Overview
Protected Procurement - Promo
NPSA SCS Video
You work hard to keep your business secure, because you know getting security wrong could cost you everything.
That’s why you invest in the best infrastructure; why you train your people; and why you continually hone and tighten your processes.
But can you say the same for every one of your suppliers?
Each time you outsource, you give away some control over your business. External suppliers – from your managed service provider or accountant to the contract cleaning staff in your head office – are a potential risk. And they’re a risk you need to manage, because you can’t outsource responsibility.
When appointing suppliers, cost is a major factor. The right options can save you a lot of money. But the wrong ones can cost you everything.
Supply chain security goes beyond ‘cybersecurity’.
Having state-of-the-art encryption or secure password protocols won’t help if a supplier can’t spot a rogue employee aiming to exploit your data. Or if they rely on technology that is, by accident or design, unsecure. Or if they aren’t prepared for an attack on their site which could compromise your assets.
What about the laws your suppliers need to comply with because of where they’re based or operate – do they put your data at risk?
And would your supplier tell you if they took on an overseas investor, which could give another state access to your information or assets?
Cybersecurity is important, but a holistic approach to supply chain security is critical.
Every time you outsource, you give away some control over your business and expose yourself to supply chain security threats. Compromised suppliers damage reputations. And unsecure suppliers undermine profits.
If your supplier is breached, your trade secrets are at risk. So protect your business by establishing control and minimising your exposure at every stage of the relationship, with every supplier.
Protected Procurement helps you to defend your organisation from supply chain security threats.
Secure your supply chain today.
Your supply chain exposes you to damaging security threats. Certain states could target you via your supply chain for their economic, political, or military gain because:
- Your suppliers have weaker security measures in place so are easier to attack; or
- One of your suppliers serves various organisations of interest, so targeting that supplier gives them access to several targets via a single attack
Supply chain attacks can result in the compromise of entire organisations and pose a potentially terminal risk to businesses. Hostile actors are looking for vulnerabilities in organisations of every size across a broad range of sectors.
Supply chains are not just compromised by cyber-attacks. An insider can provide damaging access and insight, or organisations could be unwittingly handing over parts of their business to a state-controlled organisation through offshoring or foreign direct investment in their suppliers. By giving suppliers access to information without setting expectations about how it should be protected, you are exposing your business to a range of security threats.
Act now to develop your supply chain security, avoid business disruption, and protect your business.
Governance
Implement strong and clear governance that cascades from the top downwards and ensures you are protecting your organisation as much as possible.
- Appoint a senior lead to take responsibility for supply chain security. Integrate procurement teams into the security management process, alongside those responsible for physical, personnel and information security. Representation from teams with the tools to defend your business from both direct and indirect attacks will ensure you have holistic protection from malicious threats. Ensure supply chain risks are captured on your organisation's risk register
- Ensure senior-level visibility of the security of your procurement processes and supply chain. This should include visibility of high-risk suppliers, and those with access to sensitive information or systems
- Create a clear policy to help staff identify and highlight high-risk suppliers and procurement activities to senior leaders. Regularly review all security policies and procedures with a clearly identified lead to take responsibility for them. Develop a strong security culture across your organisation
Threats
Attacks on your supply chain security can come from a range of sources. Ensure you are aware of the variety of potential attacks.
Could vulnerabilities in your suppliers' physical security lead to unauthorised access, destruction, or disruption of your assets either onsite or during transportation?
Case study - Aramco, March 2021: Houthi-claimed attack on a petroleum products distribution terminal in Saudi Arabia, impacting global oil supply.
Could vulnerabilities in your suppliers' cyber security indirectly provide unauthorised access to your IT systems or assets?
Case study - SolarWinds, 2020: insertion of malware into SolarWinds' Orion update, providing access to users' networks enabling data exfiltration.
What access do your supplier's employees have to your assets, and what level of personnel security checks are in place to detect and disrupt insider threats?
Scenario: Company A holds sensitive commercial data regarding a technology with military and civilian applications. A subcontractor of Company A downloads the data and sells it to competitors in the defence sector of another state.
