How do I test suppliers’ security measures are effective? How do I create an effective incident management process? How do I horizon scan for changes in threat or vulnerability?
Protected Procurement - Educate
Overview
The procurement process is one of the most important aspects of an organisation’s security. But it’s also one of the least recognised.
Outsourcing reduces your control. And if you’re giving up control, you need to know it’s to someone you can trust. When appointing suppliers, cost is a major factor. The right options can save you a lot of money. But the wrong ones can cost you everything.
Each of your suppliers is critical, because every link in your supply chain adds an element of risk for your entire organisation. After all, those who are after your trade secrets will be looking for the weakest link.
In fact, suppliers may be more likely to become a target, as a successful attack on them would yield not only your data, but data from all their other customers too, all in a single blow.
Supply chain security goes beyond ‘cybersecurity’. You need a breadth of defences to protect your organisation’s profits, reputation, and even its very existence. And to really protect yourself, those same security standards need to apply to every link in your supply chain.
The kinds of threats you need to defend against include:
Geographical risk – such as the international laws some suppliers are bound by
Insider threats – from those recruited by foreign states to negligence and incompetence
Hostile ownership – where state-backed actors invest in suppliers and gain access to your information
Technological risk – where the technologies your suppliers use provide backdoor access to your data; and
Physical attacks – on a supplier’s site or on resources in transit
Building the trust you need with suppliers isn’t a one-off process. It’s a cycle of decision-making, evaluation, and auditing to ensure you’re always protected. And it looks something like this:
Decision to outsource – Evaluating the need to work with new suppliers, the threats this brings, and the ways to reduce the risks involved
Supplier selection – Assessing prospective suppliers and conducting rigorous due diligence so you know you can trust them
Contracts – Using security-focused contracts to give you confidence you’ll get the service you deserve
Supplier delivery – Working with suppliers to test and audit existing processes, as well as proactively looking for new threats
Termination – Ending contracts in a secure manner – whatever the reason for termination
And, of course, continual Oversight – Making sure supply chain security is on your organisation’s agenda, at the senior and operational level, for both your colleagues and your suppliers
Few fully understand the risks you have to manage, but any company that has ever suffered a breach knows just how vital your role is.
Protected Procurement helps you to defend your organisation from supply chain security threats.
Secure your supply chain today.
Your supply chain exposes you to damaging security threats. Certain states could target you via your supply chain for their economic, political, or military gain because:
1. Your suppliers have weaker security measures in place so are easier to attack; or
2. One of your suppliers serves various organisations of interest, so targeting that supplier gives them access to several targets via a single attack
Supply chain attacks can result in the compromise of entire organisations and pose a potentially terminal risk to businesses. Hostile actors are looking for vulnerabilities in organisations of every size across a broad range of sectors.
Supply chains are not just compromised by cyber-attacks. An insider can provide damaging access and insight, or organisations could be unwittingly handing over parts of their business to a state-controlled organisation through offshoring or foreign direct investment in their suppliers. By giving suppliers access to information without setting expectations about how it should be protected, you are exposing your business to a range of security threats.
Act now to develop your supply chain security, avoid business disruption, and protect your business.
Oversight
Governance
Implement strong and clear governance that cascades from the top downwards and ensures you are protecting your organisation as much as possible.
Integrate procurement teams into the security management process, alongside those responsible for physical, personnel and information security. Representation from teams with the tools to defend your business from both direct and indirect attacks will ensure you have holistic protection from malicious threats. Ensure supply chain risks are captured on your organisation's risk register.
Ensure senior-level visibility of the security of your procurement processes and supply chain. This should include visibility of high-risk suppliers, and those with access to sensitive information or systems.
Create clear policies to help staff identify and highlight high-risk suppliers and procurement activities to senior leaders. Regularly review all security policies and procedures with a clearly identified lead to take responsibility for them. Develop a strong security culture across your organisation.
Security culture
Your organisation's security culture is essential to protecting your organisation from threats. Security culture refers to the set of values, shared by everyone in an organisation, that determine how people are expected to think about and approach security.
Through training and regular communication, staff should feel empowered to consider supply chain security within their day-to-day work
Encourage your suppliers to ensure that key staff (e.g. procurement, security, operational) understand security risks and their roles in helping manage them. Our suppliers guidance might be a helpful tool
Promote the sharing of security information across your supply chain to enable better understanding and anticipation of emerging security threats
Establish robust procedures for dealing with poor security behaviour. Enforce security policies visibly and quickly when staff, contractors, or suppliers do not comply
Decision to outsource
What are the threats to my organisation via our supply chain?
