Advice on assessing security risks in your supply chain

Supply-chains are complex and in many cases it can be unclear where the security risk truly lies, and how to mitigate it. In light of this, we spoke to a leader in supply-chain risk management to get their insight and recommendations. The advice has been anonymised to protect the organization’s security.

This guidance is designed to help you reduce time spent on paperwork, spot the alarm signals and enable you to work positively and collaboratively with your supply-chain partners, rather than dictating unrealistic terms or compromising on security.

Don’t just tick a box – visit your supply partners personally

Asking your suppliers to leaf through multiple pages of a questionnaire and tick millions of boxes doesn’t prove security. Paperwork on both sides could be greatly reduced, and the saved time could be much better spent simply speaking face to face. You get the opportunity to see what the security is like around your organization’s assets – are there enough controls in place? Can anyone see what’s going on and access your data? You’ll learn very quickly how to spot the alarm bells.

It’s not only an absence of controls you should be looking for – even if there is some security in place, it might be dreadfully inadequate or out-of-date. We’ve had experiences where suppliers have fanatically enforced over-prescriptive controls around what color paper is used and obsessive password changing.

And of course, if a critical supplier refuses to let you visit, that (probably) tells you everything you need to know.

What to look for and key questions to ask your suppliers

On a visit we’re looking for evidence of a security governance programme which includes both physical and personnel security measures and some data loss prevention mechanisms.

Examples of key questions:

  • What level of independent testing do you do? When was your last pen-test? Who performed it?
  • How do you manage risk from your third party suppliers? How do you ensure conformity with your standards?
  • How and where is your hardware and software designed, managed and maintained?

When asking questions, make sure you’re speaking to the right people – such as compliance, legal or the back-end of the organization. If you’re sitting in a room with a salesperson or account manager, it’s a red flag. If you don’t get answers to all your questions on a site visit, we’d recommend what we call ‘the sniff test’ – invite one of your trusted independent partners to carry out an open-source intelligence review.

Illuminate your supply-chain beyond your top suppliers

We have around 1000 top-tier suppliers, but the real risk can also lie beyond these in the 5000+ subcontractors, support services and extended supply chain partners.

For example, we looked into the security of our corporate travel booking service. We discovered that we were using the same service as one of our partner organizations, and that the itinerary information could be cross-referenced to determine that we had a relationship with that party. For us, this information is highly sensitive and must be protected.

We looked into the provider’s supply-chain to assess the risk posed by their own vendors – it really was illuminating. There were at least ten more suppliers, ranging from car hire, rail bookings and travel expenses to hotel bookings and visa services – and these services operated out of ten countries spanning four continents. So beyond the travel services partner itself, there were multiple further suppliers on which we needed assurance from that partner.

This is a specific example relevant to our industry and risk factors. For others, travel plans may not be as sensitive – unless there is a major deal yet to be announced or a merger/acquisition underway.

Adjusting your approach to the level of risk

Taking the most thorough approach to every single supply partner is not feasible, or frankly, sensible. To operate efficiently in the real world, you must take on a certain level of risk.

Much like internal network segregation, we group suppliers into tiers based on the nature of the service they provide and our appetite for risk in relation to the data they hold. For high-risk suppliers, we may visit them on a regular basis, but for lower tiers we may only visit once, or send our organization’s supply chain assessment document.

Geographical region also plays a part in this. Some regions have excellent security programs and a willingness to conform to any requirements – one supplier in India physically partitioned part of a floorplate overnight specifically to protect our data from those not working on the project.

Encourage good security practice with your suppliers

Above all, we want our suppliers to be open and honest with us, not to hide information from us because we are bearing down on them with demands. When it comes to security, some of the smaller suppliers simply don’t know where to start.

Some years ago, I asked a small supplier when their last pen-test was – this question was met with a confused ‘What’s a pen-test?’

Needless to say, when we organised an independent test for them, it revealed that they could be compromised in – almost literally – three mouse clicks. But this gave them the springboard they needed to act and improve security for all their customer data – not just ours.

Ways to position support to benefit your suppliers:

  • Offer free consultancy through giving them a threat briefing
  • Offer to sponsor an independent pen-test with your trusted partner
  • Offer to sponsor accreditation, membership of a security association, or access to trusted security advice

Many thanks to the organization for speaking with us about their approach!