Expert advice from CPNI on how to protect your supply chain
Keeping your business secure includes considering your suppliers and complete supply chain. This starts with the right approach to procurement and contracts. Here, CPNI offers advice on how to embed security from the outset.
Targeting supply chain is nothing new
The risk of hostile actors targeting companies through their supply chain is not new. The 2020 targeting of SolarWinds with malicious code implanted in their customer’s software, an event that was quickly recognised as one of the biggest cyber security breaches of the 21st century, was just one recent example of how a supply chain can be exploited for malicious intent.
2022 demonstrated how fragile the global supply system can be to disruption. This experience highlighted the economic and societal importance of secure supply chains.
Market and geopolitical pressures have made the protection of organisational supply chains a priority. It is also critical that cost pressures on supply chains do not result in security requirements and standards being neglected or ignored. Getting security right from the start within your supplier procurement and contracts can end up saving money overall.
Reducing supply chain risks
Building your confidence in your suppliers starts at the very beginning of your procurement efforts. At the Centre for the Protection of National Infrastructure we have developed the Protected Procurement campaign, in partnership with the Department for International Trade and the Chartered Institute of Procurement and Supply, to help embed security into the procurement process from the outset, rather than relying on resource-heavy supply chain mapping after the fact. This guide gives your business the information you need to reduce the chances of supply chain risks developing and, for those that do, having the right contractual clauses in place to mitigate them.
Supply chains provide an opportunity that some states could seek to exploit to target businesses. While a resilient and diverse supply chain is important, this should not be prioritised above ensuring security is embedded throughout that chain. While you can take precautions, this does not stop a state targeting a 4th-tier supplier.
Some states may seek to exploit these supply chains, primarily to conduct intellectual property theft to advance their economic, technological, or even military advantage. You may not consider your technology to have applications to a state in these areas; however, some states may target you or your supply chain to fast-track their own capabilities and development.
Targeting does not just happen in the form of cyber-attacks. A company may be vulnerable to insider threats, physical attacks or even to unsecure or otherwise compromised technologies. In addition, the data your suppliers are holding may be held in overseas jurisdictions; some countries can legally compel companies to provide access to their data holdings. As such, it is key to align the procurement process with security protocols. While cost issues will always be at the fore when making procurement decisions, this should not be done at the expense of security.
Getting your contracts right from the start may well end up saving you later, when incidents occur in the future. Our Protected Procurement guidance focuses on the things you need to consider at the outset of the procurement phase to help reduce your risks through the supplier lifecycle.
While there is clearly a range of threats out there, there are some simple questions to ask yourself to start embedding security into your supply chains. It is key to consider:
- The domestic laws that an overseas supplier may be bound to and what risk this may pose to your data.
- How can the employees and contractors of your suppliers access your data? Are there appropriate access controls and protective monitoring in place?
- Can a state-backed entity invest in your supplier and buy access to your data?
- How secure is the technology your supplier is using? Is there a backdoor that can be exploited to access your data?
- How is the physical security at your suppliers’ sites, and how secure would your data or resources be in transit?
Going forward into 2023 we recommend embedding the following three principles into your approach to supply chain security:
- Eliminate – if a specific activity you planned to outsource provides suppliers with an unacceptable level of access to business-critical assets, deliver the activity in-house if possible.
- Mitigate – if outsourcing exposes more of your business-critical assets than you are comfortable with, reduce the shared assets to minimise your exposure.
- Accept – in some circumstances you may find it difficult to set security expectations for suppliers where they dominate the market. In this instance, do what you can to embed as much security as possible throughout your procurement process.
For more information and further practical advice to embedding security principles into your supply chain, please consult the Protected Procurement guidance on our website.
Always remember, vulnerabilities in your supply chain can compromise your reputation, your profits, and your products. It is vital to take responsibility for the security of your own supply chain and make sure that your suppliers are as security aware as you are. Where supply chains are concerned, you are only as strong as your weakest link.
Centre for the Protection of National Infrastructure
For further articles from CPNI: