On 21st January 2022, iNetwork welcomed delegates to the Mitigating Risks Down the Supply Chain event. This event focused on the ever evolving risks faced by Procurement and IT professionals and it provided an opportunity to consider how these can be identified and ameliorated. In recent years, with data protection and information security obligations, and the wider effects of both the pandemic and the global economy, organisations have been forced to look more closely at their supply chains, to understand where the risks may lie.

The event was chaired by Peter Schofield, Head of Procurement at Manchester City Council. Delegates heard from speakers from YPO, the Local Government Association, National Cyber Security Centre, North West Cyber Resilience Centre and the University of Oxford during the event and gained insight into how organisations are working to reduce risks within the supply chain and responding to the ever-evolving threat of cyber security.

Supply Chain Risks

Agnieszka Gajli, YPO, opened the event with her session, which provided an overview of the broad range of risks that affect the overall supply chain within Procurement. Agnieszka discussed how there are four main risk areas which impact the supply chain:

– Structural issues within the economy – labour and skills shortages and wages.
– Covid 19 Pandemic.
– Brexit.
– Global issues – energy, shipping, electronic components.

There are a number of areas of the supply chain that are impacted by these risks. These include:

The Energy Sector

Within the energy sector, there are issues which are outside of our control that are having an impact on UK businesses, as shown in the below image.

The ICT Sector

The ICT Sector has experienced a number of difficulties, including component, labour and fuel shortages. These have had a direct impact on IT maintenance, including loss of power and network connectivity issues, and have left businesses open to cyber attacks. Agnieszka highlighted communication with suppliers and customers, forward planning and regular review of contingency plans and IT strategies as key to mitigating these risks.

The Fleet Sector

The fleet sector is another area that has been impacted significantly in recent years, leading to disruption in the delivery of goods and services. The Covid-19 pandemic and subsequent lockdowns had an effect on “non-essential” services and businesses, which directly influenced the availability of raw materials and transportation. Labour shortages have also added to the pressures faced by the sector. These factors have resulted in longer order lead times, increased breakdown response times and an increased cost due to supply shortages. Recommendations were made to consider these aspects when releasing tenders, ordering essential supplies and budget forecasting.

Facilities Management, Building and Highways Sector

There is an interconnected hierarchy of suppliers within this sector, each with a complex supply chain with a high number of suppliers. There is a shortage of many key materials, including aluminium, timber, cement and bricks and an increased demand for copper. In addition to the material shortages, there is also a gap in the labour force and an increase in fuel prices; this is having an impact on the financial stability of suppliers. There is an increased risk to this sector from climate change; weather related disruptions and disasters, such as flooding, are becoming more frequent and it is essential that these are considered alongside understanding the traceability of products, services and logistics that serve the sector.

What can we do?

When it comes to mitigating the risks posed within the supply chain for procurement within the public sector, the key message is that effective procurement comes down, put simply, to effective contract management and good relationships with suppliers.

Supplier assessment: LGA Supplier Questionnaire Project

Katie Owen, Local Government Association, and David Cowan, Copeland Borough Council, provided an overview of what cyber security entails and the work that is being undertaken within Local Government to safeguard data and establish areas of good practice.

Katie explained how ransomware attacks can have a devastating impact on local authorities. The recently identified Log4j vulnerability is one example; its full impact is yet to be determined. There is a need for a better understanding of how councils can embed cyber security within the supply chain, and the LGA are working with nine councils to improve practices within local authorities. They will be launching a project to better understand the existing practices within the sector and to develop a suite of resources. Katie welcomed interest in this project; further details can be found by contacting the LGA: LGAcybersecurity@local.gov.uk

Cyber Security Risks

The LGA have worked closely with Copeland Borough Council to deliver a reusable cyber security supplier assessment tool. David Cowan provided an overview of the existing risks posed to the public sector and their suppliers within the context of cyber security. It is crucial that security is monitored and maintained, as the consequences of security breaches can be catastrophic. A supply chain involves many suppliers, and assessing the security of each is technically demanding and brings a number of complications.

