The Importance of Ensuring Supply Chain Security
The InfoSec Consulting Series #11
By Jay Pope
Many aspects of the business world are interlinked by technology. But while this brings huge benefits in efficiency and convenience, it also poses the risk of falling victim to a cyber threat. Businesses are dependent on suppliers to deliver services, goods and systems. This can result in a complex supply chain which, in turn, makes it hard to ensure supply chain security because vulnerabilities and flaws can exist or be introduced at so many different stages. Many recent cyber-attacks have been caused by flaws in third-party systems. It is therefore important to understand the risks involved in the supply chain and to require suppliers to implement systems security standards similar to those you employ yourself.
Knowing the Risks
Only by understanding your supply chain can you start to properly assess the risks it poses. The first step towards this is knowing who your suppliers are and what their systems security measures look like.
There’s an immediate problem here because while you may be able to get information about your direct suppliers, what about their sub-contractors? Applying effective supply-chain security means asking your suppliers to take similar steps in selecting their suppliers so that you have safe systems in place at every level.
Risks can take many forms. Suppliers may have failed to take adequate steps to secure their systems; they may have staff members who are careless in their handling of information; or there may be someone in the organisation with malicious intent. While we tend to focus our concern on personal information, thanks to legislation such as GDPR, remember that other types of data, such as that relating to research & development projects, can be valuable to competitors and therefore also needs to be properly guarded.
Understanding what data you hold, and to what types of threat it may be subject, is a crucial step towards keeping your systems secure. It’s therefore useful to build up a risk profile for each supplier that you deal with.
This profile should take account of the type of service or product they are providing, the nature of any information they hold or which you share with them, and the potential for damage or disruption to your business in the event of a breach of their systems. Understanding this information will help you to manage suppliers and ensure that you have key information to hand in the event of a problem.
Once you understand the risks posed by your supply chain, you can take steps to control those risks. You can ensure that your suppliers understand their responsibility to protect your information, and identify any that are not meeting your security requirements.
In negotiating contracts with new suppliers, you should set out security standards to be followed, and include clauses that specifically support your security risk tolerance. These should be based upon your assessment of the risk posed and should be proportionate to the nature of the supply. For example, suppliers needing only occasional access to systems may not need to be subject to such rigorous security measures.
Security requirements should be documented as part of the contract and it should be a requirement that similar measures are applied by the supplier to its sub-contractors. If you need guidance in setting these requirements, the National Cyber Security Centre’s Cyber Essentials offers advice on the most common threats and how to guard against them.
There are certain steps that should be applied across the supply chain, but obviously, different systems have different requirements. A research & development system will need different security measures from one dealing with customer details, for example. Outsourced legal or marketing functions will warrant the incorporation of contractual clauses covering controller-to-processor transfers of personal data sets.
At a minimum, suppliers should be asked to implement security monitoring on their systems. They should also have an incident response plan in place to deal with any breaches that arise. For systems dealing with sensitive information, you may want to look at an approach in line with ISO 27001. In these circumstances, you may also wish to look at screening for staff who will handle equipment and data, and provide them with training to ensure that they understand the risks and the proper, safe handling of information.
Where cloud services are used, it’s vital to understand that you can never delegate responsibility for security to the cloud provider. You must have your own measures in place to make sure data stored in the cloud is properly protected.
Finally, the world of cyber threats is a constantly changing one, so securing your supply chain can never stand still. You need to continually review your risk and adapt your security measures accordingly.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.