Securing a supply chain can be hard, because its complex nature makes it vulnerable, but the Government’s National Cyber Security Centre advises firms to start by talking to their suppliers and partners to understand what they are dealing with.
Building good relationships, exercising influence where you can, and encouraging continuous improvement, will improve security across your supply chain and help protect everyone connected by it. And ultimately, as a trusted, cyber secure partner, it should help your Gloucestershire company win more business.
Understand your supply chain
Until you have a clear picture of your supply chain, it will prove tricky to establish what you will have any meaningful control over. Put together a list of all your suppliers and partners; identify which ones are highest priority in terms of risk to concentrate your efforts on; and begin with your highest priority direct suppliers.
Look for existing information
Your existing commodity suppliers might have already published information that will help you understand the security of their service. Make sure you understand the terms and conditions in your contract or licensing agreement, and which parts of security each party is responsible for.
Talk to your suppliers
Understand their current stance on security. How does that compare with what you have asked them to do? Ask them what they have asked of their subcontractors, paying particular attention to the parts of their organisation that handle your contract. If you understand your supply chain and the risks it faces, you will be able to identify any suppliers who fail to meet expectations.
Develop a common understanding with your suppliers
Make sure everyone in your supply chain knows the security responsibilities involved - and what subcontracting decisions you can delegate to them.
Build security considerations into your contract
Make it clear what you require and suggest that your suppliers do the same, where appropriate. Put in place supply chain security awareness and education for staff, and work with your suppliers to ensure the process is fit for purpose.
Consider commodity suppliers
When making decisions about commodity suppliers like cloud service providers, look for published information on their website that might help you understand whether they adequately meet your security requirements. Refer to the NCSC’s ‘cloud security guidance’ for more information on how to determine how confident you can be that a service is secure enough to handle your data.
Ask for evidence
Ask prospective suppliers to provide evidence of their approach to security and their ability to meet the minimum security requirements you have set at different stages of the contract competition. Minimum security requirements should be proportionate to the risk for each supplier. Ensure standards are justified, achievable and will not put off potential suppliers.
Avoid creating unnecessary barriers
Be prepared to recognise any existing security practices or certifications a supplier might have that could demonstrate how they meet your minimum security requirements.
Provide guidance and help your suppliers
Enable them to effectively manage supply chain risk to your requirements. If you are a supplier, make sure you meet the security requirements of your customers, including challenging customers - and ask partners for guidance when it’s not provided.
Report incidents
If there is a security incident in your supply chain, which could affect your business or the wider supply chain, your contract should include requirements for managing and reporting such incidents.
Act on any concerns
Act on any concerns, whether they arise through performance monitoring or through reporting from suppliers that suggests the current approaches are not working as effectively as planned.
Plan for when your contract ends
Ensure contracts clearly set out requirements for the return and deletion of your information and assets by a supplier when a contract comes to an end.