Manufacturing & Supply Chain

As we continue to navigate the challenges of the pandemic and the acceleration of technology to support business operations, it is evident that cybersecurity risks including third-party data breaches are becoming more common. Importantly, we are also seeing organizations starting to recognize the extensive impact that such risks can have on people, finances, and brand reputation.

Information resilience is vital for safeguarding an organization’s data (physical, digital, or intellectual property) as well as its client’s data throughout its lifecycle.

Data protection regulations such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) require organizations to protect and secure their data and that of their clients.

With the increase in cloud adoption, remote working, third-party data breaches and data protection regulation requirements, organizational security must become a key focus to advance information resilience across all departments and employees.

Addressing third-party supplier risks

When outsourcing to third-party suppliers to support supply chain IT systems and business processes, the risks can often expand to the suppliers. It is essential that due diligence takes place in any third-party selection process and that there is an extensive third-party and supply chain cybersecurity program in place.

Accountability and responsibility for the outsourcing of data management cannot reside solely with the supplier – it must be covered and managed by both organizations.

The risks for acquiring services vary from onsite physical and remote access to information and information systems, to offsite information processing, equipment, and applications. It can include lack of information security controls, inadequate governance, risk tolerance and compliance practice issues or over reliance on supplier services and capabilities.

Building a robust third-party and supply chain cybersecurity program 

Advancing your third-party and supplier cybersecurity program and allowing for agility and rapid scaling is paramount. The process needs to include internal controls, remediation process for any cybersecurity risks, creation of KPIs to manage effectiveness and for it to be set up to identify where improvements can be achieved on an ongoing basis.

Taking a proactive approach across all the organizations third-party suppliers, including building an open and honest relationship with them to ensure communications are received in the right way, will help to strengthen information resilience.

Organizations looking to review their current processes and programs should consider addressing the following:

• Review and identify the organizations’ stakeholders who are managing third-party suppliers and supply chains. 

• Make visibility and transparency a key focus, engaging with suppliers to educate them on the purpose of the program and updating them as relevant on the purpose and risks being managed.
• Define the supplier’s cybersecurity risk tiers and their degree of care at each level.
• Review the context of the supply chain relationship and its impact on the organization.
• Carry out an external cybersecurity posture scan with policy-based questionnaire responses. Ensure that it is monitored regularly and set realistic deadlines.
• Review suppliers not adhering to organizational requirements and create a response plan with the relevant stakeholder managing the supplier ensuring that it is acted upon and not left unattended.

• Implement a simple method of communication that works for both parties across the various channels.

Keeping data secure and reducing the risk of misuse along with decreasing cybersecurity threats is a step that all organizations need to be making proactively.

By adopting cybersecurity best practice organizations can reduce the threats posed to their data and strengthen their information resilience across their supply chain.

The Consulting Services team at BSI provides an expansive range of solutions to help organizations address challenges in cybersecurity, information management and privacy, security awareness and compliance. For more information visit bsigroup.com/cyber-ie