Supply chain management is becoming more and more important in the Netherlands. As a result of increasing automation and the growing exchange of information between the different parties in the supply chain (the supply chain partners), the need for good cybersecurity is increasing as well. In the near future, a lot of companies, big and small, will discover that they are important, if not essential, to Dutch society.
This is the result of the European NIS 2 directive, which will have to be embedded in Dutch legislation before mid-2024. One of the subjects in the directive is the attention paid to the supply chain's cybersecurity. That means that, in addition to establishing your own cybersecurity, you will also have to assess the level of cybersecurity of your business partners. For NIS 2, but most importantly for your own security.
Just in time
How does ransomware enter a company? Increasingly often, through the supplier's entrance. Now that a lot of large organizations have strengthened their own cybersecurity, criminals are looking for weak links in the supply chain.
To do so, they happily make use of trends such as just-in-time production. A growing number of organizations are allowing suppliers direct access to their business systems, so the suppliers can see what they will have to deliver and when. That saves time and manpower, and it reduces the chance of errors as well.
But if a cybercriminal can infiltrate such a vendor, the vendor's client is put in danger as well, even if the client's own security is in reasonably good order.
These threats are growing so rapidly that intervention is now taking place at the European level. Effectively securing the supply chain is becoming mandatory. From here on, your vendor's security becomes your own responsibility as well.
Organizations that are found lacking in this regard can be punished with fines of up to 10 million or more. Moreover, executives can be held personally responsible.
That raises the question: what can you do to secure your supply chain?
Suppliers are not just companies that deliver parts or manage systems: cloud providers like Google and Microsoft are considered suppliers too. The main difference is that you have to follow their rules instead of the other way around.
Not all cloud providers offer the same range of cybersecurity options. With Amazon you will have to organize a lot yourself, while Google and Microsoft's services require expertise in order to be used effectively. Under NIS 2 this becomes your responsibility as well.
As you can tell, there is a lot to do, and one and a half years is quite a short period of time for it. Not all of it is easy. Professional support is therefore recommended, especially when it comes to legal agreements on cybersecurity that have to be confirmed on paper.
Luckily, the most recent version of the ISO 27001 standard for cybersecurity also pays attention to the supply chain. Due to the increased threats it has now become stricter. In the past a pick-and-choose approach could suffice, whereas every area of attention is now a matter of comply or explain. Given all of this, it is almost certain that security auditors are going to be very busy.
But as said before, it is very much needed. Dealing with suppliers in a safe manner must really become a habit. NIS 2 protects our society, but the principles on which it is based protect your company.