Monthly briefing April 2024


Authored by Securious.

Is there a weak cyber security link in your supply chain?

Supply chain risk management involves identifying, assessing, and mitigating potential disruptions impacting your supply chain. This is crucial for cyber security, because attackers go after the weakest link: compromising a supplier that holds your data or has access to your systems is often easier than attacking you directly.

Traditionally, supply chain cyber security risk has been managed with security questionnaires – particularly when onboarding new suppliers. However, this approach is proving to be increasingly ineffective…

The challenge of static questionnaires

Security questionnaires are a common onboarding practice, but they have limitations:

  • They offer a one-time snapshot, failing to capture a supplier’s ever-changing security posture
  • They are self-assessed and rarely verified, so they can be easily manipulated by unscrupulous suppliers
  • Manually reviewing them is labour-intensive and susceptible to human error

That’s not to say questionnaires have no role and should not be used. They play an important part in standardising onboarding processes and setting clear requirements around suppliers’ security.

However, they may provide a false sense of confidence if they aren’t repeated regularly or aren’t complemented by other requirements that can better build an accurate and holistic picture of a supplier’s cyber security.

What can you do to better understand and improve your supply chain’s cyber security?

1)   Build strong working relationships with your suppliers

Open communication and trust with suppliers are essential: transparency allows you to be more confident in their cyber security practices and identify potential issues. Strong relationships also make communication and collaboration during disruptions easier, so you can work together to find solutions.

2)   Make sure you’re asking each supplier the right questions

Many organisations struggle to ask effective questions in their questionnaires. Generic questions that aren’t tailored to the specific risks associated with the supplier’s role in the supply chain aren’t helpful – nor are those focused solely on policy existence rather than implementation. A supplier hosting your customer data, for example, should be asked how that data is encrypted, who can access it and how backups are tested, not just whether an information security policy exists.

3)   Dig deeper for a richer picture

Open-ended questions and requests for documentation can reveal more about a supplier’s security posture than yes/no questions, and verifying answers with evidence or independent audits strengthens your assessment.

We would also suggest that you consider things like scope when asking about the accreditations and certifications suppliers have in place. For example, yes, they might hold ISO 27001, but is the service they’re providing to you actually within the scope stated on the certificate? A certificate covering only the supplier’s corporate IT tells you little about the platform they run for you.

4)   Regularly review your suppliers’ cyber security

Security questionnaires completed during onboarding are likely to become outdated quickly. Instead, make sure you are regularly (eg annually) reviewing suppliers’ cyber security – we’d suggest taking a risk-based approach to how often this is done and what level of evidence you require, so that a supplier with access to sensitive data or critical systems is reviewed more often, and against stronger evidence, than a low-risk one.

It’s also important to conduct a review whenever there is a significant change within the supplier’s organisation that may affect their cyber security – you need to understand what impact this might have and act accordingly. We would also recommend a contractual requirement that they notify you of such changes, eg a change of ownership, loss of a certification, a security incident, etc.
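As an added illustration of points 3 and 4 (not Securious’s own tooling), the following example keeps a small supplier register and works out which suppliers need a review: it checks whether each certification’s scope covers the service actually supplied, applies a risk-tiered review cadence and evidence level, and forces a review when a notified change event (change of ownership, lost certification, incident) has occurred since the last review. The tiers, cadences, event names and supplier records are all constructed assumptions.

```python
"""Supplier review register: scope checks, risk-tiered cadence and
change-triggered reviews.  Added example; every tier, cadence, event name
and supplier record below is a constructed assumption, not a real process."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed review interval (days) and minimum evidence level per risk tier.
REVIEW_CADENCE = {"high": 180, "medium": 365, "low": 730}
EVIDENCE_LEVEL = {
    "high": "independent audit or pen test report",
    "medium": "documentary evidence (policies, certificates with scope)",
    "low": "questionnaire",
}
# Notified events that invalidate the last review regardless of cadence.
TRIGGER_EVENTS = {"change_of_ownership", "loss_of_certification", "security_incident"}


@dataclass
class Supplier:
    name: str
    tier: str                       # one of REVIEW_CADENCE's keys
    service: str                    # the service this supplier provides to us
    last_review: date
    certifications: dict            # cert name -> list of services in its scope
    events: list = field(default_factory=list)  # (date, event_name) since onboarding


def certification_covers_service(s: Supplier, cert: str) -> bool:
    """True only if the service we buy is inside the certificate's stated scope."""
    return s.service in s.certifications.get(cert, [])


def next_review_due(s: Supplier) -> date:
    return s.last_review + timedelta(days=REVIEW_CADENCE[s.tier])


def review_status(s: Supplier, today: date) -> dict:
    """Decide whether a review is needed now, and why, for one supplier."""
    triggers = sorted({ev for when, ev in s.events
                       if ev in TRIGGER_EVENTS and when > s.last_review})
    overdue = today >= next_review_due(s)
    if triggers:
        reason = "change_event"
    elif overdue:
        reason = "overdue"
    else:
        reason = "none"
    return {
        "supplier": s.name,
        "review_required": bool(triggers) or overdue,
        "reason": reason,
        "triggers": triggers,
        "next_due": next_review_due(s),
        "evidence": EVIDENCE_LEVEL[s.tier],
        # Certifications held whose scope does NOT include the service we buy.
        "scope_gaps": [c for c in s.certifications
                       if not certification_covers_service(s, c)],
    }


# Constructed register of three suppliers (not real organisations).
SUPPLIERS = [
    Supplier("Acme Hosting", "high", "managed hosting", date(2023, 9, 1),
             {"ISO 27001": ["managed hosting"]}),
    Supplier("Payroll Ltd", "medium", "payroll processing", date(2023, 11, 15),
             {"ISO 27001": ["corporate IT"]},          # scope does not cover payroll
             [(date(2024, 3, 10), "change_of_ownership")]),
    Supplier("Stationery Co", "low", "office supplies", date(2023, 6, 1), {},
             [(date(2024, 1, 5), "new_account_manager")]),  # not a trigger event
]


def run_register(today: date, suppliers=SUPPLIERS) -> dict:
    """Return {supplier name: status} for the whole register as of `today`."""
    return {s.name: review_status(s, today) for s in suppliers}


if __name__ == "__main__":
    for name, st in run_register(date(2024, 4, 1)).items():
        flag = "REVIEW" if st["review_required"] else "ok    "
        print(f"{flag} {name:14} reason={st['reason']:12} "
              f"due={st['next_due']} gaps={st['scope_gaps']} evidence={st['evidence']}")
```

Run as of 1 April 2024, the high-risk host is overdue (its 180-day window closed on 28 February), the payroll supplier needs an immediate review because of the notified change of ownership and its ISO 27001 scope does not cover the payroll service, and the low-risk supplier is within cadence with no trigger events.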

5)   Be prepared for things to go wrong

Sadly, things do go wrong and cyber incidents do happen – even to organisations with a good cyber posture. You need to be prepared for this and make sure you have a business continuity plan and an incident response plan in place. You should also maintain a shared responsibilities matrix that sets out which people and organisations are responsible for which areas, together with key information such as their contact details.

Any supplier that provides a key function to your business poses an operational risk should they be hit with an attack. So having a plan for what you’ll do if their service is compromised or unavailable is vital.

Is your supply chain leaving you open to attack?

Supply chain due diligence isn’t an easy task – but it is increasingly important. So if you want to make sure your supply chain isn’t leaving you open to attack, or want to be able to provide clients or customers with appropriate reassurance, get in touch with the team at Securious with any questions you have on [email protected].

About Pete Woodward

Pete Woodward is Cofounder and CEO at Securious. He has over 20 years’ cyber and data security experience and has advised hundreds of organisations in the UK and internationally.

Pete has a military background and has worked on security projects in the public and private sectors. His experience is backed up by leading security and auditing accreditations, such as PCI QSA, 3DS, CISSP, MCIIS, ECSA(P), and BSi ISO Lead Auditor.