Part Two – The Digital Revolution (Part Three)

Economic Unit
Supply Chains:
Supply chains present another major cybersecurity challenge for businesses, whether through third-party access to their systems or through phishing attacks that originate with a supplier and then reach the business itself.
While many organizations recognize that cybersecurity risks reach them through their supply chains, some, particularly small businesses, have few formal procedures for managing those risks.
According to the Cyber Security Breaches Survey, only 11% of businesses reported that they assess the risks posed by their direct suppliers, and only 6% said they consider the risks across their entire supply chain.
Regarding supplier-related risks, the survey found that organizations manage these in a variety of ways. These include more formal approaches such as contractual clauses, obtaining external certifications (like ISO 27001), recording data flows, and meeting with suppliers.
However, there are also informal approaches, such as occasionally emailing suppliers to inquire about their cybersecurity practices.
Cybersecurity Accreditation and Insurance:
More broadly, research published by the British Chambers of Commerce (BCC) in 2022 showed that over half of businesses believed their IT systems had become more vulnerable to attack following the increase in remote working during the pandemic.
Furthermore, four in five companies stated that they currently lack robust cybersecurity measures to defend against attacks.
This, coupled with the shift toward remote work, underlines the importance of appropriate cybersecurity protections for business resilience.
Despite this, only 8% of businesses and 5% of charities reported holding a specific cybersecurity insurance policy.
The percentage is higher among larger organizations but still low: only 25% of medium-sized and 26% of large enterprises have dedicated cybersecurity insurance. Insurance transfers part of the financial impact of an incident; it does not reduce the likelihood of one, so it complements rather than replaces technical and organizational protections.
ISO 27001 Certification:
More formal schemes such as ISO 27001 certification raise concerns of their own. ISO/IEC 27001 is the international standard for an information security management system (ISMS): it sets out how an organization should identify and manage information security risks through policies, procedures, controls, and staff training.
ISO 27001 certification is recognized internationally. It demonstrates that an independent certification body has audited the organization's ISMS and found it to meet the standard's requirements within the certified scope; it does not by itself guarantee that every system is secure, so anyone relying on a certificate should check the scope it actually covers.
Many businesses and public-sector organizations use ISO 27001 as a benchmark for security and cybersecurity compliance, as well as a prerequisite for qualifying as suitable suppliers in procurement contracts.
Obtaining ISO 27001 can help small and medium-sized enterprises (SMEs) access greater business opportunities and grow.
While the certification is not overly expensive, it is often resource-intensive, requiring the development of extensive policies, staff training, and the establishment of internal audit processes.
Recommendations:
The government should implement a program to raise awareness of and engagement in cybersecurity, particularly among small businesses. This program could include:
- Improving business and employee access to government-endorsed cybersecurity training.
- Supporting businesses in conducting cybersecurity risk assessments, including within their supply chains.
- Helping businesses understand how to report cyber breaches or incidents.
- Supporting businesses in achieving ISO 27001 certification.