The business world is becoming ever more interconnected. Our companies and homes increasingly rely on items and services that are supplied or run by others. Companies cannot function without software that is owned and supported by others; the messages we send are managed by others; banks that hold our funds use other companies to manage the transactions and infrastructure between us and them; and companies increasingly hire contractors and consultants to provide specialist skills. All of these external services comprise IT, people and physical assets, and all are vulnerable to failure or malicious behaviour.
Historically, suppliers mostly provided hardware, goods or in-house skills. However, that landscape has changed. Increasingly, we see suppliers (and often their suppliers, and their suppliers in turn) securing wide and long-term access to their clients’ information, assets and people. Often that access is unmonitored and has escalated beyond its original boundary. Some examples of these large-scale accesses are:
- Cloud providers, who may hold huge amounts of their clients’ data (e.g. credit information, personal data, staff records, intellectual property) in other organisations or even in other countries;
- IT contractors who deploy their staff into multiple client organisations, who may hold sensitive accesses at two competing companies simultaneously;
- Network service suppliers who provide data storage or Security Operations Centre functions at remote locations (often overseas);
- Overseas call centres;
- Vendors who supply and maintain safety or physical security (e.g. barriers or alarms) to sensitive sites;
- Third party recruitment consultancies, who hire staff on behalf of clients.
Each of these situations can put the end user’s security, resilience, compliance or stability at risk. Suppliers can cause these sorts of incidents by not managing their own security, by acting irresponsibly, by employing rogue staff who exploit their positions, or in any number of other ways.
CPNI and the National Cyber Security Centre (NCSC) provide guidance for many of these particular examples (e.g. the Cloud Security Principles, or the Insider Threat Study). However, these aim to help organisations secure their own systems themselves. The challenge with supply chain risks is that the risk management must usually be done by someone else, i.e. the supplier.
The key to supply chain risk management is in the selection, contracting and ongoing management of suppliers and consultants – it is an ongoing process, rather than a hurdle to jump over. This has to be done carefully, in alignment with the client’s own comprehensive risk assessment, which should identify its own critical assets and articulate what risks the supplier poses to those assets through their access to them.
Organisations should recognise the importance of good communications on any significant business change that could impact on suppliers to help mitigate security risks. For further information on how to mitigate this risk and manage organisational change, please refer to the research undertaken by the Centre for Research for Evidence and Security Threats (CREST).
The Principles of Supply Chain Security
The NCSC and CPNI jointly propose a series of 12 principles, designed to help you establish effective control and oversight of your supply chain. The guidance covers cyber, physical and people security. An infographic is also available.
Procuring the Services of a Specialist Security Consultant
Security is an essential element of any project concerning the creation, modification, improvement or disposal of a built asset. CPNI has produced guidance on aspects of sourcing, procuring, tasking and retaining specialist security consultants. It highlights issues that need to be considered ranging from acceptance of the project scope and requirements, to details of resourcing, fees structure and insurance.