Collaborating with suppliers and partners


There are four reasons why cyber security is a key consideration when collaborating with suppliers and partners:

  1. Every supplier or partner relationship adds routes into, and external touch points on, your organization. If any one of them is compromised, you are also at risk.

  2. You may be targeted as a way into the organization you are supplying.

  3. Your suppliers may be targeted as a route into your organization.

  4. You may be sharing sensitive or valuable data or information that you want suppliers to protect.

Being able to demonstrate a good level of cyber security is increasingly a key component of supplier and provider contracts, and is already a requirement for many government contracts.

What should the Board do?

Build cyber security into every decision

All organizations have a relationship with at least one other organization, whether that is the provider of your email service, the developers of the accounting software you use, or your traditional procurement supply chain. Most organizations rely on many such relationships. Each relationship carries a level of trust, normally in the form of some access to your systems, networks or data. There are therefore three key things you need to ensure:

  1. That this access doesn’t provide a route for an attacker to gain access to your organization, either through deliberate action or unintentional consequence.

  2. That any partner or supplier is handling any sensitive data appropriately and securely.

  3. That any product or service you buy has the appropriate security built in.

Cyber security risk should be a key consideration in any decision on new relationships or collaborations. This includes decisions on suppliers, providers, mergers, acquisitions and partners.

What should your organization do?

Identify your full range of suppliers and partners, what security assurances you need from them, and communicate this clearly

Review your current supply chain arrangements to ensure you are setting out your security needs clearly and identifying the actions you need to take as a result. If you yourself are a supplier, ensure you meet the security requirements set for you by your customer as a minimum.

Ensure that the security requirements you set are justified and proportionate, and that they match the assessed risks to your operations. Be mindful of where your suppliers currently stand on security, so that you can give them realistic time to make any necessary improvements.

Get assurance

Security should be built into all agreements from the start, and you should have confidence that your security needs are being met. Depending on your relationship with the supplier or provider and on your resources, you could seek assurance of this through testing, auditing or adherence to accreditation standards.

Consider the implications if your supplier is compromised

No matter how comprehensive your security agreements with your partners are, and no matter how well they implement their controls, you should assume that your partners will be compromised at some point. Plan the security of your networks, systems and data with this assumption in mind. It is also worth covering this in your security agreements: what do you expect of them, and of their response? Do they have to notify you? Do they have to assist you if you are consequently also compromised?

What does good look like?

The following questions can be used to generate productive discussions with your technical team. The aim is to identify what constitutes ‘good’ cyber security in terms of supply chain security.

Q1. As an organization, how do we mitigate the risks associated with sharing data and systems with other organizations?

You should:

  • Have a good understanding of your suppliers and of what data and networks they have access to, and have a process for keeping this up to date.

  • Set clear expectations of how your partners protect your data and access your systems.

  • Build security into all relationships and agreements from the start.

To do this you might:

  • If you have a very large number of supply chain companies, agree processes with your main suppliers on how they sub-contract any work, and specifically what obligations they have to inform you.

  • Choose organizations that can demonstrate the security of their defenses. For example, an organization that carries out regular penetration tests and acts on the findings can show you its residual vulnerability, not just its policies.

  • Limit services exposed and information exchanged with other organizations to the minimum necessary.

  • Implement user and system authentication and authorization before access is granted.

  • Audit any sensitive actions or data exchange/access.

Q2. As an organization, how do we ensure that cyber security is considered in every business decision?

Security should be embedded in your culture and strategy, and should therefore be consciously considered in any decision regarding procurement, mergers or acquisitions. If there is a process for making those decisions, security can be explicitly identified as a relevant consideration and any conclusions recorded.

Q3. As an organization, are we confident that we are fulfilling our security requirements as a supplier?

If you are a supplier to other organizations, you are exposed to increased risk: both reputational risk (if your product causes your customer to be compromised) and operational risk (since you now provide access to more, and potentially more valuable, organizations, which makes you a more attractive target). You should:

  • Know how you would respond should your organization be compromised, putting at risk partner networks you are connected to, or customer data you may hold.

  • Have a good understanding of your customers and the impact they may have on your threat profile.

Q4. As a Board, do we have a clear strategy for using suppliers, and have we communicated it?

If procurement and supplier decisions are devolved below the Board, have you clearly described:

  • What risk you are willing to accept in using suppliers. For example, if your organization is compromised through a supply chain attack you may not be exposed to the same level of reputational risk as if you were directly compromised, but you may be exposed to the same level of financial risk.

  • What your expectations of suppliers’ security are, and how much you are willing to pay for better security. For example, if company A is more expensive but also more secure, how much cheaper would company B need to be to make it the better option?

  • What opportunities you are trying to exploit. This should be supported by an awareness of what you are able to cater for within your organization and what you will outsource. For example, if you assess that it is not feasible to support your own data storage, do you take advantage of the competitive cloud data storage market?

  • What your appetite is for working with partners or suppliers overseas.