What is Supplier Due Diligence and Why is it Important?

Written by Cyber Tec Security
Sep 22, 2022 - 6 minute read

Performing supplier due diligence is essential for any company entering into a new working relationship with a supplier to reduce risk exposure...

Performing supplier due diligence is an integral part of every supplier relationship to ensure you’re mitigating any potential risks for your company and the rest of your supply chain. 


Managing supply chain risk nowadays is no easy feat, with some companies working with thousands of suppliers. But the size and complexity of these supply chains make it all the more critical that companies properly review both potential and current suppliers on an ongoing basis. 




Doing supplier due diligence can help organisations gain better visibility of their supply chain and stay on top of any security issues that might leave one of their suppliers vulnerable to a breach. Failure to do so may result in supply chain attacks like that of SolarWinds or Kaseya.


Onboarding Suppliers


Whenever your company is planning to work with a new supplier, properly vetting them becomes a key step in the process. You want to make sure that the supplier company is legitimate and equipped to deliver the required services. 


1. Check General Business Details


One of the first things you can do as part of this due diligence is to research the company. You can start by checking its details on Companies House or verifying its VAT number here. Checking business registrations, location, contact details and any public documents will help to prove the company’s legitimacy, which is essential before anything else. 




2. Get a second opinion 


Just as you read reviews for any new business you buy from as a consumer, you’ll want to speak to some of the supplier’s existing and past customers to get a sense of the quality of service they offer and reduce any potential reputational risks. 


There’s usually plenty to find publicly online about a company so you can be as detailed as you like with this, looking at reviews, testimonials and even social media mentions of the company. Of course, if there is nothing but complaints, this is probably not a supplier you want to work with. 


3. Verify accreditations and other certificates


If the supplier claims to have any sort of accreditation or certification, you should check with the body or organisation that awarded it to ensure that it is legitimate and still valid. This is especially important if it’s something you have made part of your supplier requirements.


4. Check financial information


Companies you do business with should be financially sound, so part of your supplier due diligence will involve checking these financials. Review credit history, insurance details, financial reports and important tax documents before onboarding any new supplier. 




Assessing Security Risks


Software supply chain attacks targeted 3 in 5 companies in 2021 with over half of those facing a significant or at least moderately impactful attack. Just one weak link in your supply chain can make your company vulnerable to these sorts of attacks, which is why it’s essential to be diligent about assessing a supplier’s security posture, including their processes and policies, before entering into a working relationship. 


When a company uses a supplier, it will often share customer and business data so that the supplier can carry out the required services, but the more accessible this data becomes, the more vulnerable it is. 


Data protection and cyber security practices are often neglected during the procurement process because of a lack of due diligence, but the time saved is not worth the potential fallout should your supplier’s security, or lack thereof, cause a cyber incident. 


Conducting risk assessments and performing this due diligence will go a long way towards protecting your company and wider supply chain from these kinds of attacks. 


Check Suppliers are Compliant with Data Protection Legislation 


If you’re handling the personal data of those within the EU, you must be compliant with the General Data Protection Regulation (GDPR). This will extend to any companies you work with that have access to that data. 


Checking the GDPR compliance of your suppliers is essential if you want to avoid a hefty fine from the ICO (infringements of GDPR policy can result in fines of up to 4% of a company’s annual turnover!).


Review Policies


Documenting practices and procedures in the form of written policies is a great way of communicating them internally to your company workforce, but these policies also demonstrate your commitment to cyber security to companies you might work with.


It’s a good idea to ask your potential supplier which policies, if any, they maintain, to get a sense of whether they follow best practices and have good cyber security awareness. 




They might have password policies, home working policies, patching policies, or incident response and business continuity plans. You may like to ask what the company’s process is for maintaining and updating these policies too. 


Access Control


As previously mentioned, the more people who have access to data, the more vulnerable it is. If you’re sharing data with a supplier, it’s a good idea to get an understanding of their access control policies. 


Who will be granted access to your data? Will any sub-contractors of theirs require access too? Keeping an up-to-date list of users will help you keep track of how that data is being accessed and make it easier to carry out disaster recovery should a breach occur. 


Set Your Own Baseline


If you want a quicker way of establishing how secure your potential supplier is and what their approach to cyber security is, you may wish to lay out your own security requirements in a supplier policy that every supplier you work with must meet. 


These requirements can be ongoing throughout your working relationship; for example, you might require your suppliers to undergo annual penetration tests or vulnerability tests and share the reports with you. 


Using an existing security standard or framework is a straightforward way for potential suppliers to demonstrate they meet the requirements and expectations set out. 




Common ones include Cyber Essentials, ISO 27001 or NIST, but there may also be more specific standards to point to depending on the industry your company operates in. 


Ongoing Supplier Due Diligence


Supplier due diligence is not just a tick-box exercise for onboarding a supplier; it’s an ongoing process. New supplier risks and vulnerabilities can develop at any time, so it’s a good idea to have a process for regularly monitoring and re-assessing the suppliers your company works with. 


Commit to periodic reviews with each supplier to ensure supplier policies and contracts are still being adhered to and any new information or changes have been accounted for. 




By conducting supplier due diligence your company can assess and reduce the strategic, financial, regulatory, and reputational risks that can come into play when a new working relationship develops. By performing this due diligence early on and keeping it going throughout the partnership, you give your company added protection and security and ultimately save costs and improve the satisfaction of your customers.