Most organisations rely on at least one third-party supplier to deliver products, systems and services, drawing on additional organisations and their capabilities to deliver enhanced service offerings. (This is a key reason SES has partnered with UKFast.)
However, as supply chains grow and become more complex, with multiple suppliers delivering different aspects of your product, securing them becomes harder. Vulnerabilities can be introduced and exploited at any point in the supply chain, causing significant damage and disruption to your business and potentially compromising you or your internal systems directly.
According to the Cyber Security Breaches Survey 2016, only 13% of businesses set security standards for their suppliers. With the rise in high-profile attacks and breaches in recent months, this is a very worrying statistic.
In addition, the introduction of GDPR legislation means that companies could now face fines of up to €20m or 4% of global annual turnover for the loss of Personally Identifiable Information (PII) for which you are the data controller. This is yet another reason to ensure the security of your supply chain.
To help you establish effective control and oversight of your supply chain, SES has created a four-step process, set out below:
It is difficult to establish any control over your supply chain until you fully understand it.
Begin by reviewing your suppliers and the level of protection they need to provide for your information or assets, for the products and services you deliver and for the wider supply chain. What would the impact be if one of your suppliers failed to secure their system and your customers' information was released? Or if one of your supplier's members of staff failed to properly handle or manage your information?
Once you have a better understanding of your supply chain and have gained better control over it, you will be able to analyse the strategic risk. This will help you to:
Ensure that your suppliers understand their responsibility to provide appropriate protection for your information, products and services, and the implications of failing to do so. If you allow your suppliers to subcontract your work, ensure that they require their subcontractors to adhere to the same security requirements.
Setting and documenting minimum security requirements for your suppliers to adhere to maintains your security posture and compliance. It is also important to produce guidance that helps the suppliers you intend to on-board manage these engagements.
Prospective suppliers should provide evidence of their approach to security and their ability to meet the minimum security requirements you have established.
Finally, whilst it is reasonable for your suppliers to manage security risks in accordance with the contract, you should be prepared to provide support and assistance where security incidents have the potential to affect your business or the wider supply chain.
In addition to providing clear guidelines on security standards for organisations that are part of your supply chain, it is also important to check that these arrangements are being followed correctly. This can be achieved in a number of ways.
As your organisation grows and changes, it is essential that your supply chain evolves with you.
Allow time for your current suppliers to achieve any necessary improvements to their security, to avoid jeopardising existing relationships, but require them to provide you with timescales and plans demonstrating how they intend to achieve the required changes.
Keep your suppliers notified of changes you are planning to your products and services and encourage existing suppliers to continue improving their security arrangements, emphasising how this might enable them to compete for and win future contracts with you. This will also help you to grow your supply chain and choice of potential suppliers.
This list is intended to serve as a simple guide to help you improve the security of your organisation's supply chain and strengthen your organisation's overall security against malicious threats. To discuss how you can implement the points featured in this article, or any other security queries you may have, please get in touch to speak to one of our specialists.
© SES Secure Limited and ses-escrow.co.uk, 2019. Unauthorised use and/or duplication of this material without express and written permission from this site's author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to SES Secure Limited and ses-escrow.co.uk, with appropriate and specific direction to the original content.