However large or small a business, it inevitably relies on a number of other businesses in order to deliver its goods or services to customers. That’s your supply chain. Your business relies on this supply chain running smoothly and efficiently, with no hiccups, missed deliveries or lost orders.
As we have learned from the pandemic, the uncertainty and confusion that a disrupted supply chain can have on business and the world can be life changing. So, we have to do all that we can to protect them from vulnerability.
Why is supply chain security so important?
Now is not the time to focus inward on your people, processes and systems and be all superior that you’ve got your bit covered. You cannot afford to be complacent about security. Any business is part of a bigger interconnected chain of trusted partners, accessing data and systems in order to fulfill their role and opening up the risk. One security incident at just one link in the chain can cause a chain reaction, affecting all other organizations in that supply chain.
However indirectly a suppliers’ system is connected to your own, its vulnerabilities become your responsibility. You are only as secure as the weakest link in your supply chain. This includes any third-party services your business uses and software you install — for example, a CRM system, someone building your website or an online finance or HR system. All these systems are likely to be processing personal data and/or possibly payment information. The question is do you know what they are doing with your data? And do you trust them?
The supply chain definition also includes any third-party software you include in your own software. So, for example, there is a small software library called Log4j that is used to log debugging information and can be included in your own software. If a utility like this has a vulnerability, then your system will inherit that vulnerability when you add it to your own code. The Log4Shell flaw impacts a huge number of systems on the internet and will continue to do so for many years to come.
What used to be a simple linear chain can, today, be extremely complex. As we increasingly turn to outsourcing as an effective business solution, it is ever more critical that you can trust those third parties with your data and processes and are able to ensure that the supply chain is secure and protected.
What are the risks?
It makes absolute sense to use third-party suppliers for certain aspects of the business. I am all for using experts in fields to enhance your business, rather than reinventing the wheel. However, it pays to be aware of what additional risk it can bring.
As a trusted outsource partner ourselves, we have frameworks in place to ensure data is protected and backed up and that all of our people are trained in cybersecurity. It is our duty of care to our partners and our people.
If sensitive data is entrusted to a supplier and they experience a breach, it is everyone along the supply chain’s problem. Data that is stolen, tampered with or destroyed can cause financial losses, legal action and fines, not to mention critical reputational harm.
What can we do?
Step one is clearly to understand the risk and accept that there is one. Only then can you do something about it.
Clear visibility of the supply chain is a must. You need to know who your suppliers are, be clear on what they are contracted to handle and have an understanding of what their security looks like. You need to do your due diligence, in other words, and ensure that they are taking their security as seriously as you are. This extends not just to your immediate suppliers but those that supply them or that they sub-contract to and so on.
In mapping this out, you are taking control of the supply chain. You know where your data is stored and how it is processed. And you can easily identify those that do not meet your requirements and areas in the supply chain that may need to be re-evaluated. This relies on clearly communicating your view of security and setting minimum requirements that are justified to the kind of data they are handling or retaining on your behalf and making it a contracting consideration.
If you’re using a third-party web solution, continually monitor them using tools, like SecurityScoreCard or BlackKite, that give a company a security rating. This approach isn’t comprehensive since the tool can only see systems that are exposed to the internet, but it is a good leading indicator if security starts to slip.
This brings me to the next point: Build assurances into your supply chain management — from audits and penetration tests, for example, to including security as a KPI.
Finally, supply chain security is not a static entity. New threats will arrive on an inevitably regular basis. In order to establish and maintain security, you will need to continually assess, evaluate and improve. And I predict that as the business world evolves and further embraces this new way of working, harnessing technology in our everyday lives, the security of our supply chains will only become ever more business-critical.
Look at supply chain management as a shared issue, build trusted partnerships and work together to establish a framework through which you can protect your supply chain and your business.