Cyware: How Regulations Shape Supply Chain Security Strategy

Dan Bridges, Technical Director – International at Cyware
Dan Bridges, Technical Director – International at Cyware, examines how regulations can shape supply chains and make them more resilient to cyber attacks

In today's interconnected global economy, supply chain security has become one of the most critical elements for businesses and governments alike to address. 

Amid growing complexity and vulnerability throughout supply chains, it becomes increasingly important to introduce regulations and frameworks to help build supply chain strategies and ensure the security and resilience of these networks. 

Here, Dan Bridges, Technical Director – International at Cyware, examines how regulations can help shape supply chains and make them more resilient to cyber attacks.

Why is it important to implement sufficient cybersecurity measures across the whole supply chain?

Supply chains are integral to today’s highly-connected digital economy. Whether it’s a sole trader, contractor or a major multinational, the modern supplier ecosystem is made up of organisations with varying levels of cybersecurity. Unfortunately, there are still many businesses that operate with inadequate security, incident response and remediation capabilities.

Effective cybersecurity will not only minimise the risk of data breaches but, in the event of an incident, will help preserve operational continuity. It also plays a vital role in ensuring organisations remain compliant with all relevant regulations and their internal governance requirements.


What are the consequences of insufficient cybersecurity measures? How does this impact the supply chain?

In an environment where any organisation can be targeted by cyber criminals, a single security breach at any point in the supply chain can create a cascade effect, leading to a widespread security crisis.

The consequences can be extremely serious. The 2020 SolarWinds attack, for example, is among the most significant supply chain attacks in history and occurred after hackers deployed malicious code into its IT monitoring technology. That software is used by thousands of commercial and government organisations worldwide, and the hackers used it to gain access to thousands of other networks across their supply chain, enabling them to steal sensitive data. The attack went undetected for months, further increasing the severity of the incident.

How can regulations like DORA and NIS2 shape an organisation’s supply chain security strategies?

The Digital Operational Resilience Act (DORA) details how the financial sector and third-party technology service providers in their supply chains must take responsibility for operational resilience, protecting against cyber threats and ensuring the continuity of critical services. For instance, DORA requires organisations to assess, monitor and review the security practices of their technology vendors.

The Network and Information Systems Directive 2 (NIS2) focuses on the resilience of a range of sectors, from critical infrastructure and food supply to digital providers and waste management, among others. It aims to strengthen the cybersecurity programmes of organisations in these industries and across their supply chains. Failure to comply can result in significant financial penalties of up to €10m (US$10.4m) or 2% of their worldwide annual turnover.

What other regulations are there that potentially influence supply chain security?

Other regulations include GDPR, which established data protection responsibilities for EU organisations and those trading there. This applies to businesses and their third-party suppliers, and breaches in the supply chain that expose personal data can potentially lead to enforcement action. This year, the cumulative fines resulting from GDPR breaches exceeded €5bn (US$5.2bn), underlining the importance of effective data protection as part of a holistic security strategy.

There are also more focused regulations, such as the Payment Card Industry Data Security Standard (PCI DSS 4.0), which sets out security requirements for handling payment card data to protect cardholder information and prevent fraud.

Cybersecurity is crucial to supply chains. Picture: DC Studio via Freepik

What is the value and importance of collective defence strategies to supply chain security?

The various challenges associated with supply chain cybersecurity have prompted many organisations to adopt collective defence strategies, whereby they work together to share threat intelligence and best-practice approaches to maximise protection. For supply chains, this approach enables quicker detection of cybersecurity vulnerabilities and a more effective coordinated response that focuses on shared resilience. By working together, organisations can quickly respond to threats, reducing the risk of breaches taking place and, if they do, helping to mitigate their impact.

What steps should organisations take to review and improve their existing cybersecurity mechanisms?

The first point to note is that reviewing and improving cybersecurity mechanisms is a continual process, which often begins with a comprehensive risk assessment to identify areas of vulnerability across technology assets and infrastructure. Routinely evaluating and updating tools and processes ensures that security measures remain optimised to address evolving threats and meet industry standards.

Organisations should also ensure their security policies and staff training are up to date and assess the effectiveness of access controls. Armed with this insight, security leaders can invest in appropriate security tools and monitoring to plug any gaps.

Why is it important to consider the security of extended supply chains, including fourth parties and beyond?

Each and every component across an extended supply chain offers the potential for a security breach. This includes the likes of fourth-party subcontractors and service providers that are relied on by members of the supply chain. For example, if an organisation in the supply chain contracts a cloud provider, which then outsources data storage to another specialist, that specialist is considered a fourth party. A security breach at this data storage business could, in theory, propagate via the cloud provider and into the supply chain. Organisations should assess these risks as part of their procurement processes.
