As your organisation grows and starts to work with more customers, suppliers and partners, you become a link in one or more complex supply chains. Being a desirable, trustworthy supplier or customer now extends far beyond delivering good products or services, providing great customer care and paying on time. Today’s way of conducting business means that you must observe good practice (and in many cases, compliance) when it comes to cyber and information security because vulnerabilities put not only your own organisation at risk … but also that of the others up and down the supply chain.
Get Safe Online's top tips...
- Assess your own information and cyber security, and that of the other organisations up and down the supply chain, before any information is shared. Do this at an early point in the relationship to avoid difficulties and hold-ups later.
The risks
- Customer / client, supplier and partner data is increasingly held on disparate, distributed databases, so a single vulnerability in one organisation could compromise the integrity of data across the entire chain.
- Data is also shared between more links in the chain, for example via email or via online portals that act as a single point of access for several organisations.
- Every time a new organisation joins the supply chain, the risk of a security breach grows.
- Finances, employee safety, intellectual property, data protection compliance and reputation are all at stake, for every organisation in the chain.
Achieving acceptable standards in the supply chain
It is therefore essential that every organisation in the supply chain has secure systems and practices, can demonstrate this to the others in the chain, and also has confidence in the security of the others in the chain.
It is likely that every organisation in the chain will have different structures, business models, working practices, information infrastructures and be of differing sizes … and will also work to different standards in terms of their own cyber and information security, and how they assess those of others – including your organisation.
As a starting point, it is your responsibility to ensure that you deploy good levels of security in terms of technical safeguards, procedures and practice and employee behaviour.
You should also establish, at the earliest possible point in your entry into the supply chain, whether any level of security is required of you and, if so, its nature and extent, and agree or negotiate this according to your own requirements and standards and those of your partners in the chain. Large partners are more likely to have rigid stipulations, but these may vary according to the size and nature of your organisation and its role in the chain. It may be that one of the levels of Cyber Essentials certification (Cyber Essentials or Cyber Essentials Plus) or the IASME standard is acceptable.
You may be able to achieve an acceptable standard, and assess that of your partners in the supply chain, internally or with the aid of an external consultant. The advice provided on this site is intended to help you determine the areas to be scrutinised, and provides information and advice specific to those areas.