As general knowledge of cyber security and security threats has increased in the last few years, there has been an increase in organisations investing in protecting themselves from these threats.
The challenge shown in qualitative research, undertaken by the UK government through its annual Cyber Security Breaches Survey, is that organisations have security high on their agenda but lack the knowledge, training, and time to put protective measures in place. This is evident when it comes to understanding the risks posed by an organisation's supply chain – only 13% of businesses and 11% of charities say they review the risks posed by their immediate suppliers.
A common question raised is “Why is this important?” In September 2023, a Met Police data breach saw the names and ranks of staff released. This breach wasn’t through a hole in their own security, but a breach at one of their suppliers, who was responsible for printing warrant cards and staff passes. Organisations share a lot of data with their supply chain, so it is very important they understand the risks that sharing could expose them to.
There are technical and organisational controls that businesses can implement with their supply chain to understand this risk and make informed decisions about who to work with.
1. Understand and document what data is being shared with the supply chain
Under the UK GDPR, this should be documented in the form of a Data Processor Agreement (DPA) between the organisation and the supplier. More information on what should be included in a DPA is available on the Information Commissioner's Office (ICO) website.
2. Understand and document how the supply chain will use shared data
This is included in the DPA, but it should always be a topic for discussion when picking a supplier. Knowledge about “data controllers” and “data processors” is often a specialist area, but an open discussion can give a good idea of what else that supplier might plan to do with the data shared with them. For example, would they market their own services directly to the customers whose data you give them?
3. Understand where the supplier will store shared data
Data being stored in the UK does not mean it is beyond the reach of other countries' law enforcement agencies. For example, the US Government, under the CLOUD Act, could request data stored in the UK from Microsoft/Amazon/Google, as they are US-owned businesses.
4. Understand how the supply chain will protect shared data
Third-party questionnaires may seem like a good idea but, in most cases, they are purely a tick-box exercise. Often, the people completing and reviewing them are not security experts, so their value as a tool for understanding the risk a supplier poses is low. It is always better to look for independently verified accreditations, such as Cyber Essentials Plus, ISO27001, and SOC, as you can be confident that experts in those areas have completed those assessments.
Although it is safe to share some information and data with supply chains, it is important to retain full control and understanding of what is being shared with them. It is recommended to find out how a supplier will use, share, and store shared data before signing a formal contractual agreement.
Sharp offers many business cyber security solutions to suit organisations of all sizes.