Overview
Do you understand the security threats to your business, and how these could impact your customers?
Do you have well-developed and practised incident management and business continuity plans?
Your customers are increasingly concerned about supply chain disruption to their business, and they will increasingly expect their suppliers to demonstrate good security in order to protect themselves. Give your business a competitive edge by delivering security as part of your service.
Do not be the weak link in your customers' supply chains. Act now to develop your security and give yourself a competitive advantage.
Oversight
Governance
Implement strong and clear governance that cascades from the top downwards and ensures you are protecting your organisation and your customers.
- Appoint a senior lead to take responsibility for the security of your customers' assets and information. Establish who has responsibility for the physical, personnel, and cyber security of both your business and your customers' assets and information. If these roles are allocated to different people, ensure there are clear and regular links between the individuals concerned
- Regularly review all security policies and procedures with a clearly identified lead to take responsibility for them. Develop a strong security culture across your organisation
Security culture
Your organisation's security culture is an essential component of an effective security regime. Lead by example - a good security culture relies on visible endorsement and engagement from the top.
- Empower, train and communicate regularly with your staff about security in their day-to-day work
- Ensure that key staff (e.g. procurement, security, operational) understand security risks and their roles in helping manage them
- Promote the sharing of security information with your customers to enable better understanding and anticipation of emerging security threats
- Establish robust procedures for dealing with poor security behaviour. Enforce security policies quickly and visibly when staff, contractors, or suppliers do not comply
- Workplace Behaviours Campaign | NPSA - guidance on how to run a workplace security behaviours campaign
- Security culture | NPSA - how to measure security culture and identify if the right measures are in place to support it
- Employee vigilance campaign | NPSA - encourages staff to become an active part of their organisation's security regime
- My digital footprint | NPSA - includes best practice on secure sharing of information
- Think Before You Link | NPSA - practical advice on how to identify, respond to, and minimise the risk of being targeted by hostile actors online
Threats
Attacks targeting your business, and your customers' assets, can come from a range of sources. Ensure you are aware of the variety of potential attacks.
Could vulnerabilities in your physical security lead to unauthorised access to, or destruction or disruption of, your customers' assets, either on site or during transportation?
Case study - Aramco, March 2021: Houthi-claimed attack on a petroleum products distribution terminal in Saudi Arabia, impacting global oil supply.
Could vulnerabilities in your cyber security indirectly provide unauthorised access to your customers' IT systems or assets?
Case study - SolarWinds, 2020: insertion of a backdoor into SolarWinds' Orion software updates, which were then distributed to customers through the normal update mechanism, giving the attackers access to users' networks and enabling data exfiltration.
What access do your employees have to your customers' assets, and what level of personnel security checks are in place to detect and disrupt insider threats?
Scenario: Company A holds sensitive commercial data regarding a technology with military and civilian applications. A subcontractor of Company A downloads the data and sells it to competitors in the defence sector of another state.
Have you considered what your geographical exposure means for your security?
Scenario: Company A holds sensitive data in a data centre owned by Company B. Company B decides to relocate the data to a data centre in Country X, which is then able to access that data.
When taking investment, have you considered the influence this may have over your business?
Scenario: Law Firm A holds sensitive data as part of due diligence for early stage investment by VC Company B. Law Firm A is purchased by an entity in Country X, offering potential access to that data by Country X.
Are you exposing your customers' assets by relying on technology with inherent vulnerabilities that could be exploited by hostile actors?
Scenario: a range of sensitive sites procure CCTV equipment with a cloud-based recording capability run from servers in Country X, which requires any company within its jurisdiction to provide access to all data and communications.
Remember: Introduce appropriate policies and processes so that staff are alert to threats and can escalate security risks to an organisational risk register. Ensure your organisation is up to date on relevant current and emerging threats, vulnerabilities, security best practice, legislation, and technologies.
Risk management
Take a risk management approach to managing your business and your customers' assets. The approach you adopt should outline the processes, techniques, and tools your organisation will use to protect your assets and those of your customers.
- Protective Security Risk Management | NPSA - guidance to help identify vulnerabilities and the potential impact of exploitation
- Operational requirements | NPSA - process outlining the actions and investments required to protect critical assets against security threats
Security measures should focus on the threats specific to your organisation. These measures should cover physical, personnel and cyber security. Ensure you have a clear process in place for communicating these measures to key staff, contacts, stakeholders, and customers.
Ensure there are physical security controls in place at the sites used to process or store your customers' assets (including data) which cover:
- Perimeter security
- Access control
- Principle of least privilege
- Records of site access
- Physical guarding
- Incoming mail and delivery screening
- Protection and maintenance of equipment and cabling
- Asset management and classification
- Secure areas for the storage of sensitive assets
- Tamper indication for protected assets
- Secure destruction of sensitive material
- Visitor control
Ensure you have visibility of the origin of the technologies that you rely on to deliver your service, or use to access, process, or store customers' assets and information.
Visit NPSA's website for resources to help develop your organisation's physical security controls.
