Mitigating Supply Chain Risk

Published on 14/06/2022

According to the UK Government Cyber Security Breaches Survey 2022, “only 13% of businesses assessed the risks posed by their immediate suppliers, with organisations saying that cyber security was not an important factor in the procurement process.”

When it comes to cyber security, the majority of our efforts are usually focused on what we can do internally to protect our organisations. However, as the finding above demonstrates, supply chains are a key area of consideration when it comes to minimising your organisation's attack surface: a compromised supplier can become an entry point into your own systems and data.

As supply chains grow, evolve and become more complex, the need to secure your supply chain increases. The larger and more complex your supply chain becomes, the easier it is for vulnerabilities to be introduced and the harder it becomes to detect them.

To provide clearer oversight of your supply chain and help you establish control, SES has laid out a simple four-step process:

1. Understand Where Your Risks Lie

It is important to understand the risk your external suppliers present to minimise it. Some questions to answer include: 

  • What is their level of involvement in your supply chain? Is the involvement nominal? Or are your suppliers deeply ingrained into the process of delivering your product or service?
  • What measures do your suppliers take to secure their organisation against cyber threats? Are they Cyber Essentials / Cyber Essentials Plus certified? Do they engage in regular external auditing of their security? Do they have an Incident Response Plan in place? 
  • What would the impact be if one of your suppliers failed to properly secure their systems and your customers' information was exposed as a result?

2. Gain Control Of Your Supply Chain

Once you have an in-depth understanding of your supply chain, you will be able to analyse where the potential risks lie and gain control. This will involve: 

  • Identifying suppliers which continually fail to meet your security expectations.
  • Identifying critical assets which exhibit over-reliance on a single supplier. This will demonstrate where you need to build further diversity and redundancy into your planning.

Setting and documenting minimum security standards for your suppliers to adhere to will help you maintain your security posture and ensure you remain compliant with relevant regulations. 

It is essential that your suppliers, along with anyone they subcontract to, understand their responsibility to provide appropriate protection for your information, products and services, and the implications of failing to do so. Producing guidelines for the suppliers you intend to onboard will provide them with the security benchmark they need to achieve to work with you. Prospective suppliers should also provide evidence of their approach to security and their ability to meet the minimum security requirements you have established.

3. Check Your Arrangements 

In addition to providing clear guidelines on security standards for organisations which are part of your supply chain, it is also important to check that these arrangements are being followed correctly. This can be achieved in several ways. 

  • Require suppliers who are integral to your supply chain to provide reports of their security performance, and build the right to audit into all contracts with them.
  • Build justified assurance requirements into your security requirements for suppliers. These can include Cyber Essentials and Cyber Essentials Plus certification, penetration testing and external auditing of your suppliers' security.
  • Establish key performance indicators to measure the security of your supply chain management practices on an ongoing basis.

4. Continuous Improvement

As your organisation grows and your supply chain evolves, your security must evolve alongside it. 

Whilst it is important to allow time for your current suppliers to make the necessary improvements to their security, so as to avoid damaging existing relationships, it is also important that your suppliers provide timescales and plans for how they intend to make the required changes. In some instances, they may need your assistance to implement the necessary changes.

Provide advance warning of any changes you are planning to make to your products and services, and encourage existing suppliers to continue improving their security arrangements, emphasising how this might enable them to compete for and win future contracts with you. This will also help you to grow your supply chain and your choice of potential suppliers.

This article is intended as a simple guide to help you improve the security of your organisation's supply chain and your organisation's overall resilience against malicious threats. To discuss how you can implement the points featured in this article, or any other security queries you may have, please get in touch to speak to one of our specialists.

© SES Secure Limited, 2022. Unauthorised use and/or duplication of this material without express and written permission from this site's author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to SES Secure Limited, with appropriate and specific direction to the original content.