There are some initial steps that can be taken to determine whether a supplier is compliant, such as checking for an ISO 27001 certificate; however, holding a certificate does not mean the supplier is fully accredited, and full accreditation can take up to 18 months to achieve. Within ISO 27001 there are 114 Information Security Controls, divided into 14 domains. Each of these controls may need to be probed, resulting in an increased workload and demand on manpower. The Cyber Essentials PLUS accreditation shows that an organisation has been audited by a third party and its cyber security accredited.

David explained how there is some assurance within the Cloud space; however, accreditation can take up to five years. Large scale providers, such as Microsoft Azure, AWS and Google, are SOC 2 Type II audited and verified. The Cloud Security Alliance (CSA) has a three-level STAR rating which supports in determining the security of the provider.

The Pathfinder Project

The Pathfinder Project was launched to develop a reusable and easy to follow question bank that can be used by non-subject-matter experts to facilitate a supplier assessment, either by a supplier or by an organisation acquiring an ICT solution. It is free to access and use, has sector-wide applicability and can be modified by each organisation. The aim is to ensure that the tools remain fresh and relevant by developing a cross-sector community of interest and representation. The LGA and the National Cyber Security Centre have both been working on cyber security solutions with the public sector and are working in partnership to ensure their individual projects are mutually supportive. If your organisation is interested in becoming involved in the project, please contact David for further information: David.cowan@copeland.gov.uk

Supplier Support and the NW Cyber Resilience Centre

Detective Superintendent Neil Jones introduced delegates to the work that is being undertaken by the North West Cyber Resilience Centre and the support available to businesses and organisations. The NW CRC was set up in 2019 in Greater Manchester, with a further nine centres established since then. They work alongside the Police, Home Office and Local Authorities to support small businesses, arming them with the knowledge, skills and tools to protect themselves from organised crime.

Over the past 12 months, 39% of businesses have identified cyber security breaches, with 27% being attacked once per week. This has resulted in an average cost of £8,460 in lost data and assets. Phishing attacks have been experienced by 83% of businesses, with a further 27% suffering from business impersonation. There was a 30% increase in reports of fraud and cyber crime in 2021, costing victims £2.5 billion over the last 12 months.

The CRC works with local universities and employs students who are studying IT, which enables them to develop their skills and allows the CRC to provide this crucial support to small businesses at an affordable rate. The students are closely supported in this work by Senior Security Consultants and Police, and the work is screened, quality assured and delivered to a high standard.

Services offered

– Vulnerability assessments (internal / external / web application).
– Security awareness training.
– Digital footprint investigations.
– Businesses can register for free membership and receive a package of guidance designed by cyber professionals, set up and supported by the Home Office.
– Support across the supply chain, including small vendors.
– Signposting procurement professionals to (secure) third party suppliers.
– This is being extended across the UK; Local Authorities in Wales have encouraged their suppliers to sign up to the NCRS.

You can sign up for membership here.

Supply Chain Security and the CUPA Initiative

Colin Williams from Mansfield College, University of Oxford, concluded the event with his session on the Commodity Usage Principles and Assurance (CUPA) Initiative. For many years the MOD has operated the ‘DIPCOG’ (Defence Infosec Product Co-Operation Group) approach, which approved information security products and services for both Defence and its suppliers. CUPA is a new approach to assuring commodity information products and services. The proposed CUPA process identifies methods of assuring that Off The Shelf (OTS) products and services meet the required MOD security standards. The initiative, whilst adopted by the MOD, is not owned by them. It is a joint, public-private approach to addressing the Trustworthiness of Commodity, Off The Shelf, Products and Services, including their Specification, Realisation, Assurance, and Use.

Colin Williams likened the CUPA initiative to Trustpilot’s reputation scoring. It relies on scoring by customers, which is moderated via a CUPA Central review process that includes independent review and an endorsement award. Colin gave an interesting potted history of computing technology to provide context as to why and ‘how dead ideas still walk among us’. The idea of CUPA is to learn from the lessons of the past and to promote visibility within the supply chain.

Further information

This event was delivered to iNetwork members as part of the Connected Procurement and Commissioning (CPC) and the Effective Information Sharing and Security (EISS) Programmes. For more information on iNetwork’s CPC programme, please get in touch with Hannah Gains, Stakeholder Engagement Manager at iNetwork, who is the programme lead for CPC. For more information on the EISS programme, please get in touch with Shelley Heckman, who is the programme lead for EISS and the Director of the iNetwork.