12 steps to supply chain security that will help grow your Gloucestershire business

Talk of cyber security often puts the onus on you and your business, but an attack on your suppliers can be just as damaging. As part of SoGlos’s #CyberGlos campaign, we highlight 12 steps to secure your supply chain and secure more business too.

By Andrew Merrell  |  Published
Working with your supply chain can help protect your company from cyber attacks and build a strong reputation, which ultimately wins you more business.

Securing a supply chain can be hard, because its complexity makes it vulnerable, but the Government’s National Cyber Security Centre advises firms to start by talking to their suppliers and partners to understand what they are dealing with.

Building good relationships, exercising influence where you can, and encouraging continuous improvement, will improve security across your supply chain and help protect everyone connected by it. And ultimately, as a trusted, cyber secure partner, it should help your Gloucestershire company win more business.

Understand your supply chain

Until you have a clear picture of your supply chain, it will prove tricky to establish what you will have any meaningful control over. Put together a list of all your suppliers and partners; identify which ones are highest priority in terms of risk to concentrate your efforts on; and begin with your highest priority direct suppliers.

Look for existing information

Your existing commodity suppliers might have already published information that will help you understand the security of their service. Make sure you understand the terms and conditions in your contract or licensing agreement and what parts of security each are responsible for.

Talk to your suppliers

Understand their current stance on security. How does that compare with what you have asked them to do? Ask them what they have asked of their subcontractors, paying particular attention to the parts of their organisation that handle your contract. If you understand your supply chain and the risks it faces, you will be able to identify any suppliers who fail to meet expectations.

Develop a common understanding with your suppliers

Make sure everyone in your supply chain knows the security responsibilities involved - and what subcontracting decisions you can delegate to them.

Build security considerations into your contract

Make it clear what you require and suggest that your suppliers do the same, where appropriate. Put in place supply chain security awareness and education for staff, and work with them to ensure the process is fit for purpose.

Consider commodity suppliers

When making decisions about commodity suppliers like cloud service providers, look for published information on their website that might help you understand whether they adequately meet your security requirements. Refer to the NCSC’s ‘cloud security guidance’ for more information on how to determine how confident you can be that a service is secure enough to handle your data.

Ask for evidence

Ask prospective suppliers to provide evidence of their approach to security and their ability to meet the minimum security requirements you have set at different stages of the contract competition. Minimum security requirements should be proportionate to the risk for each supplier. Ensure standards are justified, achievable and will not put off potential suppliers.

Avoid creating unnecessary barriers

Be prepared to recognise any existing security practices or certifications a supplier might have that could demonstrate how they meet your minimum security requirements.

Provide guidance and help your suppliers

Enable them to effectively manage supply chain risk to your requirements. If you are a supplier, make sure you meet the security requirements of your customers, including challenging customers - and ask partners for guidance when it’s not provided.

Report incidents

Your contract should include requirements for managing and reporting any security incident in your supply chain that could affect your business or the wider supply chain.

Act on any concerns

Act on any concerns, whether they arise through performance monitoring or through reporting from suppliers, that suggest the current approaches are not working as effectively as planned.

Plan for when your contract ends

Ensure contracts clearly set out requirements for the return and deletion of your information and assets by a supplier when a contract comes to an end.
