- Customer / client, supplier and partner data is held increasingly on disparate, distributed databases, so one vulnerability could compromise the integrity of the entire chain.
- Data could also be shared between more links in the chain, for example via email or single point of access online portals.
- Every time a new organisation joins the supply chain, the risk of a security breach increases.
- Financial safety, employee safety, intellectual property, data compliance, finances and reputation are all at stake, for all organisations in the chain.
Achieving acceptable standards in the supply chain
Therefore it is essential that every organisation in the supply chain has secure systems and practices, can demonstrate this to the others in the chain, and also has confidence in the others in the chain.
It is likely that the organisations in the chain will differ in structure, business model, working practices, information infrastructure and size, and will also work to different standards in terms of their own cyber and information security, and how they assess those of others, including your organisation.
As a starting point, it is your responsibility to ensure that you deploy good levels of security in terms of technical safeguards, procedures and practice, and employee behaviour.
You should also establish, at the earliest possible point in your entry into the supply chain, the existence, nature and level of security required (if any), and agree or negotiate according to your own requirements and standards, and those of your partners in the chain. Large partners are more likely to have rigid stipulations, but these may vary according to the size and nature of your organisation and its role in the chain. It may be that one of the levels of the IASME or Cyber Essentials certification is acceptable.
You may be able to achieve an acceptable standard, and assess that of your partners in the supply chain, internally or with the aid of an external consultant. The advice provided on this site is intended to help you determine the areas to be scrutinised and provides information and advice specific to those areas.