Important security questions to ask your supply chain

August 16th, 2021 Posted in Business Continuity, Information Security

Do you know what questions to ask your supply chain? Marcus Chambers, senior security consultant at Evalian, outlines the important security measures to consider when working with third-party suppliers.

Over the last decade, the traditional cyber security approach has seen a gradual but colossal overhaul. Cyber security used to be about protecting your company’s four walls. This was commonly known as the ‘castle and moat’ approach, whereby companies built up their cyber security defences to stop malicious actors from getting into their infrastructure, and then trusted everyone who was inside. 

However, as cloud-based services have become cheaper and easier to manage, this approach is no longer fit for purpose. For one, the traditional castle is now obsolete. With more people working remotely, and data being stored in the cloud, protection needs to expand far beyond the traditional four walls. As well as this, though, companies are increasingly inter-operating. 

The increasing connectedness of businesses

In both the consumer and business worlds, digitalisation has instilled greater expectations around agility, flexibility and resilience. To meet these expectations, companies have had to start relying more on each other. In the physical world, this takes the form of outsourcing to warehouses and logistics providers. In the digital world, companies are taking advantage of outsourcing services including payroll, data storage, cloud-based software and IT management.  

In doing so, more and more data are being shared between organisations, and the digital connections between them are stronger than ever. If you think of your own company, chances are you will have several suppliers. These could provide payroll solutions, customer relationship management solutions, or even cloud storage services. Because supply chains are now more integrated, if just one of your partners is breached, then you could be too.  

This isn’t just a theoretical occurrence either. Just last month, the IT management software provider Kaseya suffered a ransomware attack – and so did thousands of its clients. For malicious attackers, supply chain attacks are lucrative and attractive: rather than stealing data from one company, they can potentially gain access to multiple organisations following the initial attack.

No matter how large or small your business is, if one of your suppliers is breached, you could suffer the consequences. To make matters more complex, bear in mind that, in the same way that your company has a supply chain, so too does your supplier. Essentially, companies are becoming a digital web of data links and connections. If a hacker gets in anywhere in that web, the scale of damage could be huge.

This growing threat makes supply chain security an imperative for organisations of all shapes and sizes. The picture isn’t all doom and gloom either. Supply chain cyber security isn’t just about limiting damage, it’s also about boosting brand perception. If your company can provide assurance to partners and clients that your supply chain is managed, then you can build confidence and improve relationships. As well as this, to gain accreditation for ISO 27001, supply chain cyber assurance is mandated.  

Tackling the challenge

Clearly, then, supply chains matter more than ever, and data is being accessed and flows throughout the chain from you to your supplier, to their suppliers, and beyond. This creates risk. If the data includes personal data, then the risk is also a legal compliance risk, as you could find yourself in breach of the GDPR or equivalent data protection and privacy laws.

Given the risk to your organisation, to your customers and to the people whose personal data you process, you should follow these steps to identify and manage supply chain risks:

Define your risk tolerance  

The first step in any supply chain security programme is to create a map of what your supply chain looks like. From there, you should assess the importance of each individual supplier to your operations. Importantly, too, you should think about the potential risks of each supplier. For example, if your supplier processes sensitive company data, then they are likely high-risk to your organisation.  

In line with assessing the risks, you should also think about the criteria that would make you comfortable continuing your relationship with your supplier(s). This may include them holding certain accreditations (see our guide to Cyber Essentials), conducting regular penetration testing and using certain solutions to protect sensitive data.

To help you understand more about how to assess these risks, and define working relationship criteria, we recommend you read our Supply Chain Security guide, which gives a detailed overview of best practices for working with suppliers.  

The right questions to ask your supply chain

Once you’ve established what you expect from your suppliers, it’s time to check whether or not they meet your requirements. As the National Cyber Security Centre (“NCSC”) recommends, you should begin a dialogue with your suppliers to understand their security approaches.  

To help with this process, the NCSC has developed a set of supplier-focused cyber security questions, which you can use to frame your discussion. It’s important to note that these questions are not a checklist, but more a way to bring structure to a complex topic.   

The questions align with the NCSC’s 12 supply chain security principles, which we also advise reading as you approach this topic. The questions, of course, are written for broad enterprise use. This means you may wish to tailor some of the questions, or will not find all of them relevant, depending on your company’s sector and circumstances. 

As well as the NCSC’s questions, we also advise you review NIST 800-161. This proposes an approach to supply chain cybersecurity that covers 4 stages across 3 tiers. The first two stages, ‘Frame’ and ‘Assess’, offer useful guidance that can help you to establish both your risk tolerance and the questions you need to ask.  

Evaluating the responses you receive 

Once your suppliers have answered your questions, you will then need to assess whether these answers are, first, satisfactory and, second, within your level of risk tolerance. The significance of a supplier to your business may sway your risk tolerance for that supplier, meaning it’s unlikely you will take a blanket approach to evaluating suppliers.

For example, factors such as whether a supplier provides a unique service, the amount of sensitive data they hold, and whether they are directly connected to your IT resources will all need to be taken into consideration.

Make the activity cyclical  

Lastly, we advise you to revisit these questions on a regular basis. Just as your business changes over time, so too will your suppliers. So, it’s important to re-assess supplier risk profiles on a regular basis. If your supplier undergoes a major IT change or your relationship with them changes in any way, then you should review your current arrangements.  

Need help?

With the increasing interconnection of business, managing third-party suppliers is becoming a complex and sprawling issue, opening further avenues of risk. Limited resources and a shortage of adequate expertise in this area are proving to be a key challenge. If you need support and direction in managing your third-party supply chain, call us for a no-obligation chat.

Written by Marcus Chambers

Marcus is a senior security consultant specialising in cyber security, including strategy, security transformation, risk management, incident response and supply chain assurance. His career started in the British Army, where he delivered multifaceted operational solutions, often in austere settings. Since leaving the military, Marcus has worked in senior security consulting roles across numerous sectors. He has three Master's degrees, including an MSc in Information Security from Royal Holloway, University of London; he holds ISACA's CISM and CGEIT certifications; and he is a Chartered Engineer and a graduate of the British Military's esteemed Advanced Command and Staff Course.