The majority of organisations rely upon suppliers to deliver products, systems and services. It is important then to have a good awareness of supply chain cyber security. Today we aim to look into this in more detail to help in that endeavour. We will also outline some good practices small-to-medium organisations can adopt. Those with national security requirements must do more and our experts are on hand to offer guidance on that also. Contact us if you fall under that category and we’ll be glad to help.
Supply chains
These can be large and complex, with multiple suppliers delivering many different things. Securing the supply chain can therefore be very difficult. Vulnerabilities can either be pre-existing or introduced, and all can be exploited at any point in the chain, causing untold disruption.
Unfortunately, a great many organisations fail to place enough emphasis on securing their supply chains. The fact is, few businesses even set minimum security standards for suppliers.
In recent times there have been numerous high profile attacks on supply chains and this trend is growing. The need to take action is then of vital importance.
National Cyber Security Centre: 12 principles
Our friends at the NCSC have produced a set of guidelines to help organisations to gain the necessary level of control over the supply chain. Here we list those out under the 4 stages they have set out:
Understanding the risks
The first 3 principles are based around the gathering of information. This is crucial in order to understand how your supply chain works and what is required to control it.
- You must understand what needs to be protected and the reasons why
- Who sits within your supply chain? What security measures do they have in place?
- Then you’ll need to assess the risks posed by the arrangement of your chain
Establishing control
Taking control of the supply chain is critical and the next 6 principles lay out how to achieve this.
- Your view of the security needs must be communicated to all suppliers
- Establish minimum security requirements for the suppliers and communicate this clearly to each one
- Ensure that all your contracts contain security considerations; then require your suppliers to do the same
- You must meet all requirements beholden to you as a supplier and consumer
- Raise awareness within your supply chain
- Offer support for security incidents
Checking your arrangements
This stage is all about building confidence within the supply chain in the measures you have set out.
- The supply chain management must have security assurances built into it, such as cyber security certificates and penetration testing where required
Ensuring continuous improvement
The supply chain will evolve and therefore so should the security efforts.
- Encourage continued improvement and work with your suppliers to ensure this happens
- Build trust with all of your suppliers
In conclusion
Supply chain cyber security must be a key focus area for organisations large and small. Cyber-attacks against the supply chain are growing in number. They are ever-evolving too, which means your security frameworks need to do the same. Attacks can target third party software providers and data stores, as well as websites. The NCSC offers further reading on this with supply chain attack examples.
CRIBB Cyber Security is working harder than ever before to raise cyber awareness. As ‘frontline experts’, we are all too familiar with the damage and disruption cyber-attacks can cause. That is without even considering theft, fraud and insiders. You must have an IT security strategy in place, even if it ‘only’ contains the basic steps. You can read more CRIBB articles on key aspects of cyber security in our blog. Some of our most popular pieces are listed below but do contact us if you would like to have a deeper discussion.