The supply chain is a crucial component of the continuous and successful running of a business. Whether a supplier provides goods or services, they all play a part, but how well do you know them?
In 2018 it was found that supply chain cyber-attacks had hit two-thirds of firms (https://www.cips.org/en-GB/supply-management/news/2018/july/supply-chain-cyber-attacks-hit-two-thirds-of-companies/), and these figures are climbing year on year as more and more organisations move their services online. What would happen if one of your suppliers was hit by an attack? Remember WannaCry? Did it affect the delivery of goods to you? What would happen if one of your main suppliers was out of action for two or three days: could your business continue to operate? Do you have backup suppliers who could take over?
These are all good questions which you should have answers to. One of the first questions I ask people when talking about supply chain trust is: did you investigate the supplier before taking on their services? For example, do you know the answers to the following questions?
- Do you know where they store your personal data? Is it in the UK, US, India?
- Do you know how they secure your data and who has access to it?
- Do you know if they back up their data and have recently tested recovering it?
- Do you know if they comply with the GDPR and the Data Protection Act 2018?
- Do they have Cyber Essentials, ISO 27001 or something similar?
- If they use Cloud services (such as Azure or Amazon AWS), is the data stored in a UK/EEA data centre?
If the answer to any of the questions above is "no" or "I don't know", you should look at performing a supplier audit. This doesn't have to be difficult or intrusive, and larger suppliers will publish most of this information on their website for you to review.
What is a supplier audit?
A supplier audit is where you review each of your suppliers to find out how well they process and protect your information, and whether they have business continuity and resilience controls in place. This can be done with a simple spreadsheet: one per supplier, listing the questions and recording the answers. If the supplier holds any certificates, link to them from the spreadsheet.
The supplier audit helps identify risks within your business and feeds into your risk register. Depending on what you find, you may decide to move supplier or re-evaluate some areas to improve your own business continuity, should anything happen.
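The spreadsheet approach works well for a handful of suppliers, but the same questions can be scored mechanically so that every supplier is judged the same way and the results drop straight into a risk register. The script below is an added example written for this page, not the author's own tooling: it records one supplier's answers to the questions listed above, treats "I don't know" as a finding in its own right (rather than quietly passing), checks data residency against a UK/EEA country list, flags stale restore tests and expired certificates, and produces risk register entries. The supplier names, answers, the one-year restore-test threshold and the country list are all constructed assumptions for the example; adjust them to your own policy.

```python
"""Supplier audit checklist evaluator (added example, not from the original post)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed residency policy: UK plus the EEA countries (ISO 3166 alpha-2 codes).
UK_EEA = {
    "GB", "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IS", "IE", "IT", "LV", "LI", "LT", "LU", "MT", "NL", "NO", "PL", "PT",
    "RO", "SK", "SI", "ES", "SE",
}

# Assumption: a restore test older than a year no longer counts as evidence.
RESTORE_TEST_MAX_AGE = timedelta(days=365)


@dataclass
class SupplierAudit:
    """One row of the audit spreadsheet. A value of None means "I don't know"."""
    name: str
    data_locations: list[str] | None         # where our data is held (cloud regions included)
    access_controls_documented: bool | None  # do we know how it is secured and who has access
    last_restore_test: date | None           # when they last proved a backup can be restored
    gdpr_dpa_compliant: bool | None          # GDPR / Data Protection Act 2018
    certifications: dict[str, date] = field(default_factory=dict)  # cert name -> expiry date
    evidence: list[str] = field(default_factory=list)              # links to certificates etc.


def assess(audit: SupplierAudit, today: date) -> list[dict]:
    """Turn one supplier's answers into risk register entries.

    An unanswered question is recorded as a finding, because "I don't know"
    means the audit question has not actually been answered.
    """
    entries: list[dict] = []

    def add(question: str, issue: str, severity: str) -> None:
        entries.append({"supplier": audit.name, "question": question,
                        "issue": issue, "severity": severity})

    # Where is our data stored (including any cloud data centre)?
    if audit.data_locations is None:
        add("data location", "storage location unknown", "high")
    else:
        outside = sorted(set(audit.data_locations) - UK_EEA)
        if outside:
            add("data location", f"data held outside UK/EEA: {', '.join(outside)}", "medium")

    # How is the data secured and who has access to it?
    if audit.access_controls_documented is None:
        add("access controls", "no information on who can access our data", "high")
    elif not audit.access_controls_documented:
        add("access controls", "supplier could not evidence access controls", "high")

    # Do they back up, and have they recently tested a restore?
    if audit.last_restore_test is None:
        add("backup/restore", "no evidence of a tested restore", "high")
    elif today - audit.last_restore_test > RESTORE_TEST_MAX_AGE:
        add("backup/restore", f"last restore test {audit.last_restore_test} is stale", "medium")

    # GDPR / DPA 2018: unknown and "no" are treated the same way.
    if not audit.gdpr_dpa_compliant:
        add("GDPR/DPA 2018", "compliance not confirmed", "high")

    # Cyber Essentials, ISO 27001 or similar: must be held and still in date.
    in_date = {c for c, expiry in audit.certifications.items() if expiry >= today}
    if not audit.certifications:
        add("certification", "no security certification held", "medium")
    elif not in_date:
        add("certification", "all listed certificates have expired", "medium")

    return entries


def overall_rating(entries: list[dict]) -> str:
    """Collapse a supplier's findings into a single rating for the risk register."""
    severities = {e["severity"] for e in entries}
    if "high" in severities:
        return "high"
    if "medium" in severities:
        return "medium"
    return "low"


# Constructed answers for two fictitious suppliers.
TODAY = date(2024, 3, 1)
PAYROLL_CO = SupplierAudit(
    name="Payroll Co", data_locations=["GB", "IE"], access_controls_documented=True,
    last_restore_test=date(2023, 11, 10), gdpr_dpa_compliant=True,
    certifications={"ISO 27001": date(2025, 6, 30)},
    evidence=["https://example.invalid/payrollco/iso27001.pdf"],  # placeholder link
)
COURIER_LTD = SupplierAudit(
    name="Courier Ltd", data_locations=None, access_controls_documented=None,
    last_restore_test=date(2022, 1, 5), gdpr_dpa_compliant=True,
    certifications={"Cyber Essentials": date(2023, 2, 1)},
)

if __name__ == "__main__":
    for supplier in (PAYROLL_CO, COURIER_LTD):
        findings = assess(supplier, TODAY)
        print(f"{supplier.name}: {overall_rating(findings)}")
        for f in findings:
            print(f"  [{f['severity']}] {f['question']}: {f['issue']}")
```

With the constructed answers, Payroll Co produces no findings and rates low, while Courier Ltd rates high on the strength of two unanswered questions alone, before its stale restore test and expired Cyber Essentials certificate are counted. That is the point of scoring "I don't know" explicitly: a blank cell in a spreadsheet is easy to overlook, whereas a high-severity register entry is not.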
Some additional reading on why you should perform a supplier audit can be found below:
The National Cyber Security Centre (NCSC) has published 12 principles to help you establish effective control and oversight of your supply chain – https://www.ncsc.gov.uk/guidance/principles-supply-chain-security