Why the conflict in Ukraine means UK businesses should scrutinise their digital supply chain

With GCHQ’s National Cyber Security Centre warning businesses to ‘bolster their defences’ against cyber attacks following Russia’s invasion of Ukraine, Gloucestershire cyber security expert, ReformIT, is urging businesses not to forget their supply chains too.

By Andrew Merrell  |  Published
With the online threat from criminals expected to increase, Neil Smith of ReformIT urges Gloucestershire businesses to scrutinise their supply chains when investing in their cyber security.

With the Government’s own National Cyber Security Centre predicting that the threat of cybercrime may increase following Russia’s invasion of Ukraine, SoGlos spoke to ReformIT’s managing director, Neil Smith, to find out what local businesses can do to protect themselves.

About the expert – Neil Smith, founder and managing director of ReformIT

Neil Smith is the founder and managing director of ReformIT, a nationwide IT support specialist headquartered in Cheltenham. Its skilled technicians can advise on all IT matters, from security, software and cloud solutions, to IT support and managed services, such as VoIP telephone services and website hosting.

ReformIT is a small business specialist, Microsoft Silver partner and Microsoft Office 365 consultant that also provides a customised range of managed IT services for business, too.

Why has Russia’s invasion of Ukraine had an impact on the digital supply chain?

In the UK, we might not be at war ourselves directly, but we are helping Ukraine and Putin will not be pleased with that one bit. Which is why the NCSC has said we can expect cyber attacks to increase in frequency as they make it as difficult as possible for us to go about our business.

You don’t need to be a company supplying guns to Ukraine to have your supply chain affected and life made difficult. Russia will hit us with focused and scattergun attacks. It does not matter whether your business is big or small.

Why the sudden emphasis on the supply chain?

There is so much emphasis on your own cyber security these days that the supply chain is often forgotten about. Businesses spend a lot of time looking at their own IT security and it is easy to forget your supply chain can also make you vulnerable.

Usually, you are in constant electronic communication with a supplier – and the most common form of attack is via email. If a supply chain customer has their email account hacked you need to be ready.

A hacked email account doesn’t sound very serious?

If a customer in your supply chain has their emails hacked and the hacker gets their hands on an invoice, the next thing you know the bank account details are changed. Any invoices that arrive with you will still look legitimate, might get processed by your business, and before you know it the money is in an account it is not meant to be in. What started as a hacked email quickly becomes financial fraud.

What sort of questions should a business be asking itself to make sure it is doing all it can?

Ask yourself: does your supply chain have the right measures in place, should a business get hacked, to help your company avoid becoming the victim?

It may be that, to speed up transactions, the supplier has login details or passwords to access your systems for a faster service. Suddenly, no matter what measures you have taken, you are vulnerable.

Plan as if it will happen and then make sure a recovery plan is in place. And ask yourself: are your back-ups good enough? Are they connected to your main system and does that make them vulnerable? Do you need a second back-up unconnected to your systems? How many hours will it take for you to get your business back up and running?

Cyber Essentials is the government-recommended basic level it would like to see all firms achieve to give suppliers confidence, but what about big businesses with good IT systems already in place? Should they still be concerned?

Even if yours is a big business with ISO 27001 (an international standard on how to manage IT security), it is possible you could still be doing regular business with customers which are effectively one-man bands and don’t have the resources you have.

It may be your business works with temporary contractors who may be ‘in-house’, but use their own equipment. Think about who will audit that equipment.

We deal with a major milk supplier, but many of its customers are small dairy farms – busy farmers without IT departments who have more to worry about than internet security. They still have to send invoices. Perhaps the bigger business can offer some IT support which will benefit everyone?

It is a case of doing your due diligence with your supply chain to ensure they are as safe and secure as you are. If everyone in it has Cyber Essentials you can have some confidence in one another.

This is part of the education process. As responsible customers you need to look out for one another. Businesses like ReformIT are there to help, coach and guide. We can work with you to change culture and help, but it is about taking a pro-active approach and assisting.

How serious is the expected retaliation from Russia?

On an IT security level it just underlines in bold that you need to have your systems backed up. You have to plan that someone in your supply chain will open that infected email; it will get through your antivirus software; it will get through your spam filters and burn all your data.

Plan as if it will happen and then make sure a recovery plan is in place. What the NCSC advises is essentially to carry out a risk assessment: understand the risks, establish control, check your arrangements, continuous improvement.
