Supply Chain World, Volume 10, Issue 5 | Page 22

Don't let risk be in the eye of the beholder

The further you go down your supply chain, the less likely it is to be shored up against risk. This could be down to the size of the supplier, or to the regulatory or cultural context of where it is located. Whether it's SMEs with limited budgets to spend on security defenses or large consultancies that would rather retain more of their bonus than shell out on better cyber defenses, it's essential to be explicit in detailing your security and privacy requirements to all suppliers.
Make security contractual

While some sectors in the UK, including financial services and healthcare, have mandates to ensure information governance over their supply chain, many organizations in non-regulated industries are still not including it in their supplier contracts. But there is no good reason not to! Making cybersecurity requirements contractual not only impresses the gravity of your security requirements on suppliers but holds them accountable for upholding them.
Dynamically manage your risk

The sheer number of different vendors and suppliers that organizations interact with means it's impossible to manually manage the risk posed by third, fourth, fifth and nth parties. Vendor risk management platforms are key to proactively checking that suppliers are meeting your security requirements, assessing the risk posed, and having up-to-date information when news of a vulnerability or vendor breach breaks.
Establish a supplier breach checklist

A supplier breach checklist is a practical tool for businesses managing multiple suppliers, which not only helps identify potential risks, but can also inform an effective response strategy when a breach happens. The checklist should start with the immediate need to identify and notify the supplier or vendor, before addressing the scope and impact and communicating this to relevant stakeholders – for example, affected customers, regulatory bodies, and the relevant authorities – and ensuring all impacted parties are taking the necessary steps to address the breach and prevent future incidents.
Put in place a risk manager

Assessing and managing risk across your supply chain is a full-time role, from running risk analysis and introducing the relevant protocols, to managing compliance, and determining who is ultimately accountable. In a small company, a senior director or C-level leader must take on the responsibility of managing the company's risk processes. In a larger organization, it is the board's responsibility to put the right team in place and ensure policy adherence.
Get on the front foot

As the business landscape becomes increasingly interconnected, with organizations employing third-party suppliers and vendors, each of which has its own supply chain in tow, proactively managing the risk of the supply chain is key. Getting on the front foot with suppliers, both to secure your supply chain and to understand the steps to take should an event occur, will help reduce your overall exposure.
For a list of the sources used in this article , please contact the editor .