Alex Williamson

Managing Principal

  • Privacy
  • Cyber Security

08 Mar, 2021

Deconstructing the principles of supply chain management

In our last article we established that outdated Third Party management techniques have given rise to an exponential increase in cyber-attacks targeting the extended enterprise. As the SolarWinds attack last year showed, careful consideration of your extended enterprise (your suppliers/third parties and their suppliers/third parties) is vital.

Established practices for third party due diligence – the ‘once and done’, procurement-led approaches – are no longer adequate given the evolving threat environment. Effective, continuous monitoring, assessment, and active management of critical and high-risk third parties (and the components used to deliver their services) are now needed.

We will now explore the 5 core principles we introduced in greater depth and show how they might be applied by an information security team before, during and after engaging with a prospective supplier.

1st Principle – Define Expectations: Mandate a set of security expectations and requirements in every RFP and contract with any future partner.

A supply chain is often a complex, interconnected and interdependent web of suppliers and vendors which requires careful, coordinated management to ensure the protection of information being shared with Third Parties.

Establishing a set of security expectations for prospective Third Parties is essential. Mandating information security expectations for your supply base provides a baseline level of security assurance and with it, confidence that your suppliers will protect your information assets.

However, these should be informed by your own organisation’s security strategy, policies and importantly, risk appetite. For example, is it part of your strategy to be ISO27001 accredited? If not, would you have a coherent reason as to why it is important that your suppliers are?

It is crucial that your organisation understands the minimum security requirements it is willing to operate at before developing the standards you will demand of your supply chain.

As head of security at a nuclear power plant, you wouldn’t settle for installing smoke detectors, just as you wouldn’t create a mass evacuation plan for the local town in case the corner shop you owned burned down.

Make no mistake, conducting due diligence requires time and effort from both parties. If an organisation is making security demands of its suppliers which are surplus to its real needs, it risks creating a misaligned security strategy across its extended enterprise as well as wasting effort and time. These of course could be amplified depending on the size and security maturity of the supply chain.

Ultimately, your security expectations of suppliers should ideally match and not fall short of your own security standards. Indeed, dare we say it, they should only rarely need to exceed an organisation’s security standards.

Reciprocally, however, not all suppliers are equal – in scale, size, and scope of the services they are delivering. Consideration should be given to the sensitivity of the services your suppliers are providing, as well as their security capabilities and maturity. It is important, as mentioned in our first article, that relationships of trust be adopted: if the supplier does not have the means to remediate a risk, can you, in partnership, mitigate it?

2nd Principle – Continuous Due Diligence: Complete thorough security due diligence on any supplier or vendor before beginning any partnership and, vitally, on an on-going basis.

Historically, when an organisation partners with a supplier, due diligence has focused on financial and logistical arrangements. Security requirements have traditionally been left to Compliance and Legal teams to resolve. However, we need to move beyond the outdated tick-box exercise which confirms a Third Party’s security accreditations and certifications at a single point in time.

Industries, businesses, and economies all change, and the context of an enterprise’s security programme or risk appetite can be drastically altered in a matter of weeks or months. See the impact of COVID-19 as but one example of the effect that unexpected events can have on global business operations!

A supplier’s commitment to both their own and their prospective clients’ on-going information security is required. Full, on-going, transparency between your enterprise and your suppliers’ security capabilities is critical to avoid business-unacceptable exposure to emerging security risk in the Supply Chain.

As such, reassessment of supplier security expectations and capabilities should form a critical component of your on-going programme of due diligence, perhaps by leveraging external security rating suppliers to support continuous monitoring. Whilst best practice may vary from enterprise to enterprise and be informed by the criticality of the supplier, the foundation of thorough, continuous due diligence should be a bulwark in any enterprise’s security programme.

As evidenced by the SolarWinds hack, being able to understand your critical service providers and the services they are using to deliver their service is essential. You cannot manage what you don’t understand – being able to rapidly respond to an accelerating threat environment is key.

This is not to say that early engagement with potential suppliers is not important. Such engagement can reduce time spent on-boarding the services of a Third Party. It may even rule out suppliers before too much effort is invested.

Ensuring information security teams liaise prior to the start of contractual negotiations may save the business both money and time.

Ultimately, assuring that a prospective supplier’s security capabilities match expectations, or that any shortfalls can be mitigated to acceptable standards once a partnership is formally agreed, is vital. It is imperative that due diligence of the extended enterprise is continually maintained and that controls are kept up to date.

