support in managing cyber risks.