Cyber security questions to ask your supply chain

August 16th, 2021 Posted in Information Security

What questions should you ask your supply chain?

Over the last decade, the traditional cyber security approach has undergone a gradual but colossal overhaul. Cyber security used to be about protecting your company’s four walls. This was commonly known as the ‘castle and moat’ approach: companies built up their cyber security defences to stop malicious actors from getting into their infrastructure, and then trusted everyone who was inside.

However, as cloud-based services have become cheaper and easier to manage, this approach is no longer fit for purpose. For one, the traditional castle is now obsolete. With more people working remotely, and data being stored in the cloud, protection needs to extend far beyond the traditional four walls. Companies are also increasingly inter-operating with one another. The castle and moat approach has therefore run its course, and organisations are adopting new models of cyber security. Zero trust is an increasingly common model which, at its simplest, can be summed up in the phrase: “trust no one, verify everyone.” Moreover, the international standard for information security, ISO 27001, has a dedicated section on managing supplier relationships.

The increasing connectedness of businesses

In both the consumer and business worlds, digitalisation has instilled greater expectations around agility, flexibility and resilience. To meet these expectations, companies have had to start relying more on each other. In the physical world, this takes the form of outsourcing to warehouses and logistics providers. In the digital world, companies are taking advantage of outsourcing services including payroll, data storage, cloud-based software and IT management.  

In doing so, more and more data are being shared between organisations, and the digital connections between them are stronger than ever. If you think of your own company, chances are you will have several suppliers. These could provide payroll solutions, customer relationship management solutions, or even cloud storage services. Because supply chains are now more integrated, if just one of your partners is breached, then you could be too.  

This isn’t just a theoretical occurrence either. Just last month, the IT management software provider Kaseya suffered a ransomware attack, and so did thousands of its clients. For malicious attackers, supply chain attacks are lucrative and attractive. Rather than stealing data from just one company, they can potentially gain access to multiple organisations following the initial attack.

No matter how large or small your business is, if one of your suppliers is breached, you could suffer the consequences. To make matters more complex, you need to bear in mind that, in the same way that your company has a supply chain, so too does your supplier. Essentially, companies are becoming a digital web of data links and connections. If a hacker gets in anywhere in that web, the scale of damage could be huge.

This growing threat makes supply chain security an imperative for organisations of all shapes and sizes. The picture isn’t all doom and gloom either. Supply chain cyber security isn’t just about limiting damage, it’s also about boosting brand perception. If your company can provide assurance to partners and clients that your supply chain is managed, then you can build confidence and improve relationships. As well as this, to gain accreditation for ISO 27001, supply chain cyber assurance is mandated.  

Tackling the challenge

Clearly then, supply chains matter more than ever, and data is being accessed and flowing throughout the supplier chain from you to your supplier, to their suppliers, and beyond. This creates risk. If the data includes personal data, then the risk is also a legal compliance risk, as you could find yourself in breach of the GDPR or equivalent data protection and privacy laws.

Given the risk to your organisation, your customers and the people whose personal data you process, you should follow these steps to identify and manage supply chain risks:

Define your risk tolerance  

The first step in any supply chain security programme is to create a map of what your supply chain looks like. From there, you should assess the importance of each individual supplier to your operations. Just as importantly, you should think about the potential risks each supplier introduces. For example, if a supplier processes sensitive company data, then they are likely high-risk to your organisation.

In line with assessing the risks, you should also define the criteria that would make you comfortable continuing your relationship with your supplier(s). These may include meeting certain accreditations (see our guide to Cyber Essentials here), conducting regular penetration testing and using particular solutions to protect sensitive data.

To help you understand more about how to assess these risks, and define working relationship criteria, we recommend you read our Supply Chain Security guide, which gives a detailed overview of best practices for working with suppliers.  

The right questions to ask your supply chain

Once you’ve established what you expect from your suppliers, it’s time to check whether or not they meet your requirements. As the National Cyber Security Centre (“NCSC”) recommends, you should begin a dialogue with your suppliers to understand their security approaches.  

To help with this process, the NCSC has developed a set of supplier-focused cyber security questions, which you can use to frame your discussion. It’s important to note that these questions are not a checklist, but more a way to bring structure to a complex topic.   

The questions align with the NCSC’s 12 supply chain security principles, which we also advise reading as you approach this topic. The questions, of course, are written for broad enterprise use. This means you may wish to tailor some of the questions, or will not find all of them relevant, depending on your company’s sector and circumstances. 

As well as the NCSC’s questions, we also advise you review NIST 800-161. This proposes an approach to supply chain cybersecurity that covers 4 stages across 3 tiers. The first two stages, ‘Frame’ and ‘Assess’, offer useful guidance that can help you to establish both your risk tolerance and the questions you need to ask.  

Evaluating the responses you receive 

Once your suppliers have answered your questions, you will need to assess, first, whether the answers are satisfactory and, second, whether they fit within your level of risk tolerance. The significance of a supplier to your business may sway your level of risk tolerance, meaning it’s unlikely you will take a blanket approach to evaluating suppliers.

For example, factors such as whether a supplier provides a unique service, the amount of sensitive data they hold, and whether they are directly connected to your IT resources will all need to be taken into consideration.

Make the activity cyclical  

Lastly, we advise you to revisit these questions on a regular basis. Just as your business changes over time, so too will your suppliers. So, it’s important to re-assess supplier risk profiles on a regular basis. If your supplier undergoes a major IT change or your relationship with them changes in any way, then you should review your current arrangements.  
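The steps above (map suppliers, rate their inherent risk, define tier-specific criteria, evaluate responses, and re-review periodically or after a major change) can be kept in a simple supplier risk register. The following is an added illustration written for this article, not Evalian’s SupplyIQ tool or any NCSC/NIST artefact; the weights, tier thresholds, criteria names and review intervals are assumptions to adjust to your own risk tolerance, and the two suppliers are constructed samples.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Risk drivers the article names: personal/sensitive data, a unique service,
# a direct connection to your IT estate. The weights are an assumed scheme.
WEIGHTS = {"personal_data": 3, "sensitive_data": 2,
           "unique_service": 2, "direct_it_access": 3}

# Evidence expected from a supplier in each tier (assumed criteria, not a
# standard's list; align them with the questions you actually ask).
CRITERIA = {
    "low": {"accreditation"},
    "medium": {"accreditation", "annual_pentest"},
    "high": {"accreditation", "annual_pentest",
             "data_encrypted_at_rest", "incident_notification_sla"},
}
REVIEW_INTERVAL = {"low": timedelta(days=365), "medium": timedelta(days=365),
                   "high": timedelta(days=180)}
AS_OF = date(2021, 8, 16)  # "today" for the samples: the article's date

@dataclass
class Supplier:
    name: str
    personal_data: bool = False
    sensitive_data: bool = False
    unique_service: bool = False
    direct_it_access: bool = False
    controls: set = field(default_factory=set)  # controls the supplier evidenced
    last_reviewed: Optional[date] = None
    major_change: bool = False  # major IT change or changed relationship

def tier(s: Supplier) -> str:
    """Inherent-risk tier from the supplier's profile, before any answers."""
    score = sum(w for k, w in WEIGHTS.items() if getattr(s, k))
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def evaluate(s: Supplier, today: date) -> dict:
    """Compare evidenced controls with the tier's criteria; flag re-reviews."""
    t = tier(s)
    gaps = sorted(CRITERIA[t] - s.controls)
    overdue = s.last_reviewed is None or today - s.last_reviewed >= REVIEW_INTERVAL[t]
    return {"tier": t, "gaps": gaps, "acceptable": not gaps,
            "review_due": overdue or s.major_change}

# Constructed sample suppliers (not real companies).
PAYROLL = Supplier("payroll-provider", personal_data=True, sensitive_data=True,
                   controls={"accreditation"}, last_reviewed=date(2021, 1, 10))
MSP = Supplier("it-msp", sensitive_data=True, unique_service=True, direct_it_access=True,
               controls=set(CRITERIA["high"]), last_reviewed=date(2021, 1, 10))
```

Run `evaluate(PAYROLL, AS_OF)` to see the payroll provider land in the medium tier with a missing pentest, and `evaluate(MSP, AS_OF)` to see the managed service provider pass its high-tier criteria but fall due for its six-monthly re-review.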

We provide a range of supply chain security services and can help you streamline your onboarding process and shorten your sales cycles. Our experts use their skills and knowledge to help you manage your supply chain’s security risk as well as our in-house developed tool, SupplyIQ, to give you visibility over the risk and access to one dashboard overseeing your suppliers.

Need to talk to us about supply chain security?

With the increasing interconnection of business, managing third-party suppliers is becoming a complex and sprawling issue, opening further avenues of risk. Limited resources and the availability of adequate expertise on this subject are proving to be a key challenge. If you need support and direction in managing your third-party supply chain, call us for a no-obligation chat.

We can provide several different solutions that can be tailored to your business to support the management of your supply chain security.


Written by Matt Gerry

Matt consults on information and cyber security, including incident response, security awareness and training, security gap analysis and certification advisory. Matt started his career working in large multinationals where he gained experience delivering large system implementations, leading projects, and handling key stakeholder relations. He holds an MSc in Information Security from Royal Holloway, University of London.