Supply-chains are complex and in many cases it can be unclear where the security risk truly lies, and how to mitigate it. In light of this, we spoke to a leader in supply-chain risk management to get their insight and recommendations. The advice has been anonymised to protect the organization’s security.
This guidance is designed to help you reduce time spent on paperwork, spot the alarm signals and enable you to work positively and collaboratively with your supply-chain partners, rather than dictating unrealistic terms or compromising on security.
Asking your suppliers to leaf through multiple pages of a questionnaire and tick millions of boxes doesn’t prove security. Paperwork on both sides could be greatly reduced, and the saved time could be much better spent simply speaking face to face. You get the opportunity to see what the security is like around your organization’s assets – are there enough controls in place? Can anyone see what’s going on and access your data? You’ll learn very quickly how to spot the alarm bells.
It’s not only an absence of controls you should be looking for – even if there is some security in place, it might be dreadfully inadequate or out-of-date. We’ve had experiences where suppliers have fanatically enforced over-prescriptive controls around what color paper is used and obsessive password changing.
And of course, if a critical supplier refuses to let you visit, that (probably) tells you everything you need to know.
On a visit we’re looking for evidence of a security governance programme which includes both physical and personnel security measures and some data loss prevention mechanisms.
Examples of key questions:
When asking questions, make sure you’re speaking to the right people – such as compliance, legal or the back-end of the organization. If you’re sat in a room with a salesperson or account manager, it’s a red flag. If you don’t get answers to all your questions on a site-visit, we’d recommend what we call ‘the sniff test’ – invite one of your trusted independent partners to carry out an open-source intelligence review.
We have around 1000 top-tier suppliers, but the real risk can also lie beyond these in the 5000+ subcontractors, support services and extended supply chain partners.
For example, we looked into the security of our corporate travel booking service. We discovered that we were using the same service as one of our partner organizations, and that the itinerary information could be cross-referenced to determine that we had a relationship with that party. For us, this information is highly sensitive and must be protected.
We looked into the provider’s supply-chain to assess the risk posed by their own vendors – it really was illuminating. There were at least ten more suppliers, ranging from car hire, rail bookings and travel expenses to hotel bookings and visa services – and these services operated out of ten countries spanning four continents. Beyond the travel services partner itself, there were multiple further suppliers we needed assurance on.
This is a specific example relevant to our industry and risk factors. For others, travel plans may not be as sensitive – unless there is a major deal yet to be announced or a merger/acquisition underway.
Taking the most thorough approach to every single supply partner is not feasible, or frankly, sensible. To operate efficiently in the real world, you must take on a certain level of risk.
Much like internal network segregation, we group suppliers into tiers based on the nature of the service they provide and our appetite for risk in relation to the data they hold. For high-risk suppliers, we may visit them on a regular basis, but for lower tiers we may only visit once, or send our organization’s supply chain assessment document.
Geographical region also plays a part in this. Some regions have excellent security programs and a willingness to conform to any requirements – one supplier in India physically partitioned part of a floorplate overnight specifically to protect our data from those not working on the project.
Above all, we want our suppliers to be open and honest with us, not to hide information from us because we are bearing down on them with demands. When it comes to security, some of the smaller suppliers simply don’t know where to start.
Some years ago, I asked a small supplier when their last pen-test was – this question was met with a confused ‘What’s a pen-test?’
Needless to say, when we organised an independent test for them, it revealed that they could be compromised in – almost literally – three mouse clicks. But this gave them the springboard they needed to act and improve security for all their customer data – not just ours.
Ways to position support to benefit your suppliers:
Many thanks to the organization for speaking with us about their approach!
Got questions about supply-chain risk? Get in touch at firstname.lastname@example.org.