- Perimeters and access control - guidance on doors, windows, gates and video analytics systems
- CCTV - range of guidance including human factors in control rooms
- Security lighting - guidance on operational requirements and performance
- Building Information Modelling - guidance on designing in for security and information sharing
- Screening and mail deliveries - comprehensive guidance and specification
- Screening people and their belongings - guidance and common options to use
- Screening vehicles - measures for deterrence
Ensure there are personnel security controls in place for employees who will have access to your customers' assets (including data) which cover:
- Background verification checks and pre-employment screening
- Staff clearances
- Security awareness training requirements
- Senior responsibility for people risk
- Clearly defined and documented security roles and responsibilities for employees and contractors
- Disciplinary processes for employees and contractors who have committed a security breach
- Return of assets and revocation of access rights upon the termination of employment
- Personnel security monitoring
Visit NPSA's website to find resources to help develop your organisation's personnel security controls.
- Personnel security - In Hindsight - YouTube - video illustrating insider threat
- Ongoing Personnel Security | NPSA - explains the insider threat and advises on mitigation measures
- Holistic Management of Employee Risk (HOMER) | NPSA - pragmatic guidance and framework of measures, including the role of corporate governance in managing people risk
- Pre-employment screening | NPSA - good practice guide for use by those with responsibilities for security pre-screening
- Contract staff | NPSA - good practice guide for personnel security and contractors
Provide your customers with assurance about your cyber security posture through Cyber Essentials, Cyber Essentials Plus, or an equivalent cyber security certification.
Consider getting cyber insurance to help protect your business from cyber threats.
Visit NCSC's website to find more resources to help develop your organisation's cyber security controls.
- About Cyber Essentials - NCSC.GOV.UK - about Cyber Essentials
- 10 Steps to Cyber Security - NCSC.GOV.UK - guidance on how organisations can protect themselves in cyberspace
- Cyber insurance guidance - NCSC.GOV.UK - cyber security considerations for organisations thinking about taking out cyber insurance
Legality and transparency
Act in compliance with UK law, such as visa requirements and data handling under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Report personal data breaches to the ICO, within 72 hours of becoming aware of them where the breach is likely to result in a risk to individuals, and report cyber crime to Action Fraud.
Be transparent with your customers about historic security breaches and the steps your organisation has taken to develop your security posture in response. Ensure your customers are aware of any international laws that you are also required to comply with by virtue of the jurisdictions in which your organisation operates.
Make customers aware of any subcontractors who will have access to their assets or information, and the security expectations which you place on those subcontractors.
- Report a breach | ICO - details of incidents which must be reported to the Information Commissioner's Office (ICO)
- Action Fraud - National Fraud & Cyber Reporting Centre
Incident management
Your risk management framework should enable you to cope with a security breach or incident and return to normal operation quickly. Well-developed, practised business continuity plans are a desirable quality in any prospective supplier.
Establishing an effective incident management process will help improve business resilience, support business continuity, improve customer confidence, and reduce financial impact.
- Agree an incident management process with your customers, with clearly defined reporting timescales
- Clearly articulate to your customers where you require support and assistance when security incidents have the potential to impact customer business or their wider supply chain
- Learn from security incidents elsewhere in your customers' supply chains
- Small Business Guide: Response & Recovery - NCSC.GOV.UK - small business guide for cyber incident response and recovery
- CREST (crest-approved.org) - scheme of accredited incident response providers for public and private organisations handling incidents not of national significance
Supply chain security
Consider the security of your own supply chain. Embed security across your supplier lifecycle to reduce the risks to your business. Your supply chain is only as strong as its weakest link.
Protected Procurement
You work hard to keep your business secure, because you know getting security wrong could cost you everything.
That’s why you invest in the best infrastructure; why you train your people; and why you continually hone and tighten your processes.
But can you say the same for every one of your suppliers?
Each time you outsource, you give away some control over your business. External suppliers – from your managed service provider or accountant to the contract cleaning staff in your head office – are a potential risk. And they’re a risk you need to manage, because you can’t outsource responsibility.
When appointing suppliers, cost is a major factor. The right options can save you a lot of money. But the wrong ones can cost you everything.
Supply chain security goes beyond ‘cybersecurity’.
Having state-of-the-art encryption or secure password protocols won’t help if a supplier can’t spot a rogue employee aiming to exploit your data [insider]. Or if they rely on technology that is, by accident or design, insecure [technology]. Or if they aren’t prepared for an attack on their site which could compromise your assets [physical].
What about the laws your suppliers need to comply with because of where they’re based or operate – do they put your data at risk? [geographical]
And would your supplier tell you if they took on an overseas investor, which could give another state access to your information or assets? [hostile investment]
Cybersecurity is important [cyber], but a holistic approach to supply chain security is critical.
Every time you outsource, you give away some control over your business and expose yourself to supply chain security threats. Compromised suppliers damage reputations. And insecure suppliers undermine profits.
If your supplier is breached, your trade secrets are at risk. So protect your business by establishing control and minimising your exposure at every stage of the relationship, with every supplier.
Protected Procurement helps you to defend your organisation from supply chain security threats.
Secure your supply chain today.