The UK Government’s strategy to drive growth in Small and Medium Enterprises (SMEs) is one that Leonardo fully supports, reflected by our work with a supply chain of more than 2,100 specialist companies across the UK, including over 1,400 SMEs.
However, whilst systems and services across all sectors are increasingly delivered through an ecosystem of suppliers – leading to undoubted improvements in delivery outcomes – there are greater cyber security pressures on supply chains and increased importance around the management of security systems within them.
Measures such as the UK Government Cyber Security Strategy 2022-2030 – which lists “understanding and managing risks emanating from commercial suppliers” as a key outcome – help raise awareness of the importance of cyber security within the supply chain. This is reflected in the UK Department for Science, Innovation and Technology’s 2023 Cyber Security Breaches Survey which states that “55% of large businesses review immediate supplier risks”, up from 44% a year earlier. However, the same report highlights that only “13% of businesses review the risks posed by their immediate suppliers”.
And looking to the future, Gartner’s 7 Top Trends in Cybersecurity (published in April 2022), forecast that 45% of organisations worldwide will have experienced attacks on their software supply chains by 2025 – a three-fold increase from 2021.
Creating a balanced outcome
If end customers or large prime contractors place onerous requirements on their supply chain, this can be particularly challenging for SMEs. Therefore, there needs to be a balance between security and business benefit which allows cyber risk to be appropriately managed, whilst also enabling the SME agenda with associated benefits.
One of the key challenges in assuring supply chains is understanding the entire landscape, the risks that sit within it and the mitigation plan that can be built to enable successful risk management. For complex programmes and large organisations, in particular, supply chains can be many layers deep, and understanding where to focus security effort is the key first step.
For example, supply chains can provide or hold one or more of the following, each of which has significant commercial sensitivities associated with them:
- Critical Services / Capabilities: if these are disrupted, there would be a detrimental impact
- Critical Identifiable Information: information may not in itself be sensitive, but it can identify that a particular supplier is providing a critical service
- Sensitive Information: if compromised, this would have a detrimental impact on the organisation
Mapping risk management
Therefore, any effective approach to supply chain risk management must start with a mapping exercise to understand where these aspects are held within the supply chain, and the level of risk they each carry. A tiered approach to security assurance can then be implemented to ensure that the corresponding level of security assurance is appropriate.
Security improvements can be a daunting prospect for many organisations, especially SMEs who don’t always have the capacity to employ dedicated in-house cyber security experts. Furthermore, a skills shortage around cyber and digital talent in the UK, combined with the rapid pace at which technology is moving, can make it challenging for any one organisation to maintain cutting-edge capability in all areas.
This is something Leonardo is addressing in two ways. Firstly, on the skills side we have several schemes to address this issue and ensure we have the very best talent coming through the pipeline, from apprentices to experienced hires. Secondly, we believe that to support the supply chain assurance process, a collaborative approach is critical. Working with suppliers, and, in particular SMEs, to support improved security outcomes, will open up new opportunities for both the contracting organisation and the supplier.
As a National Cyber Security Centre-assured Cyber Security Consultancy, Leonardo has a thorough understanding of how to implement effective cyber risk management for supply chains, and routinely applies this to our key programmes. Additionally, our status as an Institute for Collaborative Working (ICW) ‘Ambassador’ means we apply its best practice principles, providing experience and knowledge of collaborative working. This further reinforces the proactive approach Leonardo has taken to working with our suppliers in order to drive long-term relationships based on trust, ultimately designed to result in better security and business outcomes for stakeholders – on the customer and supplier sides.