Tag Archives: supply chain

Targeting of “Western” Critical National Infrastructure and how we all play a part in its defence.

I have read several opinion pieces that suggest ISIS is planning a cyber-geddon style attack on “the West’s” Critical National Infrastructure (CNI). Given the current nature of warfare and the growth of cyberwar/terrorism this seems like a logical opinion.

From the inaugural FT Cyber Security Summit in June this year:

Countries are having to defend themselves against an increasing number of attacks on their information and communications systems from unfriendly states, terrorists and other foreign adversaries. NATO, for example, in June adopted an “Enhanced Cyber Defence Policy”, outlined
in a public information document circulated by the 28-member intergovernmental military alliance at the conference.
“The policy establishes that cyber defence is part of the Alliance’s core task of collective defence, confirms that international law applies in cyberspace and intensifies NATO’s cooperation with industry,” states the document. Key aspects of the policy were discussed at
the event including the fact, reiterated by a member of the audience, that a digital attack on a member state is now covered by Article 5 of the treaty, the collective defence clause, meaning that NATO can used armed force against the aggressor.

We can all play a part in securing our CNI by securing our own networks and businesses to make them less likely to get used as mules or zombies to deliver this threat to our CNI. Back in 2011, Chatham House issued a report on cyber Terrorism and one of its recommendation back then was,

Training and development of staff in cyber security
measures should be seen as an integral part of risk
mitigation strategies.

This says staff, not IT staff or security staff just staff and this is because ‘cyber’ is a part of everyone’s day with very few exceptions. Behaviour and culture have an impact on CNI security. Through supply chains, we are all connected and through our IP enabled devices both at home and work, these connections become ever more complex and exploitable. Part of the problem as I see it is a bit of a disconnect with security at the top of many of our organisations.E&Y visuals security survey 2012 2


This is where culture is driven from and addressing this worrying knowledge gap is vital. Evidence for this lack of understanding comes from businesses themselves.


Board Compliance visual



Why every day is Data Protection Day

Excerpt from Outsource Magazine article.

Hopefully it won’t have escaped your attention that the 28th of January marked EU Data Protection Day, also known as Data Privacy Day. This awareness-raising event has moved out of the EU in real terms and activities relating to both protection and privacy happen globally.

Link to the full article here

Size Really Doesn’t Matter in Cyberspace

iStock_000015672441MediumSomething we have all long since suspected, today confirmed by Allianz – the insurance giant. Size does not matter. At least not when it comes to being a target of a malicious cyber attack.

According to Allianz, attackers are targeting large corporations by attacking their supply chains – smaller companies and SME’s that potentially offer more easily accessible ‘routes in’. Of course it is not always going to be the case but an SME perception of not being a viable target may be just that, a perception. Understanding what the real threat and therefore risk of an attack is, is vital. If you don’t fully understand what risk is posed to you and you potentially pose then you may be open to an incursion, even if you are not the prime target. You may not even know your systems have been used in this malicious manner.

So the question is, how robust is your security? Well, many large corporations are starting to demand evidence of stringent security as a matter of course. They understand some of the very real risks posed by their suppliers. According to an article in City AM today-

“Companies employing fewer than 250 employees are now almost twice as likely to be the subject of a targeted computer attack compared to 2011. By contrast, large organisations employing over 2,500 people have seen no increase in attacks over the same period”

A thorough independent and comprehensive Risk Assessment would be strongly advised in these circumstances. Being able to evidence your security posture is a positive enabler for many organisations, as it can open greater commercial opportunities up to work with larger corporations and Public bodies, however as the risk of these “piggy-back” attacks grows, these corporations are more and more likely to require evidence of the supply chain partners’ security.

Business Continuity: International Standard Excellence

How resiliant is your supply chain?

Warning (again): contains percentages that you may find rather unnerving.

Business Continuity saw the beginning of change in May this year, when the new International Standard was published.  Moving from a British standard (BS 25999) to an international one (ISO 22301) will offer benefits and reassurance to organisations with international supply chains to consider for instance. It also offers the opportunity to leverage accreditation to potentially lower insurance premiums. Indeed, insurers are increasingly seeking assurance that organisations are compliant with the BC standard before issuing certificates or agreeing premiums.It’s hard to talk about Business continuity without talking benefits. The move to an international standard should create an even greater interest in this increasingly pertinent standard.  According to the CMI Business Continuity Survey, the last three years have seen an increased number of managers in organisations implementing BC plans, from 49% to 58% and now 61%. Most encouragingly, currently 81% of those implementing an effective plan are reporting an effective reduction in business disruption. 77% felt it had improved business resilience. If that is not a clear benefit I don’t know what is!

At the other end of the scale however, we have the organisations that as yet have not fully grasped the importance of planning how to continue business in the event of a BAU threat or disaster. Research done by Norwich Union reported that businesses without an effective BC plan which experienced a disaster have a greatly reduced chance of ever fully recovering. In fact only 8% make to the five years plus mark. It gets worse, 40% never re-open and another 40% re-open but fail within 18 months. Never underestimate reputational damage. How then, can an organisation fail to include Business Continuity Planning into the very fabric of its being? Referring again to the CMI survey, 15% of managers cited a perceived lack of business benefit as a reason for not having a Business Continuity Plan. (I do hope none of these businesses are in the supply chain of any readers…)

However, a staggering naiveté emerges when we read in the same survey that 54% of businesses that do not have a plan say it is because they “rarely get significant levels of disruption in their business”. Given the fact that almost half of businesses surveyed, reported disruption from extreme weather, which cannot only have affected those who have already included it in the scope of their BC plan, surely?

There are a number of factors at work here apart from the unwillingness to acknowledge that sometimes events out of one’s control can impact a business. Also some organisations have a knowledge gap in what they think they can survive and what they can actually survive. Don’t forget reputational damage will be a key indicator in how your talented staff, your clients and your supply chain partners respond to you after a disaster. Another consideration is the best of intentions being poorly researched and  implemented, so another knowledge gap but this time in where the REAL threats and risks lie and planning for things that may be inappropriate whilst real threats are unconsidered. Add to that a good or a less than good plan being poorly implemented, tested and educated through an organisation and you have, what is known among youngsters as an epic fail.

As Business Continuity becomes an international standard, the opportunity for UK businesses to benefit increase. The ability to plan the continuance of business in exceptional circumstances should not be considered exceptional. Supply chain partners, clients, insurers and employees will come to demand this as standard, making the ISO 22301 standard all the more attractive and necessary.

Advent IM – The UKs Leading Independent Holistic Security Consultancy