Where would you be without your suppliers? Well, you simply wouldn’t be able to deliver your products and services with the speed, functionality and effectiveness that your customers need. You need them and they need you.
Unfortunately, whatever your industry or the size of your company, working with third-parties is always going to present its risks, particularly in terms of cybersecurity. Suppliers that are exposing vulnerabilities can wreak havoc for your organisation and supply chain. Making sure these vulnerabilities are addressed before they cause a problem should be a number one priority for your business.
Luckily, there are plenty of things you can do to reduce the risk with your suppliers. We’ve put together the top 5 ways you can mitigate the threats and improve your overall supply chain security.
Conduct Risk Assessments
So you know your supplier presents a potential risk to your security, but how do you uncover what these are?
It's important to carry out risk assessments as a natural part of the contracting process when you take on a new supplier, to ensure you identify and address any issues quickly and effectively. Every third party should be vetted, no matter how big or small their role in your supply chain, but naturally certain suppliers will require more formal risk assessments and higher expectations might need to be met to ensure your supply chain is secure.
To establish how great a security risk each supplier is to you, you'll have to consider a few different factors:
Data Sharing
Are you sharing your data with the supplier? Are they sharing it with their own suppliers or clients?
Data Sensitivity
Are the information and assets you're sharing with that supplier very sensitive e.g. customer data?
Frequency of Business
How often are you working with the supplier? Are they part of your immediate supply chain or are they an ad-hoc supplier you rarely use?
Supplier Security
What policies and processes does the supplier currently have in place to assure security? Do they have security controls in place and are they following cybersecurity best practices?
These are just some of the general considerations when assessing the level of risk your supplier poses to your business and supply chain. By determining the probability of compromises and breaches, you can begin to address any supply chain security issues and decide what requirements you need to set each supplier for working with you.
❗️Extra Tip❗️When you are conducting risk assessments, it can be a good idea to separate your suppliers or potential suppliers into risk categories to make the following stages easier. Place them into high, medium or low risk based on your risk criteria.
Impose Security Requirements
The next logical step after evaluating your Supply Chain risk is deciding what level of security you need your suppliers in each risk category to maintain. These requirements should be properly outlined in your Supplier policy when contracting new suppliers.
Your expectations will likely vary depending on the type of contract and how serious a risk they are, so it's important when setting them to bear in mind the risk assessments you've done, as well as making sure they're realistic and achievable for that supplier.
There are lots of different security expectations you might set for a supplier, from GDPR plans to Social Media and Internet Usage policies, Data Management to Cybersecurity Training. Often, a business will require a certain standard to be met, which can be demonstrated by achieving a certification. Popular options include ISO27001, NIST or Cyber Essentials.
Cyber Essentials is a particularly useful standard when working with suppliers in different risk categories as there are two levels of the certification. Your more high-risk suppliers can achieve the Cyber Essentials Plus certification, involving a qualified Certification Body actually checking IT & security controls as well as carrying out vulnerability analyses on the company's infrastructure. It's not always easy to manage a whole supply chain so we offer a free-of-charge certification service for your Supply Chain, working with you to introduce suppliers to Cyber Essentials and help them to achieve the standard.
Practice What You Preach
To improve your supply chain security, you should obviously require your suppliers to meet appropriate security standards, but your business should be meeting them too.
A good, trusted relationship with suppliers involves transparency, so show your suppliers that you are meeting any security responsibilities you are enforcing upon them. You are just as much a part of your Supply Chain as all your suppliers so it is important to uphold good cybersecurity measures as well as instructing suppliers to do the same.
Similarly, ensure your suppliers are supported if they need to take action in order to meet your security requirements, whether that be directing them to the right Certification Body or Security Software Provider or just providing general guidance and information as and when it's needed.
Cybersecurity Training
Cybersecurity is a people problem as much as it is a technology one. With human error still the main cause of cyber attacks, making both your own employees and those within your suppliers' organisations aware of common cyber threats and how to respond to them can do wonders for your Supply Chain Security.
You can make employee cybersecurity training part of the security requirements within your supplier policy or just encourage awareness by distributing helpful collateral, resources and general cybersecurity advice throughout your Supply Chain. KnowBe4 is a great platform for businesses to access security awareness training.
You want might want to make sure that any supplier taking on new personnel, ensures they are made aware of the company's security policies as well as the expectations you have set for that supplier. Any employee that could be handling your data or accessing your systems is a risk if they are not properly trained in cybersecurity best practices.
Some useful cybersecurity training topics could include:
- Spotting different cyber threats
- How to respond to threats
- Importance of password security
- Use of email, internet and social media
- How to handle company data
Secure Transfer of Data
As modern-day businesses, we collect, retain and share an incredible amount of data. Some of this data is fairly unimportant and some of it is very sensitive and personal in nature - this is the kind of data that's valuable which means cybercriminals are always looking for a way to get to it.
Naturally, many of your suppliers will need to access or hold certain data to be able to properly deliver the products and services that you need from them, so it is vital that information is transferred securely and only accessed by those authorised.
So how do you do this?
Data classification can help you establish control over data flowing through your supply chain. You want to make sure that sensitive data is stored, labelled and deleted as per the specific requirements of the organisation.
Identify and Locate Data
Make sure you know where all your data is stored electronically, including within your suppliers' systems and data backup systems.
Classify
There will be different kinds of data that your business deals with and shares with third-parties, ranging from publicly accessible data all the way to highly sensitive personal data like payment information or health records.
Determine Value
Look at all the data you share and consider its importance. What would be the consequences if this data got leaked, tampered with or deleted? Would you face regulatory fines? Incur revenue losses? Would it impact you operationally?
Managing your data well and knowing exactly what's being shared with which suppliers will make it much harder for important information to fall into the wrong hands.
You'll also need to ensure you have a secure channel for transferring data to your suppliers, encrypting the data to minimise risk and preventing data loss in transit.
So to conclude...
Securing your Supply Chain isn't going to happen overnight.
It's an ongoing process that requires regularly reviewing the way you do things, making sure you're evolving the process as your business, industry, and the world of cybercrime does the same.
Establishing control over your Supply Chain by assessing each supplier's risk level and setting security requirements that are proportional is the best way to improve your supply chain security and reduce your chances of being targeted in a supply chain attack.
Most importantly, remember that being part of the same supply chain means you're interconnected - their security gaps are your security gaps and vice versa. Clear communication with your suppliers and raising their awareness around the importance of good cybersecurity will reinforce a common interest to reduce the cyber threat for your supply chain.