12 steps to supply chain security that will help you grow your business

Talk of cyber security often puts the onus on you and your business, but an attack on your suppliers can be just as damaging. As part of SoGlos’s #CyberGlos campaign, we highlight 12 steps to secure your supply chain and secure more business too.

Working with your supply chain can help protect your company from cyber attacks and build a reputation that ultimately wins you more business.

Securing a supply chain can be hard because its complex nature makes it vulnerable, but the Government’s National Cyber Security Centre advises firms to start by talking to their suppliers and partners to understand what they are dealing with.

Building good relationships, exercising influence where you can and encouraging continuous improvement will improve security across your supply chain and help protect everyone connected by it.

And ultimately, as a trusted, cyber secure partner, it should help you win more business.


About the sponsors


Charles Russell Speechlys’ Cheltenham office advises regional, national and international clients ranging from multinational listed companies, government organisations, limited companies and partnerships to entrepreneurs, private individuals and their families and its dedicated technology team includes experts on data protection and cyber security.



Salus Cyber is a certified provider of world-class cybersecurity services, based in Cheltenham. It helps clients identify and manage their cyber risks proactively and effectively and is the cybersecurity partner of choice for industry-leading organisations throughout the UK and Europe.


The University of Gloucestershire is an integral part of the county’s cyber community. It was the first institution in the country to offer cyber security degree apprenticeships, and its undergraduate and postgraduate programmes are helping to develop specialists in this field.


1. Understand your supply chain

Until you have a clear picture of your supply chain, it will be difficult to establish which parts of it you can exercise any meaningful control over. Put together a list of all your suppliers and partners, and identify which ones are highest priority (in terms of risk) so you can concentrate your efforts on them. Begin with your highest priority direct suppliers.


2. Look for existing information

Your existing commodity suppliers might have already published information that will help you understand the security of their service. Make sure you understand the terms and conditions in your contract or licensing agreement and what parts of security each are responsible for.


3. Talk to your suppliers

Understand their current stance on security. How does that compare with what you have asked them to do? Ask them what they have asked of their subcontractors, paying particular attention to the parts of their organisation that handle your contract. If you understand your supply chain and the risks it faces, you will be able to identify any suppliers who fail to meet expectations.


4. Develop a common understanding with your suppliers

Make sure everyone in your supply chain knows the security responsibilities involved, and what subcontracting decisions you can delegate to them.


5. Build security considerations into your contract

Make it clear what you require and suggest that your suppliers do the same, where appropriate. Put in place supply chain security awareness and education for staff, and work with them to ensure the process is fit for purpose.


6. Consider commodity suppliers

When making decisions about commodity suppliers like cloud service providers, look for published information on their website that might help you understand whether they adequately meet your security requirements. Refer to the NCSC’s ‘cloud security guidance’ for more information on how to determine how confident you can be that a service is secure enough to handle your data.


7. Ask for evidence

Ask prospective suppliers to provide evidence of their approach to security, and their ability to meet the minimum security requirements you have set at different stages of the contract competition. Minimum security requirements should be proportionate to the risk for each supplier. Ensure standards are justified, achievable and will not put off suppliers.


8. Avoid creating unnecessary barriers

Be prepared to recognise any existing security practices or certifications a supplier might have that could demonstrate how they meet your minimum security requirements.


9. Provide guidance and help your suppliers

Enable them to effectively manage supply chain risk to your requirements. If you are a supplier, make sure you meet the security requirements of your customers, including challenging customers and partners for guidance when it’s not provided.


10. Be ready to provide assistance

If there is a security incident in your supply chain, which could affect your business or the wider supply chain, your contract should include requirements for managing and reporting such incidents.


11. Act on any concerns

Act on any concerns, whether they come from your own performance monitoring or from reporting by suppliers that suggests the current approaches are not working as effectively as planned.


12. Plan for the end

Ensure contracts clearly set out requirements for the return and deletion of your information and assets by a supplier when a contract comes to an end.


By Andrew Merrell


This article is part of SoGlos’s #CyberGlos campaign, supported by Salus Cyber, Charles Russell Speechlys and the University of Gloucestershire, to champion cyber-related business stories in Gloucestershire. Visit soglos.com/cyberglos for more information.

Follow SoGlos on LinkedIn and sign-up to the weekly SoGlos business newsletter for the very latest Gloucestershire business news stories.

© SoGlos
Wednesday 22 September 2021
