Because supply chains are so far-reaching and complex, there are myriad opportunities for vulnerabilities to surface and bad actors to emerge. This government guidance outlines best practices organisations can follow to minimise risks in the form of a twelve-step plan:
- Make sure you understand how much of your information and which of your assets your suppliers can access and to what extent they require safeguarding.
- Look beyond your immediate suppliers to garner a clear picture of the wider network you could be impacted by, such as your supplier’s subcontractors and their current security set-up.
- Know the risks your suppliers pose to your information, assets, products and services, and make sure you have up-to-date knowledge regarding the most common forms of cyber attacks on supply chains.
- Keep your suppliers informed about your expectations around how they must protect your information and assets. This will require consistent communication to check they are still abreast of the risks and acting accordingly.
- Set minimum security standards for relevant suppliers - keep in mind that they probably aren’t necessary for every single one. The standards should be reasonable and attainable, or you’ll risk losing their interest in contracting with you.
- When contracting, include clauses and considerations around your organisation’s security - for instance, requirements around when suppliers must delete your information.
- Remember your own responsibilities as a supplier, if any, and keep lines of communication open in both directions.
- Keep your suppliers informed and updated about your security risks and support them to educate relevant staff. Be willing to share lessons you’ve learned and warn them about any potential issues.
- Be prepared to provide support in the event that a supplier faces a security breach.
- Call on your suppliers to report on their security performance and implement assurance measures like audits and penetration tests.
- Motivate your suppliers to improve their security practices, for instance, by telling them it will make them more competitive when it comes to winning future contracts with your organisation.
- Build your suppliers’ trust and use this as an opportunity to create a mutually rewarding partnership.