How do I determine the level of security to expect from our suppliers?
Threats
Attacks on your supply chain security can come from a range of sources. Ensure you are aware of the variety of potential attacks.
Physical
Could vulnerabilities in your supplier's physical security lead to unauthorised access, destruction, or disruption of your assets either onsite or during transportation?
Case study - Aramco, March 2021: Houthi-claimed attack on a petroleum products distribution terminal in Saudi Arabia, impacting global oil supply.
Cyber
Could vulnerabilities in your supplier's cyber security indirectly provide unauthorised access to your IT systems or assets?
Case study - SolarWinds, 2020: insertion of malware into SolarWinds' Orion update, providing access to users' networks enabling data exfiltration.
Insider
What access do your suppliers' employees have to your assets, and what level of personnel security checks are in place to detect and disrupt insider threats?
Scenario: Company A holds sensitive commercial data regarding a technology with military and civilian applications. A subcontractor of Company A downloads the data and sells it to competitors in the defence sector of another state.
Geographical
Do you understand the laws by which suppliers outside the UK might be bound regarding access and storage of your assets?
Scenario: Company A holds sensitive data in a data centre owned by Company B. Company B decides to relocate the data to a data centre in Country X, which is then able to access that data.
Hostile ownership
Could suppliers owned, controlled or influenced by a foreign state lead to unintended exposure of your assets?
Scenario: Law Firm A holds sensitive data as part of due diligence for early stage investment by VC Company B. Law Firm A is purchased by an entity in Country X, offering potential access to that data by Country X.
Technology
Could you be exposing your critical assets by relying on technology with inherent vulnerabilities that could be exploited by hostile actors?
Scenario: a range of sensitive sites procure CCTV equipment with a cloud-based recording capability run from servers in Country X, which requires any company within its jurisdiction to provide access to all data and communications.
Remember: Introduce appropriate policies and processes so that staff are alive to the threats and guard against them by embedding security across your procurement process - from supplier selection, to contracts, through to termination.
Exposure
If a future supplier is compromised, how much damage would they be able to inflict?
Will they have access to commercially sensitive information that could undermine your commercial success?
Will they have access to your organisation's IT systems and sensitive information?
How easily would you be able to detect a compromise of the supplier?
Would a compromise be easily detected and acted upon, or could it be exploited over a significant period unnoticed?
Consider how to reduce unnecessary or high-risk sharing of sensitive data or access to sensitive systems.
Eliminate - If a specific activity you planned to outsource provides suppliers with an unacceptable level of access to business-critical assets, deliver the activity in-house
Mitigate - If a specific activity you planned to outsource exposes more of your business-critical assets than you are comfortable with, reduce the assets shared to minimise your exposure
Accept - In some circumstances, businesses may find it difficult to set security expectations for suppliers that dominate the market. You should still embed as much security as possible across procurement processes
Security expectations
Once steps have been taken to limit exposure, use the residual exposure alongside the contextualised threat to assess the impact on your business if your supplier is compromised. Assign a security level to the acquisition and ensure that security measures in the contract are justified, proportionate and achievable.
Will the supplier have access to sensitive data?
Will the supplier have access to business-critical assets?
Will the supplier have access or connection to the organisation's IT network?
What level of privileges will they have?
Would a breach via the supplier adversely impact the organisation's reputation?
Would a breach via the supplier adversely impact the organisation's business operations?
Would a breach via the supplier cause significant financial or legal consequences?
Is the supplier a single point of failure?
Based on the assessment, assign a required security level to the acquisition. The assigned security level influences the security controls that need to be embedded throughout the rest of the procurement process. Strict security demands are not proportionate for suppliers who, if compromised, would pose little risk to your business. However, those suppliers with access to sensitive data or whose compromise would otherwise have significant consequences would need to meet more stringent security demands. See below for an example of a red-amber-green impact model. This will inform the due diligence and supplier assurance questions you should be asking.
Due diligence should cover financial risks, reputational risks, reliability and security. Conduct security due diligence on all prospective suppliers to assess how trustworthy and vulnerable to compromise they are. Repeat regularly, especially following any security incident, breach, or significant change in operation or contract.
Supplier assurance questionnaires (SAQs) are a self-assessment by the supplier of their security profile and enable your organisation to determine whether the supplier:
Is sufficiently secure to resist an attack
Meets your security expectations based on the assigned security level
As this is a self-assessment, these security expectations must be reinforced through contracts and auditing. Contracts should stipulate the security standards expected of suppliers, with termination clauses if they are not met, and audits should be used to confirm that the expected security standards are being met.
