Supply chain management is an essential component of any data protection and cyber security programme.
A BlueVoyant report found that 97% of organisations have been impacted by a breach in a supply chain.
In many cases, this involves the loss of personal data, but it could affect business processes in some circumstances.
For example, if an organisation were forced to halt production because of an attack, it would impact the lead organisation and potentially create a ripple effect through the supply chain, causing disruption and delay.
For that reason, supply chain data breaches often cause far more damage than a breach confined to a single organisation.
According to the IBM and Ponemon Institute Cost of a Data Breach Report 2021, organisations spend 9% more on average responding to third-party incidents than to breaches that affect them directly.
So what can your organisation do to enhance its cyber security supply chain risk management? In this blog, we look at three issues you must address.
1) Data flow mapping
The first step toward effective supply chain security is understanding what information flows through it.
After all, you can’t adequately protect sensitive data if you don’t know what information you have to begin with.
You can address this via a data flow mapping exercise.
Data flow mapping is an exercise that documents all the sensitive information you process and how it moves through your organisation and the supply chain.
The resulting map records each data item, its classification, the format it is stored in, how it is transferred (e.g. by post, internally, or to an external party), where it is kept and which third parties receive it.
Only once you have this information will you begin to understand your most significant risks and the sorts of security measures that you and the third party must implement to prevent data breaches.
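A data flow map is most useful when it is structured enough to query. The following is an added illustration, not DQM GRC's tooling and not part of the original post: it represents each flow as a record with the fields listed above and then derives the two things an assessor needs from the map, namely the flows that deserve attention first (sensitive data leaving the organisation without protection in transit) and the exposure of each supplier. The third function answers the question section 3 below raises, which data you would need to account for if a given supplier were breached. All suppliers, systems and flows are constructed sample data.

```python
"""Machine-checkable data flow map (added example; suppliers and systems are hypothetical)."""
from collections import defaultdict
from dataclasses import dataclass

# Data classifications that count as sensitive for the checks below (assumption).
SENSITIVE = {"personal", "special-category", "financial"}


@dataclass(frozen=True)
class Flow:
    item: str         # what data moves, e.g. "customer records"
    category: str     # classification: personal, special-category, financial, public
    fmt: str          # format it is stored/transferred in
    channel: str      # how it moves: sftp, email, post, api, internal-share
    protected: bool   # encrypted in transit (or tracked/sealed delivery for post)
    source: str       # system or team the data leaves
    destination: str  # system or organisation that receives it
    external: bool    # True when the destination is a third party


# Constructed sample inventory; none of these organisations are real.
FLOWS = [
    Flow("customer records", "personal", "CSV", "sftp", True, "CRM", "Acme Mailing Ltd", True),
    Flow("payroll", "financial", "XLSX", "email", False, "HR", "Example Payroll Co", True),
    Flow("health declarations", "special-category", "PDF", "post", False, "HR", "Occupational Health Ltd", True),
    Flow("marketing copy", "public", "DOCX", "email", False, "Marketing", "Design Agency", True),
    Flow("customer records", "personal", "DB", "internal-share", True, "CRM", "Analytics", False),
]


def risky_flows(flows):
    """Sensitive data leaving the organisation without protection in transit.

    These are the flows to fix (or to write explicit contractual controls for) first.
    """
    return [f for f in flows if f.category in SENSITIVE and f.external and not f.protected]


def supplier_exposure(flows):
    """Map each third party to the sensitive data categories it receives.

    Suppliers holding special-category or financial data warrant deeper due diligence
    than those that only receive public material.
    """
    exposure = defaultdict(set)
    for f in flows:
        if f.external and f.category in SENSITIVE:
            exposure[f.destination].add(f.category)
    return dict(exposure)


def affected_by_breach(flows, supplier):
    """Data items that would be in scope if the named supplier were breached.

    This is the list you need in hand before asking the supplier what was accessed.
    """
    return [f.item for f in flows if f.external and f.destination == supplier]


if __name__ == "__main__":
    for f in risky_flows(FLOWS):
        print(f"RISK: {f.item} ({f.category}) to {f.destination} via unprotected {f.channel}")
    for supplier, cats in supplier_exposure(FLOWS).items():
        print(f"{supplier}: {', '.join(sorted(cats))}")
    print("If Acme Mailing Ltd is breached:", affected_by_breach(FLOWS, "Acme Mailing Ltd"))
```

The point of keeping the map in this shape is that the questions change over time (a new regulator, a new classification, a supplier you want to drop) but the records do not, so the same inventory keeps answering them.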
2) Assessing suppliers’ security arrangements
Your organisation should be used to conducting internal cyber security risk assessments, but you should also be taking steps to review your suppliers’ risk management processes.
If you’re sharing sensitive information with another organisation or relying on its ability to provide a service, you need evidence that the supplier addresses security risks.
This isn’t only about reducing the likelihood of a data breach; it is also necessary from a compliance standpoint.
Under the GDPR (General Data Protection Regulation), a data controller remains accountable for personal data processed on its behalf and can be held liable alongside the data processor for security incidents that occur at the processor.
This is particularly true if the data controller doesn’t provide adequate, documented instructions on the actions needed to protect sensitive data.
Although most organisations require that third parties agree to a contract that states specific cyber security measures, you should take the extra precaution of conducting risk-based due diligence and, where appropriate, auditing the organisation’s practices.
3) Meeting your responsibilities
Organisations shouldn’t only focus on the steps suppliers take to bolster their security practices. They must also consider their own responsibilities for managing cyber security supply chain risks.
For example, given the damage that a data breach can cause throughout the supply chain, you should support third parties when they suffer a data breach.
This means creating an incident response plan that prioritises effective communication throughout the supply chain.
You should understand what information you need to provide suppliers in the event of a breach; equally, you need to identify what details you need from a third party if it is breached.
Another thing to consider is how communication channels might be affected in the event of a security incident.
For example, if a ransomware attack cripples your systems, how will you inform your suppliers of the incident?
In addition to the immediate aftermath of an attack, your incident response plan should account for correspondence with regulators.
Under the GDPR, a data controller must notify the relevant supervisory authority of a reportable breach within 72 hours of becoming aware of it, and a data processor must notify the controller without undue delay, so whether you or the supplier is the one reporting, you must be able to gather the relevant information about the breach within that window.
If organisations within the supply chain operate in different countries, it could mean dealing with more than one regulator.
Therefore, you must know in advance what your reporting requirements are and what each regulator expects.
Supply Chain Audit Service
If your organisation is looking for guidance on completing its supply chain audit, DQM GRC is here to help.
With our Third-Party Risk Management and Supply Chain Audit services, our experts will design a support and audit programme around the third party’s risks and controls and discover how effective its security mechanisms are.