Headlines that the two largest UK intelligence agencies, GCHQ and MI5, have reported that the UK is under "disturbing" and "astonishing" levels of cyber-attack may come as a shock to many people.
But the truth of the matter is that corporate and international espionage is rife, with foreign nations, corporations and organized crime syndicates looking to infiltrate the corporate networks and access data, systems and information of the UK's leading companies.
The reason for that is quite simple: they want access to corporate secrets, designs and business plans. They want to compromise the security of our companies for their own profit, to gain competitive or financial advantage.
The problem encountered by these attackers is that most large organizations implement measures to prevent such attacks. They spend lots of money on technical infrastructure designed to counter requests to access internal systems, they implement information security policies and processes which reduce the risks associated with a security breach, and sometimes they even implement programs to educate their staff on how to protect sensitive information.
They have the financial ability, the know-how and the skills to do this.
But that is not true for many of their supply chain companies.
Supply chain businesses – those that provide design, manufacturing and other services to larger corporations – are coming under increasing attack. That's because they do not have the resources and understanding that their larger clients have, and the attackers know this.
The fact is that many supply chain businesses still deal with the same sensitive information on behalf of their larger clients. This in itself makes them an inviting target, and their reduced levels of security, awareness and capability also make them an easier target to penetrate.
So what should such businesses do to improve security?
There are a number of steps any sensible business can take to improve security:
1. Engender a "Culture of Security" – take a top-down view with full management buy-in, showing your commitment to security and encouraging it at every level of the business;
2. Implement Security Policies – security policies formalize your approach to security, define acceptable use and technical standards which enhance security and help to make your requirements clear to all staff;
3. Employ appropriate technologies – make use of appropriate technologies for your organization. This does not have to be expensive but it can drastically reduce your risks;
4. Educate your staff – employees are your first and last line of defense, as well as often the weakest link. Educate them to protect your business interests and safeguard their own information;
5. Test your security – without testing you have no idea if your controls are working. In the context of the current topic you should at least test your internet facing infrastructure, but it is also worth implementing a program of spot-checks to ensure your staff are maintaining security and understand their roles and responsibilities;
6. Report your findings – whatever the output of your security program, make sure that the results, including test results, are reported back to the right people and teams. This ensures that issues are dealt with correctly and risks are properly handled.
Analysis undertaken on behalf of the Information Commissioner's Office revealed that when it comes to information security, SMEs are the "soft underbelly" of the UK economy and critical national infrastructure.
We all need to take responsibility for security, particularly if we want our businesses to thrive both nationally and internationally.