The security of every business is dependent on the security of its suppliers.  From the PCs on peoples desks, to the servers in cloud, the firewalls in the office and the experts that connect to your network to tune your database or manage your servers.  A security failing at any of these suppliers could allow malicious actors or malware into your business.

What steps can you take to secure your supply chain and be confident that your suppliers are taking their cybersecurity every bit as seriously as you are?

Define the risks

You cannot control the risks you don’t know about, so the first phase is to understand the risks in your supply chain – both the things you buy and the services you hire that have access to your data or your network.

How much is it worth?

Begin by defining the sensitivity of the contract – the impact it could have on you and your customers if something goes wrong.  This is heavily influenced by the value of the information or assets that your suppliers will hold, have access to or handle during the contract.

Who is involved?

Next make sure you know who the suppliers are – not just the people you contract with directly but also their suppliers and sub-contractors.  How far down the supply chain you need to go will be a judgement call based on the risk and value of the contract.

For each supplier, assess the maturity and effectiveness of their current security arrangements – then you know if you need to ask them to make a change.  For example, are they PCI-DSS compliant or Cyber Essentials certified?

For an existing arrangement, has your supplier already put in place the security protections you asked for – and have they asked the same of their direct suppliers who could impact your contract?

Clarify the access (logical and physical) that your suppliers already have or will have to your premises, systems and data – and the controls that are in place to grant and revoke that access.

Finally understand how your immediate suppliers manage and control access to your systems and information assets both for their own staff and any sub-contractors.

What are the risks?

Now you should be in a better position to understand the risks posed by your suppliers and supply chain.  Is there a risk from malicious code being injected into source code (like happened to SolarWinds), or from people stealing data, or relaxed access controls which could be exploited by a malicious third party to ultimately gain access to your network.

Now you have a handle on the risks, you can define appropriate mitigations and develop a plan to get them implemented.  Some of the actions you will take, some you will require your suppliers to take.  Where you are asking your supplier to do something, ensure the contract provide a mechanism for you to validate they are doing what you asked.

Take Control

As your understanding and visibility into your supply chain improves, you will be able to identify any suppliers who fail to meet the security requirements you have asked of them and any critical assets or suppliers which you are overly reliant on.

We need to talk

Make sure your suppliers understand how seriously you take this stuff.  Ensure they understand their responsibility to protect your data and systems and the implications if they fail to do so.  (Hint: make sure the contract make provision for this).  Where you delegate some decision making to suppliers on security matters, ensure the criteria are clear for those situations they can handle themselves and which ones you want to be made aware of.

Set the bar

Set the bar, your minimum security requirements for your suppliers, at a level which is justified, proportionate and achievable (which includes being affordable within the commercial arrangement).

Establish a clear process for your supply to gain agreement to vary from the agreed standard and how compensating controls are agreed.

Put it in the contract

Supply Chain security needs to be part of your ‘business as usual’ process, not an afterthought.  So, build security considerations into your everyday contract and procurement processes.  Don’t forget to consider supplier off-boarding as well and how the end of a contract or the transfer of a service from one supplier to another is handled.

When considering any evidence that suppliers need to provide of their compliance, ensure it is proportionate to the value and duration of the contract and not so onerous that good suppliers decline to do business with you.

The best outcome is working with a supplier who has the same security mind-set as you and the security terms of the contract do not require much if any change in daily behaviour of your supplier – because they were already working that way.

Walk the talk

Where you are acting as a supplier, ensure you meet your own contractual obligations at all times – not just when the client is looking at you.  Report up to your client on the status of your security projects and pass down any changing requirements to your own sub-contractors.

Welcome any insights your customer might offer on your security practices and speak to them early about any challenges you have – so you can agree a remediation plan that works for both of you.

If your customer is not providing the guidance you need, be prepared to challenge them to provide it so you can both have the confidence that the measures in place are appropriate.

Raise awareness

Security Awareness training is not just for your staff – it is for the whole supply chain.  Talk to your suppliers in language they understand about security risks and encourage them to train key staff (in security, manufacturing, and procurement roles for example).  Perhaps joint training sessions with your own team will help build a unified view that security is everyone’s problem to solve.

Help when it goes wrong

Something will go wrong.  Provide support for your suppliers when this happens if a security incident in their business could threaten your supply chain.

Make disclosure timelines and expected levels of detail clear in the contract, especially if personal data is involved and have a clear plan for meeting the tight GDPR timescales for reporting a breach to the Information Commissioner if needed.

Learn from the problems and share these lessons with your wider supply chain.

Trust but verify

Build a ‘right to audit’ into your contracts with your suppliers and ensure they do the same down the supply chain to their sub-contractors.

Include regular reporting of key security metrics into the contract which can help minimise the cost and disruption of regular supplier audits – when you can see from the KPI that things are going as they should, you need to verify less frequently.

Everyone can have more confidence in your supplier’s security arrangements if they adhere to a well know security framework such as Cyber Essentials – or Cyber Essentials Plus if pen-testing is justified.  For a more encompassing security framework IASME Governance provides a similar level of assurance for ISO 27001 but is simpler and usually cheaper for small and medium sized organisations to implement.

You can do better

Encourage a culture of continuous improvement in your suppliers security operations – and your own. Provide advice and guidance to your suppliers to help them improve and avoid creating unnecessary barriers to their improvement.  Security projects take time to complete, provide your suppliers with the time they need to do the job properly – asking them to share their plans with you and keep you updated on their progress.

Supply chain security is a shared issue – partner with your suppliers in a way that means both your businesses are more secure and resilient to cyber risks.

Further reading

Supply Chain Attack examples from the NCSC

NCSC Guidance on Assessing Supply Chain Security

NCSC Guidance on Risk Management

Centre for the Protection of National Infrastructure (CPNI) – Personnel Security Maturity Model

CPNI Insider Risk Assessment

CPNI Operational Requirements