BLOG: INFORMATION SECURITY IN THE SUPPLY CHAIN
Sharing information with suppliers increases the risk of that information being compromised and of cyber-attacks, but it is essential for the continuity of your organisation. What risks arise, what challenges and what black hole do organisations face, what types of suppliers are there, and how can information in the supply chain be secured? All these topics and questions are addressed in this blog.
During the past years, we discovered that more and more valuable and sensitive information, from intellectual property such as engineering drawings to customer details, is shared with suppliers who don’t make the same investment in protecting it. When information is shared in the supply chain, direct control is lost and there is an increased risk of its confidentiality, integrity or availability being compromised. A compromise anywhere in the supply chain can have just as much impact as one from within the organisation. That is the reason I want to address this topic for my blog this month.
But risks in the supply chain are challenging to identify and difficult to quantify, which can be disruptive to the relationship with suppliers. There are three key challenges that organisations may face from sharing information in their supply chain:
- Lack of awareness of the sensitive information that is shared in contracts.
- Too many contracts to assess individually.
- Lack of visibility and controls as information is shared in the supply chain.
It isn’t about who is in your supply chain; it is about who has the information and whether they are protecting it as well as you do, or even better.
Beyond the direct suppliers, organisations face a black hole: when suppliers share information with their own suppliers, the risk is extended further up the supply chain. There is no easy way to develop even a modicum of control over what happens to the information beyond the suppliers the organisation contracts with. But if there is an incident, the impacts can be just as damaging.
Types of suppliers
There are different types of suppliers: the “traditional” suppliers (e.g. suppliers of goods), outsource providers, suppliers with remote access and cloud service providers. Suppliers with remote access increase the risk of stagnation. If they have remote access to your core systems, they or a cybercriminal can, with one “wrong” click, bring your organisation’s processes to a standstill. Cloud computing can lead to co-mingling. Co-mingling occurs when more than one organisation’s information is located on the same physical server, virtual server, database or hard disk.
All these types of suppliers should be addressed differently and according to the possible risks and importance of the supplier.
As you can see, it is very important to protect your sensitive information in the supply chain to ensure your business’s continuity. To protect and control your information in the supply chain, a process should be established.
Supply chain security process
First, you should start with creating awareness in the organisation and fund the supply chain security process. Without this, there will not be any support for this process.
Second, all suppliers should be identified and categorized according to the sensitivity and criticality of the information they have. Then examine the suppliers by the relationship they have with the company and identify indirect suppliers. Find out if there are any key commercial, governmental, legal and regulatory factors which arise when sharing information with suppliers. If your organisation has too many contracts to address individually, a different approach is necessary.
Then, determine the requirements the suppliers should meet according to the critical and sensitive information they hold. Target the contract and assess the extent to which suppliers meet the required arrangements/requirements. Once the contract is in place, the information security performance of the supplier should be monitored and evaluated. If the supplier is too important, but can’t commit to all the requirements, determine and provide alternative arrangements. Note: If a contract is terminated, it is important that the information and the assets are deleted or sent back.
Information security is an ongoing process. Suppliers should be monitored, new suppliers must be identified, and new risks should be mapped.
Do you want more information about security management in the supply chain or your organisation’s performance? Do not hesitate to contact us!