3rd Principle – User Awareness: Alongside providing your own employees with comprehensive security training, make sure that your suppliers’ and vendors’ employees are equally well prepared.

Wholesale organisational security training is a core tenet of almost all security programmes. It can be the difference between a successful spear phishing attack and its failure, or the mitigation of a tailgating incident and a serious blunder. So why do we so regularly find that due diligence does not mandate security training requirements to all suppliers in the extended enterprise?

Your employees may have access to top-of-the-line resources on all manner of security threats with cyber awareness rivalling only that of your own CISO (if so, full credit to your incumbent information security team on that front!). However, it is astonishing how frequently organisations fail to secure insights into their Third Parties’ security awareness. The benefits of your own employees’ security awareness can be severely undercut if suppliers are failing to educate their own workforce about potential security threats they may encounter.

With 88% of organisations around the world facing targeted spear phishing attacks in 2019, your business’ security is reliant upon not just the awareness of your staff, but the mindfulness of your Third Parties’ too. As such, before partnering with another organisation, you should gain an understanding of what information security training policies are in place and the training their staff complete. If they fail to meet your requisite levels of comprehension, you could suggest the use of supplier security workshops, or a joint awareness programme to ensure that your extended enterprise operates at a universal, minimum standard of security awareness.

4th Principle – Aligned Incident Response: Ensure all information security teams/SOCs are aware of all data access points and what constitutes an anomalous or unauthorised entry.

In addition to requiring company-wide awareness of potential cyber-attacks, there is a very good reason you pay your information security professionals, SOCs and operational teams. They constitute an organisation’s front-line defences against security threats and just as within any battle, you need your troops prepared for all eventualities.

Clear, concise processes are your information security team’s best friends; preparing remediation roadmaps and playbooks for worst-case incidents forms the cornerstone of any organisation’s business continuity plan.

It is vital that an enterprise’s information security team establishes appropriate communication points between all Third Parties to ensure decisive action and swift resolution should an incident require it. As a minimum, playbooks must define what constitutes a critical security notification on Third Party, or internal, systems. They should have clear governance, detailing the specific actions, requirements, and expectations which suppliers must follow to prevent data loss or corruption within the extended enterprise. Ideally, within the extended enterprise, a ‘joint’ response plan can be developed.

5th Principle – Monitor Suppliers of Suppliers: In addition to using multiple layers of protection and authentication for access to systems, servers, and data, ensure wholesale awareness of a supplier’s sub-contracted services.

Keeping an up-to-date inventory of your organisation’s security tools and vendors is Information Security 101. After all, you can’t protect what you don’t know, and you can’t protect what you do know if you don’t know what defences you have and what shape they’re in. Monitoring and maintaining this inventory will be second nature to CISOs the world over.

Given our now accepted ‘extended enterprise’ we should also exercise this common sense when completing due diligence and auditing our supplier network. It is crucial to continually review your extended enterprise’s security tools and suppliers.

We will continue to bang this drum – as part of your extended enterprise, it is your responsibility to scrutinise and vet your suppliers thoroughly and on a continuous basis. To do this effectively, that scrutiny should include what protective measures they already have in place and where their own vulnerabilities may lie.

Ensuring your organisation has conducted, and continues to conduct, appropriate due diligence in alignment with your risk appetite, along with securing wholesale awareness of all your suppliers’ sub-contracted services, might end up being a difficult, arduous task. However, ultimately, it is a necessary one to ensure protection of your and your stakeholders’ information, because if you don’t do it, a cyber-attacker might take advantage (SolarWinds?).

Safeguarding a supply chain is not an easy job and it requires on-going management commitment and perseverance to protect it adequately. However, by adopting these 5 principles and getting to grips with the fundamental components underpinning each of them, you can refine and mould your organisation’s Third Party security on strong foundations. These will ensure you are well-equipped to deal with the ever-increasing threats faced by so many businesses today. Mandating a set of security expectations from the beginning, building a trusted relationship, in addition to early engagement with their security teams will save your organisation time, money and resources. If you do not build strong security foundations now, you may find yourself ruing a foreseeable incident in the future.

Alex started his career in the Royal Marines commanding operational information communications systems units overseas, in the UK and on a contingency basis. After leaving the Royal Marines, Alex worked in both consultancy and operational roles, most recently focusing on supporting clients in establishing their information and cyber security and resilience capabilities. With a passion for helping companies prepare themselves to deliver business and information resilience, his key areas of expertise include:

  • Understanding resilience and contingency
  • Tactical implementation of strategic intent
  • Financial Services, Government, Life Sciences