Due diligence and supplier assurance questions combined allow an organisation to assess how trustworthy and secure prospective suppliers are, and how this compares to the assigned security level.
Suitability assessment
Collate information from the independent due diligence and the SAQ to evaluate if the supplier meets the necessary security standard given the security level.
If the supplier does, then proceed with the procurement process. If not, you should consider:
Whether to award the contract to them but create a statement of security assurance to articulate expected activities the supplier should undertake to reach the required level of security. Use this to raise performance and monitor achievement against security objectives
Contracts should hold suppliers accountable for their security responsibilities. Suppliers should also have cascading security standards throughout their supply chain. Including security at the initial stage of any contract will save you money later. Always seek your own independent legal advice for your specific requirements.
Security clauses
Include these security provisions within contracts:
Articulate the security standards you expect, and the expected delivery deadlines where the supplier's current security profile does not meet the required standards
Exclude security standards from any force majeure clause to prevent the supplier relinquishing security responsibilities following an extraordinary event
Require timely notification of any change to security standards compared to those expressed in response to the supplier assurance questions, with a provision for termination of the contract in the event of unacceptable security measures
Require timely notification of organisational or environmental changes with implications for the security of the service provided
Require timely notification of offshoring of storage, process, or access to your assets (including data), with a provision for termination of the contract in the event of offshoring
Require timely notification of any change of ownership or investment which provides a new entity with material influence over the supplier's business, with a provision for possible termination of contract in the event of change of ownership or influence
Require timely notification of any subcontractors who might have access to your assets, with a provision to restrict the subcontractor's access to your asset if requested
Require timely notification of any security breach or newly identified security vulnerability
Require an independent review and corrective action following any breach in a key security performance indicator
Specify the right to audit the supplier's security stance on a regular basis, and following any security incident, breach, or significant change in operation or contract
Require evidence of compliance with contractual controls
Articulate the following within termination clauses:
Audits can be conducted in many ways - independently, directly, or by self-auditing. How you choose to conduct an audit should be proportionate to the risk. Prioritise audits based on risk assessment to optimise resource allocation.
Identify the audit scope and establish an audit plan
Conduct the audit, including testing the audit evidence to validate it
Analyse, review and identify gaps or opportunities to improve
Report findings
Aim to align security objectives with your supplier
Integrity test your supply chain
Investigate poor performance quickly and fix it before it becomes a contractual breach
If you are not auditing an organisation, monitor its certifications, security reports and open-source information
Stress testing
Test that your suppliers' security measures are effective and perform under pressure, through tabletop and live exercises.
Measure the effectiveness of a stress test via the difference between:
time to survive (the maximum time a supply chain can meet demand after a disruption) and
time to recovery (the time it would take for full recovery after a disruption)
Use simulations of low probability, high impact events to understand the limits of your incident management process.
Establish an effective incident management process to improve business resilience, support business continuity, and reduce financial impact.
Agree an incident management process with your suppliers, with clear requirements for reporting timescales
Be prepared to provide support and assistance to suppliers where security incidents have the potential to impact your business or the wider supply chain
Communicate knowledge gained from security incidents to all your suppliers, to help prevent them from falling victim to known and manageable attacks
Establish a high-level, strategic crisis management policy aimed at containing any crisis by limiting damage and ensuring recovery. This should include:
Clearly identifying what constitutes a crisis versus an incident
Widespread familiarity with the crisis management policy and processes
Ensuring critical preparedness activities and supplies are available pre-event or as soon as possible post-event to aid recovery
Ensuring communications channels are prepared and security-focused
A crisis may impact on your supply chain. To avoid crises being exacerbated by supply chain security incidents, you should address three overarching risks:
Exploitation of the changing situation by hostile actors
Baseline security measures being neglected due to competing priorities
Failure to establish and implement incident and crisis management capabilities
Interference from adversaries is a credible threat during times of crisis. The most effective countermeasure to misinformation is to ensure that your external communications are impactful and efficient.
Horizon scanning
Changes in threat, vulnerabilities, best practice, and technologies may impact your supply chain security.
Scan for and share threat information throughout your supply network
Invest in technology that provides supply chain visibility
Be aware of developments in your operations abroad
Termination clauses within contracts should outline the assets to be recovered and protective measures to be undertaken
Termination clauses can be enacted either at the end of the contract term, or should the contract be terminated by agreement, breach, or the law of frustration. Include termination procedures within your security plan, so staff understand the process that should be followed
Implementation:
Ensure that the termination process is followed as outlined in the contract and your security plan
Ensure that suppliers do not retain legacy access to your assets unless explicitly specified within the contract