TECHNOLOGY REPORT

Cyber risks: Are suppliers the weakest link?

on premises rather than in the cloud. "This is due to historically large file sizes and the fact that much of the printing equipment and their systems require local servers."

However, this equipment represents large capital investments that firms want a return on. The issue for Watkins is that many of these servers run on unsupported operating systems that no longer receive security updates from software providers, and which are expensive to replace. "This," he says, "increases the vulnerability of the print sector to ransomware encryption style threats."

The matter is well illustrated by the government's Cyber Security Breaches Survey 2025, something that James Longster, a partner in the Technology & Commercial Transactions department at Travers Smith, highlights. He says that in relation to supplier-linked attacks, "the survey found that just 45% of large businesses reviewed the cyber security risks posed by their immediate suppliers – in comparison to 21% of small businesses. This is a drop from 55% in 2023. Only 25% reviewed the risks of their wider supply chain".

It's interesting, or rather concerning, that Watkins thinks that not many print firms consider the chance of supplier-borne attacks. Some do, he says: "Especially those with more mature cyber security postures. However, it's not always top-of-mind for every organisation. Third-party risk is one of the most overlooked areas, yet many attacks begin with a compromised supplier or contractor."

He makes the point that even those with robust internal controls have their cyber risk exposure extended to every organisation they connect with digitally. Thankfully, Watkins has noticed that cyber awareness is improving across the board, but says that "there's still a common misconception that cyber threats are only aimed at larger, high-profile organisations".

He clearly cannot speak for every BPIF member but says that both large and small businesses are being affected. He adds that "smaller firms can be more vulnerable because they often lack dedicated cyber security resources, and cyber criminals frequently target smaller businesses precisely because they are seen as easier to breach".

Longster also worries. He understands that cyber threats from outside an organisation are likely to be more difficult to detect and control. That said, he comments that "knowing who your direct and indirect suppliers are, what they provide, how they provide it, and what data they hold and have access to will help you to identify which are your critical providers and better manage the cyber security threats to your business".

This is why he says firms should map their supply chain: it will help determine what measures can easily be enforced via contracts, and it will put a firm "in a position to respond more rapidly to supply chain-related cyber incidents and regulatory requirements." He says that the National Cyber Security Centre (NCSC) has guidance on the subject: 'Mapping your supply chain'.

Carry out supply chain due diligence

Longster recommends management assess whether suppliers have an appropriate level of cyber resilience and data hygiene. He says that this is especially important "if personal data is being processed by the supplier; conducting due diligence is a legal requirement under UK GDPR".

He would also have suppliers complete a security questionnaire, which IT and procurement staff need to be trained to fully assess, so that vulnerabilities can be addressed. Here he poses a couple of questions that firms should ask of themselves: "If your systems are to be integrated with a supplier's, how easily can a threat be contained? And how regularly are systems checked for vulnerabilities, and what is the back-up plan if those systems are compromised?"

Watkins takes a similar line, noting that schemes such as the government's 'Cyber Essentials' (available from the NCSC) and ISO 27001 consider supply chain risks. He says: "Firms should carefully vet their suppliers – even annually – to ensure that they understand the risk and are applying due diligence accordingly." Unfortunately, he sees too many businesses outsource the problem and so feel they have passed on the risk.

Human error is cited time and again as the primary cause of cyber security breaches, with phishing remaining the most prevalent type of attack. On this Longster says: "Marks & Spencer confirmed that the attack on their systems was a consequence of human error within their supply chain. Just as you train your staff on the range of cyber incidents that can arise and include steps to limit human error and technological issues, check whether your suppliers do the same."

It may be appropriate for suppliers to provide independent third-party assessments, audits, or certifications, depending on the requirements and the level of risk.

Watkins is seeing a wide spectrum of preventative activity. He says: "Some businesses are investing in strong security controls, training, and backup strategies. But others may still be in the mindset of 'it won't happen to us' until it does. Unfortunately, we often see organisations reach out to us only after they've had an incident."

It's not surprising that he's very keen on proactive planning and risk management, as it is "always more effective and less costly than reactive firefighting."

Contracts help

Good contracts are another angle to consider, according to Longster, and he's not solely referring to compliance with law and data protection provisions. Rather, he's talking about contracts with suppliers.

He says that contracts should include, and this will vary according to the risk profile of the supplier relationship, a commitment to minimum security measures, security service level agreements and maintenance of security accreditations; an obligation to maintain disaster recovery and business continuity plans; the customer's right to carry out audits on the supply chain to test resilience, including, where appropriate, penetration testing; a process for cyber incident reporting, cooperation and response requirements; an exit strategy with obligations on the supplier to delete and return data on termination; and provisions to allocate risk and cost for cyber incidents and data breaches and set requirements for cyber insurance.

Further to this, Longster says that to "help manage your wider supply chain, there must be appropriate controls over subcontracting, including, where necessary, mandatory flow-down of contractual requirements".

Watkins doesn't disagree and talks of due diligence, which he says should not be a one-off process: "Pre-contract exercise and contracts should be actively managed and, where necessary, enforced throughout the relationship. Audits, governance and reporting must be exercised, and business continuity and disaster recovery tested, regularly, and not just when things go wrong." To this he adds measures that prevent any unauthorised or unintended access to information and systems, and any unnecessary sharing of data, all of which must be policed; and changes to systems and data flows should be tracked and recorded.

www.printweekmena.com November 2025 PrintWeek MENA 27