Safeguarding your supply chain in today’s dynamic landscape

by Mark Kibby - Supply Chain Security Manager

Organisations are increasingly dependent on managed services, third-party or open-source technology and many other types of suppliers. And during periods of heightened cyber risk or a shifting geopolitical landscape, it's essential to protect your supply chains against potential vulnerabilities that can impact your industry and the societies you serve. 

For example, 2023 saw several high-profile supply chain breaches, most notably the mass exploitation of a vulnerability in the MOVEit Transfer file-transfer product. Emsisoft (an anti-malware vendor) kept a running count of the fallout and, at the time, reported 2,730 impacted organisations and over 94 million affected individuals as a result of data being exfiltrated from MOVEit instances.

The rapid increase in supply chain attacks prompted the UK's National Cyber Security Centre (NCSC) to publish supply chain security guidance setting out 12 Supply Chain Security Principles. The principles are grouped into four stages: understanding the risks, establishing control, checking your arrangements, and continuous improvement.

So how do we manage this ever-increasing risk?

We believe that supply chain security and third-party risk management (TPRM) are an organisation-wide responsibility and not solely a risk for the security team to own or manage. Read on for our step-by-step guide to safeguarding yours.

Step one: collaboration and close working relationships

Close collaborative relationships are essential across security, procurement, legal, data protection, IT, business continuity, and operation teams.

Having all the right people on hand and well-aligned builds strength in numbers to raise awareness and highlight the importance of supply chain security. For example, our Third-Party Supplier Assurance Forum brings together business units across our organisation, subsidiaries and joint ventures to help define and direct our third-party risk management strategy. The forum has already facilitated several improvements within our policies and processes, ensuring that mitigation of risk remains high on the agenda across our organisations.

Step two: identifying the risks

As supply chains continue to grow in complexity and number, it’s not always practical to focus attention on every single supplier. We've found that it’s more efficient to prioritise the suppliers who pose the greatest risk. Pinpoint the suppliers that have access to your most valuable assets and provide services that are essential to your organisation, since their compromise or unavailability would have the biggest impact. The NCSC and National Protective Security Authority (NPSA) offer useful advice on establishing 'impact levels' or 'tiers' within your supply chain.

Onboarding assessments and supplier reviews will help to maintain your external certifications. However, they aren’t sufficient for complete protection of your most valuable assets. More organisations are turning to external tools and services to supplement their processes and strengthen their monitoring schedule.

Step three: effective continuous monitoring

It can be a significant challenge to effectively monitor large or complex supply chains.

Doing so requires considerable resources and usually a supporting management tool or service, whether developed internally or procured externally. Running the process without a tool or service is still common, but it is declining as supply chains grow in size and the manual approach becomes inefficient. It typically relies on ‘point in time’ (snapshot) self-assessments by suppliers; these may tick a compliance box, but the accuracy of a supplier's own answers and the effectiveness of a process that only looks once are both questionable.

BlueVoyant's 2023 Global Insights report stated that around a third (32%) of the surveyed organisations in the UK are likely to be using a continuous monitoring solution, whilst 38% are likely to be using a security ratings solution, both higher than the global average. If you aren’t using these types of services or tools, or developing your own, there’s a risk of falling behind. It’s crucial to consider using these tools to ensure you’re fully prepared and ready to respond, so you can minimise the impact by identifying and addressing risks appropriately. 


Step four: readiness to respond

Being ready to respond is arguably the most important capability you can have at your disposal. This involves establishing resilience, testing recovery plans with critical suppliers, and identifying concentration risk in your supply chain. Know your suppliers, the services they provide, the level and method of access they have to your assets, the impact on your organisation or your clients, and the appropriate point of contact for each of your suppliers.

A big challenge is extending this information to your fourth- and fifth-party suppliers (your suppliers' own suppliers, and theirs in turn), but whatever approach you decide is best, this information must be readily available and up to date if you are to respond quickly and effectively.
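As an added example (not code from the original article), the following Python sketch shows one way to hold the supplier information Step four calls for and to derive the Step two tiers and the concentration risk from it. The supplier names, services, access levels, contacts and dependency links are constructed sample data, and the scoring thresholds are an assumption; the point is that once fourth-party links are recorded, blast radius and concentration risk fall out of a simple reverse-dependency walk rather than a spreadsheet review.

```python
"""Supplier inventory with tiering, blast radius and concentration risk.

Added illustration, not the article's own code. All suppliers, services,
access levels and contacts below are constructed sample data.
"""

# Each supplier records the business services it supports, how it reaches our
# assets, an incident contact, and the suppliers it depends on (fourth parties).
SUPPLIERS = {
    "cloud-host":    {"services": ["customer-portal", "payroll"], "access": "privileged",
                      "contact": "soc@cloud-host.example", "depends_on": ["dns-provider"]},
    "payroll-saas":  {"services": ["payroll"], "access": "data",
                      "contact": "security@payroll-saas.example", "depends_on": ["cloud-host"]},
    "file-transfer": {"services": ["customer-portal", "claims"], "access": "data",
                      "contact": "psirt@file-transfer.example", "depends_on": []},
    "dns-provider":  {"services": [], "access": "none",            # fourth party only
                      "contact": "noc@dns.example", "depends_on": []},
    "catering":      {"services": ["office-lunch"], "access": "none",
                      "contact": "hello@catering.example", "depends_on": []},
}

# Hypothetical criticality of each business service (3 = most critical) and
# weight of each access method; tune these to your own impact levels.
SERVICE_CRITICALITY = {"customer-portal": 3, "payroll": 3, "claims": 2, "office-lunch": 0}
ACCESS_WEIGHT = {"privileged": 3, "data": 2, "network": 1, "none": 0}


def dependents(name):
    """All suppliers that sit downstream of `name` (reverse-dependency closure).

    Follows fourth-/fifth-party links transitively and tolerates cycles.
    """
    seen, stack = set(), [name]
    while stack:
        current = stack.pop()
        for other, record in SUPPLIERS.items():
            if current in record["depends_on"] and other not in seen:
                seen.add(other)
                stack.append(other)
    return seen


def blast_radius(name):
    """Business services affected if `name` is compromised or unavailable."""
    affected = set(SUPPLIERS[name]["services"])
    for downstream in dependents(name):
        affected.update(SUPPLIERS[downstream]["services"])
    return affected


def tier(name):
    """Tier 1 suppliers get the deepest assurance; tier 4 the lightest."""
    impact = max((SERVICE_CRITICALITY[s] for s in blast_radius(name)), default=0)
    access = ACCESS_WEIGHT[SUPPLIERS[name]["access"]]
    if impact >= 3 and access >= 2:
        return 1
    if impact >= 2 or access >= 2:
        return 2
    if impact >= 1 or access >= 1:
        return 3
    return 4


def concentration_risk(min_criticality=2, threshold=2):
    """Suppliers whose loss would take out `threshold` or more critical services."""
    risky = {}
    for name in SUPPLIERS:
        critical = {s for s in blast_radius(name) if SERVICE_CRITICALITY[s] >= min_criticality}
        if len(critical) >= threshold:
            risky[name] = sorted(critical)
    return risky


def suppliers_for(service):
    """Every supplier, direct or nth-party, underpinning `service`, with its contact."""
    return {name: SUPPLIERS[name]["contact"] for name in SUPPLIERS if service in blast_radius(name)}


if __name__ == "__main__":
    for name in SUPPLIERS:
        print(f"{name:14s} tier {tier(name)}  blast radius: {sorted(blast_radius(name))}")
    print("concentration risk:", concentration_risk())
    print("who to call for payroll:", suppliers_for("payroll"))
```

Note that `dns-provider` has no direct access and supports no service directly, yet lands in tier 2 and in the concentration-risk list: it only shows up because the fourth-party link from `cloud-host` is recorded, which is exactly the information that is hardest to keep current.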

Building resilience in the face of supply chain threats

The growing size and complexity of supply chains and increasing dependence on third-party services, combined with the capability of threat actors and heightened global tensions, mean there is a much higher likelihood of a supply chain attack.

Strong technical controls underpinned by strong policies and processes can play a part in reducing the likelihood and impact of a successful attack, but it’s crucial that you’re ready to respond and can do so quickly and effectively, therefore minimising impact.
