SMEs and the supply chain
White Paper, June 2014
Introduction
Security of the supply chain, particularly the smaller companies in the supply chain, is of growing concern across the economy. As large companies improve their defences, there is evidence of increasing attacks on trusted members further down the supply chain.
IAAC and IASME held a joint workshop on 21st May 2014 to bring together representatives from both large and small companies to discuss this issue. The workshop started with overviews of the BIS Cyber Essentials initiative and the MoD supply chain initiative before wider discussion. Slides from those presentations are appended to this report.
Discussions surfaced a number of key themes to be considered by supplier and customer alike. The group explored a range of mitigations, complementary to existing work led by BIS and other government departments.
1. Use of Cloud
A range of businesses, of all sizes, are increasingly moving to Cloud platforms, often for reasons of cost. Concerns about cloud platforms include:
- Unsecured clouds being used out of ignorance
- Valuable data residing overseas
- Not knowing where the data is stored or its transit path
- Potential for loss of data
- Outsourcing of platform, services and infrastructure by cloud providers
- Even secure data centres can outsource the management and access to a third party, most commonly to an overseas company to allow 24 hour staffing
Mitigation: Companies, particularly smaller firms, frequently lack the expertise to understand what they are procuring with cloud services. Guidance regarding key questions – and the answers to expect – would be invaluable, both for firms procuring cloud and for smaller firms to provide assurance to larger customers that they have engaged the cloud responsibly.
2. Incentive for small companies to work securely
There are currently very few drivers for small companies to work in a secure way for their own ends. Although small companies would like to be secure, they do not see the business case; even issues such as IP protection are only narrowly understood. Many smaller firms plan on a month-by-month or, at best, quarterly basis. They face many more urgent short term threats to their business than security breaches. Even larger companies have been seen to take the attitude that 'it does not matter if no one knows'.
Until small companies see a strong business driver which affects them in the near term they will not see a business case for investing the time and money into operating securely.
The meeting explored options for regulation. It was recognised, however, that there is no government appetite. Moreover, there is a risk that such regulations or standards would be designed for large organisations and would be difficult or expensive for a small company to achieve. Boundaries will therefore more likely be set by customers.
In some cases, large companies are reluctant to specify compliance with an assurance standard across all suppliers. This is to allow flexibility to work with a small company which has a unique product but which does not meet assurance criteria. Where assurance to an IA standard is required, that standard must be fit for purpose.
Mitigation: There are opportunities for partnership working with small companies to help them to achieve secure ways of working. For example, customers might require adherence to a certain information assurance standard before the supplier can be awarded the contract. The workshop also explored partnership working, and the introduction of offset costs, as in point 4 below.
3. Low technical understanding in many SMEs
SMEs frequently do not have the technical understanding to set their systems up securely. They need affordable and realistic advice. Even when seeking expert advice, this same lack of expertise means that small companies can find it hard to judge which are the best products and services.
Mitigation: CESG and G Cloud currently offer assurance about products and services, but these currently tend to be the more expensive services and less applicable to small companies. There is an opportunity to benchmark other, less costly, options that would suit the SME market. There may also be room to consider extending the existing IA 'voucher' scheme aimed at SMEs, particularly for those sectors considered sensitive and most vulnerable.
4. Relationship between large companies and the small companies in their supply chain
Members of the workshop felt that, as it is in the best interest of the larger companies to have a secure supply chain with timely, honest reporting of data breaches, the relationship throughout the supply chain could be developed into more of a partnership, with trust developing between the different companies. At present, the imposition of IA standards by a larger customer may be felt as an overhead by the smaller supplier.
Mitigation: Where a customer might seek to impose IA standards upon a smaller firm, it might consider lending its own IA expertise not only to inspect the IA behaviours of the smaller entity but also to help it improve its over-all IA performance. This might include an offset for the costs of accreditation, where applicable. Smaller companies already able to demonstrate a level of IA compliance would, of course, be able to present a more competitive offer – so also addressing the need for commercial incentive identified at item 2 above.
5. Coordination of requirements
There is a concern that small companies who work for a variety of different customers will face the time and expense of being accredited to several different schemes.
Mitigation: The establishment of a common benchmark or standard was recognised as valuable, provided it was not too onerous.
6. Current Government Initiatives
The workshop was given an overview of the Cyber Essentials Scheme introduced by BIS and of the plans for securing the supply chain from DCPP and MoD.
BIS and CESG are developing the Cyber Essentials Scheme, which focuses on 5 technical controls. The aim is for this to be written into government contracts over the next two years. The Cyber Essentials Scheme is, in effect, a minimum standard that BIS and CESG would like all small companies to reach regardless of their position in supply chains.
In parallel, the Ministry of Defence is working on an assurance methodology which will be specified by project, the aim being to secure each project on a risk basis. Although this will only be required of a company directly contracted to the MoD, that company will be expected to flow these requirements down its supply chain.
There was some debate about why different parts of the government appear to be approaching supply chain security in different ways.
Feedback on the Cyber Essentials scheme included the following comments:
- Some companies might focus on compliance with the scheme rather than on security per se;
- Criteria may be too technical for many businesses to comprehend;
- The current requirements suggest a snapshot view only;
- The scheme may not be cost effective towards the small end of the supply chain;
- No business driver - as yet - for companies to become accredited to the scheme;
- Not resonant with modern working/developments. This comment related in particular to the on-site vulnerability test, in an economy in which growing numbers of companies work in a distributed way from homes and rented offices across the UK;
- Similarly, the scheme excludes cloud and memory sticks;
- The 10 steps guidance was popular with business but did not include supply chain aspects.
Mitigations: There is room to deepen the already close working between government departments. Standards developed for sensitive manufacturing organisations may not translate readily to technical or other expert fields. There is room for self assessment with continuous monitoring either for firms individually or in partnership. A further iteration of the 10 steps, to include supply chain considerations and off-site working would be helpful. IAAC would be prepared to offer its facilities, alongside IASME, to help develop such guidance.
Cyber Essentials is being piloted among a number of companies. The Workshop suggested this should include SMEs in a typical supply chain. There might also be merit in GDS running a trial on its Colophon (i.e. the suppliers used by GDS for publication of its digital media) to ensure those SMEs also meet the Cyber Essentials criteria. The engagement of GDS in such pilots would also enable any challenges to be ironed out at an early stage, within government, before the scheme is extended across the wider economy.
The workshop noted, however, that absolute security is an unattainable (and, frequently, unworkable) goal. It was therefore equally important for SMEs to understand how to prepare for system failure and to develop recovery plans. This should ensure a degree of resilience, including when using the Cloud. It would also enable the engagement of the insurance sector through the introduction of Cyber Essentials.