Working with your supply chain can help protect your company from cyber attacks and build a reputation, which ultimately wins you more business.
Securing a supply chain can be hard because its complex nature makes it vulnerable, but the Government’s National Cyber Security Centre advises firms to start by talking to their suppliers and partners to understand what they are dealing with.
Building good relationships, exercising influence where you can and encouraging continuous improvement will improve security across your supply chain and help protect everyone connected by it.
And ultimately, as a trusted, cyber secure partner, it should help you win more business.
Charles Russell Speechlys’ Cheltenham office advises regional, national and international clients ranging from multinational listed companies, government organisations, limited companies and partnerships to entrepreneurs, private individuals and their families. Its dedicated technology team includes experts on data protection and cyber security.
Salus Cyber is a certified provider of world-class cybersecurity services, based in Cheltenham. It helps clients identify and manage their cyber risks proactively and effectively and is the cybersecurity partner of choice for industry-leading organisations throughout the UK and Europe.
The University of Gloucestershire is an integral part of the county’s cyber community. It was the first institution in the country to offer cyber security degree apprenticeships, and its undergraduate and postgraduate programmes are helping to develop specialists in this field.
Until you have a clear picture of your supply chain, it will prove tricky to establish what you will be able to have any meaningful control over. Put together a list of all your suppliers and partners. Identify which ones are highest priority (in terms of risk) to concentrate your efforts on. Begin with your highest priority direct suppliers.
Your existing commodity suppliers might have already published information that will help you understand the security of their service. Make sure you understand the terms and conditions in your contract or licensing agreement and what parts of security each are responsible for.
Understand their current stance on security. How does that compare with what you have asked them to do? Ask them what they have asked of their subcontractors, paying particular attention to the parts of their organisation that handle your contract. If you understand your supply chain and the risks it faces, you will be able to identify any suppliers who fail to meet expectations.
Make sure everyone in your supply chain knows the security responsibilities involved, and what subcontracting decisions you can delegate to them.
Make it clear what you require and suggest that your suppliers do the same, where appropriate. Put in place supply chain security awareness and education for staff, and work with them to ensure the process is fit for purpose.
When making decisions about commodity suppliers like cloud service providers, look for published information on their website that might help you understand whether they adequately meet your security requirements. Refer to the NCSC’s ‘cloud security guidance’ for more information on how to determine how confident you can be that a service is secure enough to handle your data.
Ask prospective suppliers to provide evidence of their approach to security, and of their ability to meet the minimum security requirements you have set, at different stages of the contract competition. Minimum security requirements should be proportionate to the risk for each supplier. Ensure standards are justified, achievable and will not put off suppliers.
Be prepared to recognise any existing security practices or certifications a supplier might have that could demonstrate how they meet your minimum security requirements.
Enable suppliers to manage supply chain risk effectively, in line with your requirements. If you are a supplier, make sure you meet the security requirements of your customers, including challenging customers and partners for guidance when it is not provided.
Your contract should include requirements for managing and reporting any security incident in your supply chain that could affect your business or the wider supply chain.
Whether this is through performance monitoring or reporting from suppliers that may suggest the current approaches are not working as effectively as planned.
Ensure contracts clearly set out requirements for the return and deletion of your information and assets by a supplier when a contract comes to an end.
By Andrew Merrell
This article is part of SoGlos’s #CyberGlos campaign, supported by Salus Cyber, Charles Russell Speechlys and the University of Gloucestershire, to champion cyber-related business stories in Gloucestershire. Visit soglos.com/cyberglos for more information.
Wednesday 22 September 2021