Do you understand the laws by which suppliers outside the UK might be bound regarding access and storage of your assets?
Scenario: Company A holds sensitive data in a data centre owned by Company B. Company B decides to relocate the data to a data centre in Country X, which is then able to access that data.
International suppliers must comply with their home country's laws. Ensure your processes and oversight consider the local legal frameworks in which international organisations operate. This could include laws and regulations that require organisations to share information and data with their state. Take this into account when considering offshoring.
Could suppliers owned, controlled or influenced by a foreign state lead to unintended exposure of your assets?
Scenario: Law Firm A holds sensitive data as part of due diligence for early stage investment by VC Company B. Law Firm A is purchased by an entity in Country X, offering potential access to that data by Country X.
Could you be exposing your critical assets by relying on technology with inherent vulnerabilities that could be exploited by hostile actors?
Scenario: a range of sensitive sites procure CCTV equipment with a cloud-based recording capability run from servers in Country X, which requires any company within its jurisdiction to provide access to all data and communications.
Remember: Introduce appropriate policies and processes so that staff are alive to the threats and able to guard against them by embedding security across your procurement process - from supplier selection, to contracts, through to termination.
Exposure
If a future supplier is compromised, how much damage would they be able to inflict?
- Will they have access to commercially sensitive information that could undermine your commercial success?
- Will they have access to your organisation's IT systems and sensitive information?
- How easily would you be able to detect a compromise of the supplier?
- Would a compromise be easily detected and acted upon, or if unnoticed could it be exploited over a significant period?
Consider how to reduce unnecessary or high-risk sharing of sensitive data or access to sensitive systems.
- Eliminate - If a specific activity you planned to outsource provides suppliers with an unacceptable level of access to business-critical assets, deliver the activity in-house
- Mitigate - If a specific activity you planned to outsource exposes more of your business-critical assets than you are comfortable with, reduce the assets shared to minimise your exposure
- Accept - In some circumstances, businesses may find it difficult to set security expectations for suppliers that dominate the market. You should still embed as much security as possible across your procurement processes
Procurement
Enact these measures to ensure security is embedded throughout your procurement processes:
- Decision to Outsource - Use your threat and exposure assessments to determine whether to outsource or deliver activities in-house
- Supplier Selection - Assess prospective suppliers through security due diligence and the use of security supplier assurance questions
- Contracts - Enforce security expectations by using appropriate security clauses within contracts
- Supplier Performance - Use audits and stress testing to check your supplier's security measures are effective and meet expectations
- Termination - Regain control of your assets from suppliers at the end of a contract
Be aware that suppliers may outsource services you procure to others. If so, it is important to understand the impact any outsourcing may have on the security of your assets.
Security culture
Your organisation's security culture is an essential component of an effective security regime. Lead by example - a good security culture relies on visible endorsement and engagement from the top.
- Empower, train and communicate regularly with your staff about supply chain security in their day-to-day work
- Encourage your suppliers to ensure that key staff (e.g. procurement, security, operational) understand security risks and their roles in helping manage them
- Promote the sharing of security information across your supply chain to enable better understanding and anticipation of emerging security threats
- Establish robust procedures for dealing with poor security behaviour. Enforce security policies visibly and quickly when staff, contractors, or suppliers do not comply
Incident management
Establishing an effective incident management process will help improve business resilience, support business continuity, and reduce financial impact.
- Agree an incident management process with your suppliers, with clear requirements for reporting timescales
- Be prepared to provide support and assistance to suppliers where security incidents have the potential to impact your business or the wider supply chain
- Communicate knowledge gained from security incidents to your suppliers in order to help them avoid falling victim to known and manageable attacks
A crisis may affect your supply chain. To avoid crises being exacerbated by supply chain security incidents, you should address three overarching risks:
- Exploitation of the changing situation by hostile actors
- Baseline security measures being neglected due to competing priorities
- Failure to establish and implement incident and crisis management capabilities
Interference from adversaries is a credible threat during times of crisis. The most effective countermeasure to misinformation is to ensure that external communications are impactful and efficient.