Supplier assurance has long been a component of a company’s procurement process. You need to know that you can rely on a supplier, that they are dependable and financially sound. The procurement team will assess financial risk, insurance, standards, supply chain and continuity. They will determine the risk of working with a prospective supplier and whether a long-term working relationship can be established.
Cyber Security was often considered irrelevant or was overlooked, however several high prominence data breaches reported in the press over the past few years have made many procurement teams start including Cyber Security in their supplier assurance programs. Often the IT department is tasked with carrying out a one-off Cyber Security assessment of a supplier and feeding back to the procurement team with either a positive or negative result. This approach does not accurately portray a true image of a supplier’s Cyber Security assurance.
A more comprehensive starting point is to consider the impact criteria to assess how much inherent risk each supplier presents in cyber security terms. Do they process any personal or confidential data? Do they have access to your networks or systems? Do they have access to any APIs on your cloud-based systems? What level of harm will affect your business if a supplier suffers a breach and data loss? With these questions a cyber impact level can be determined, which will then determine the path to follow for cyber assurance.
Suppliers with the highest cyber impact should be adhering to the highest standards set out in ISO27001 or IASME Governance and should be assessed accordingly. Suppliers with lower impact should be demonstrating that they at least match the standards set by Cyber Essentials and should be assessed according to this framework. Using standards-based assessments gives the supplier the responsibility of demonstrating the level of cyber security controls they have in place, avoiding the need for hours of audit work.
There also needs to be a system in place to monitor suppliers ongoing compliance with cyber security standards. Repeat assessments should be carried out at least annually to ensure that suppliers are maintaining standards, or more often if there are concerns with an individual supplier or if improvement needs to be demonstrated.
The impact of the Covid-19 pandemic and the rush to provide remote working solutions for staff has only heightened the potential risk of cyber attacks to suppliers. Some companies may have already had secure solutions in place for remote workers, however many others had to act quickly to put systems in place without full consideration of the cyber security risks involved. Many will leave things as they are and not revisit their implemented solution to ensure it complies with security standards. This only increases the importance of including cyber security in your supplier assurance program.
For more information on how we can help to manage your Supplier Risk, please contact us on 0161 706 0244 or email info@cybersecurityspecialists.co.uk to speak with a member of the team.
Our Supplier Assurance Service can be delivered independently or as part of our CS360 Managed Security Service.