Intelligent CIO Europe Issue 53 - Page 94

David Smith , Senior Security Consultant at Evalian accessories company to achieve Cyber Essentials is probably unnecessary : they cannot access much of your data . In contrast , a HR platform will need to meet higher security standards .
Clarifying what you expect of suppliers and explaining that you will regularly review them as part of your SCRMP , helps create a more open relationship . They are more likely to feel comfortable telling you of internal security improvements and programmes .
When onboarding new suppliers , organisations should consider security as a foundational requirement , building it into their procurement processes and contracts . Security is a competitive differentiator to be considered among factors like cost . It may be tempting to go with the cheapest supplier based purely on price , but could you later be paying that difference , or more , out of lost revenue and service disruption ?
Your SCRMP should review and address threats specific to your organisation and supplier relationships . Are there concerns about your customers ’ data ? Could a loss of service from your supplier stop you from supplying your customers ? Expecting a supplier to be perfect in all areas of security is unrealistic , ensure you know the potential risks most relevant to you .
Remember that security is a cost . Excessive security requirements and arduous assurance processes are an expense to your supplier . Even if this is not immediately obvious , ultimately the cost will fall back to customers through raised prices , or reduced service elsewhere .
Protect yourself through design and standards : No supplier intends to introduce weaknesses into their customers ’ networks – it ’ s not a great business model . Despite best intentions , supply chain attacks will still occur .
We can , however , reduce the damage of these attacks by reviewing the access given to suppliers . Historically , suppliers have been granted excessive access into customers ’ networks , only to realise this mistake once the worst has happened .
Be fair , open and honest with suppliers : Everyone uses suppliers and everyone supplies someone else . We hope that those we supply to are reasonable with their expectations ; it is worth keeping this in mind when setting expectations of your suppliers .
Carefully identifying what access a supplier or product requires and implementing ways of monitoring for unusual or malicious-looking behaviour , may not stop a supply chain attack totally , but it could prevent a bad day from turning into a terrible week .
Organisations have many options to assure their suppliers , such as the right to audit within contracts , or a requirement for security standards , for example Cyber Essentials or ISO27001 .
However , the type of requirements should fit the services provided . For example , requiring an office
Ultimately , by improving your organisation ’ s approach to supply chain security , you can reduce your exposure to an attack . A solid supply chain security strategy can improve your brand ’ s reputation . When a company assures customers that their supply chain is well-managed , it boosts confidence and builds better relationships . p
94 INTELLIGENTCIO EUROPE www . intelligentcio . com