“No man is an island, no man lives alone.” – John Donne
All organisations have a supply chain: a reliance on others for a variety of products and services. From complex software solutions to logistics to pens and paper, they are a constant of every day. But what do you do when they fall down due to cyber-attacks? How likely is your supply chain to succumb to cyber criminals? Do you know your supply chain’s cyber resilience?
Before we discuss a solution, let’s look at the cyber challenges at hand. When onboarding a third-party supplier, it is essential to perform due diligence. In the past, this would have involved reviewing the supplier’s financial position and their reputation as a quality supplier. Can you trust them as part of your supply chain? The digital age now requires changes to these questions and adds one more: are they a risk to your systems and data?
The rise in supply chain attacks has been astronomical, with a 430% increase in 2021 alone. The recent attack on Advanced Software caused the temporary shutdown of NHS 111 services, and pulled social care providers back to pen and paper for months.
“So KryptoKloud, what should I be asking my third-party suppliers?”
Here are some key considerations for cyber due diligence when onboarding a third-party supplier:
Reputation: Research the supplier’s track record regarding cybersecurity. Look for any previous security incidents or breaches associated with the supplier. Assess their commitment to cybersecurity and their ability to meet industry best practices.
Security Policies and Procedures: Review the supplier’s security policies and procedures to ensure they align with your organization’s standards and best practice. Evaluate their approach to risk management, incident response, data protection, access controls, and employee security awareness training.
Compliance and Certifications: Determine if the supplier complies with relevant industry regulations and standards, such as Cyber Essentials, ISO 27001 or certifications specific to your industry.
Data Protection and Privacy: Assess the supplier’s data protection and privacy practices. Determine how they handle sensitive data, such as personally identifiable information (PII) or intellectual property. Verify that they have appropriate measures in place to protect data confidentiality, integrity, and availability.
Supply Chain Security: Understand the supplier’s own supply chain security practices. Ensure they conduct due diligence on their subcontractors and vendors to maintain the integrity of the supply chain.
Incident Response and Business Continuity: Inquire about the supplier’s incident response capabilities and their ability to recover from cybersecurity incidents. Evaluate their business continuity plans to ensure they can continue delivering services in the event of disruptions or breaches.
Physical Security: If the supplier has physical infrastructure or data centres, assess their physical security measures to protect against unauthorised access, theft, or physical damage.
Ongoing Monitoring: Establish mechanisms for ongoing monitoring and assessment of the supplier’s cybersecurity posture. Regularly review their security practices, conduct audits or assessments, and request security reports or updates.
Following these steps allows your team to feel confident in your supply chain’s cyber resilience. However, it requires expertise in both cyber due diligence and the mechanisms involved within the supply chain. This is a heavy demand on resources, meaning that it can be overlooked.
The team here at KryptoKloud have been listening to the concerns of clients and working towards an effective solution. With our extensive cyber due diligence pedigree, we are now proud to launch our brand-new 3rd party supply chain service –
Audited Due Diligence Engagement Report
We developed this innovative service through a combination of our years of extensive experience, alongside alignment with internationally recognised security and data protection frameworks. With an extensive review of the above topics (alongside many more), we ensure that you and your board clearly understand each supplier’s cyber risk to you.
If you would like to learn more about how to effectively and efficiently manage your 3rd party supply chain in the digital age, contact us here.