Intelligent CISO Issue 74 | Page 28

EDITOR'S question

RICHARD STAYNINGS, CHIEF SECURITY STRATEGIST FOR CYLERA
The latest Government's Cyber Security Breaches Survey 2024 shows that an alarming 18% more businesses have experienced some form of cybersecurity breach or attack in the last 12 months compared to last year's findings. This spike in attacks is likely behind the increase in the number of businesses implementing some form of insurance, rising from 37% to 43% between 2023 and 2024.
Yet, despite this upward trend in attacks, it's worrying to read that the percentage of organisations taking action to identify cyber-risks within their organisation and supply chain has remained largely unchanged compared to the year before.
Still only around three in 10 businesses have undertaken cybersecurity risk assessments in the last year, and again only around a third of businesses deploy security monitoring tools. Meanwhile, the number of companies reviewing the risks posed by their immediate suppliers hasn't changed in 12 months, remaining at just over one in 10.
It is concerning how rare it still is for organisations to review supply chain risk. This is an accident waiting to happen.
Organisations in the public and private sector need to do a much better job of managing third parties and of assessing third-party risk. They must understand exactly what is connected to their networks and what risk each of these systems presents. This is especially a concern given the significant growth in IoT devices, which often lack cybersecurity and are rarely patched.
Most industries tend to do a terrible job of managing the security of their supply chain. All third-party vendors, whether those supplying goods to your café or your external accountant, need to be held to the same security standards and policies as your own organisation.
The trouble is that few businesses enforce this within their contracts with third parties, making it a prerequisite that vendors have policies and procedures that meet our own standards, that they have quality assurance in place, staff training and access controls set up, and that they provide ISO/IEC 27001 certification – the world's best-known standard for information security management systems (ISMS).
We can't have third-party vendors winning contracts for critical industry sectors such as healthcare and hospitals based simply on the lowest bid.