PONT Data&Privacy

Information security in the supply chain: how to get a grip on suppliers?

Collaboration between parties is happening at an ever faster pace and on an ever more global scale, driven by growing digital capabilities. The current corona crisis, however, clearly demonstrates the impact a global epidemic has on supply chains. Whereas the effect of limited supplies was evident early on, other consequences are now becoming apparent: consider sharp drops or surges in orders and the resulting changes in supplier selection. For many organizations the corona crisis is acting as a catalyst to rethink these kinds of strategies and processes. One such reconsideration, partly because of the growing role of ICT, concerns ensuring information security and privacy when selecting a supplier.

April 2, 2021

The Supply Chain

Virtually all organizations have relationships with multiple suppliers. In addition, many organizations sit somewhere in the middle of a chain, which in turn makes them suppliers to other organizations. All of this goes on continuously, and this supply chain, which comes in many guises and depths, has always been essential to business continuity.

Risks within the Supply Chain

Organizations have moved, and are still moving, to an increasingly digital environment, and this shift has not bypassed suppliers, and thus the supply chain, either. This digitalization goes hand in hand with an increase in cybercrime (hacks, ransomware, phishing and the like) at organizations, and because suppliers and customers are digitally connected, an incident at one organization often affects an entire supply chain.

Managing supply chains as a distinct part of business operations has become increasingly important for competitiveness in recent years. The more global and more digital nature of the supply chain, together with its complexity, increases the likelihood that digital problems enter an organization from within the supply chain and are then passed on through the rest of the chain. If an organization's supply chain consists of a single supplier that delivers to the organization, which in turn delivers directly to the end user, the number of opportunities for an outside (criminal) breach is normally smaller than when the chain consists of a large number of (international) organizations.

Added to this is the fact that the focus, which for quite some time has been on supply chain optimization to minimize costs, has reduced buffers. As a result, absorbing delays and disruptions has become increasingly difficult.

Preventing risks

For many, the corona crisis has accelerated the realization that existing strategies and processes are not always effective enough. Responding in time requires (ongoing) insight into the likelihood and impact of risks to vital organizational units throughout the supply chain. A proven way to gain that insight is to apply risk management.

Risk management is a continuous process in which, with respect to an objective (in this case, controlling supply chain risks), risks are identified, assessed and treated. If an organization treats the supply chain as an integral part of its risk management, it implicitly creates a sound basis for a reasoned selection of measures appropriate to a given risk profile.

To better arm yourself against possible attacks, risk arising from the supply chain is a real risk to take into account. How great that risk is must be assessed, and it depends in part on the risk appetite of your suppliers: the more risk they accept, the greater the likelihood that a risk materializes at the customer organization. The maturity of an organization's risk policy also plays a major role. Is it well on the way to being "in control" of its risks, or is there hardly any awareness at all? This too you should investigate, not only at your own organization but also at your suppliers.

In doing so, bear in mind that you often deal with multiple supply chains and therefore need to conduct multiple assessments. After all, your organization does business with multiple suppliers, and each of them is in turn part of a "separate" supply chain.

The supply chain is bigger than the ordinary supply chain

In addition to the suppliers mentioned above, the supply chain may be larger than you think, because you also deal with more or less universal suppliers. Consider, for example, your website builder, who technically may touch, or may have touched, almost everything within your organization and may have left something behind, such as accounts, access paths or code that are no longer needed. Other software in use within your organization may likewise contain things you would rather not have brought in.

Supplier Selection

But how do you know whether a supplier is the right one from an information security perspective? For starters, it is important to understand the risks you face, what you are transferring to your supplier and how you would secure it yourself. Think, for example, of transferring critical information or granting access to your infrastructure and critical systems. It is also important that your supplier offers insight into its own risks and the measures it has taken to mitigate them. You can ask your (future) supplier, and yourself, at least the following:

  • Is the information I transfer to my supplier or the process my supplier is part of critical to my business operations?

  • Is this adequately protected?

  • How will continuity be ensured?

  • Where will my critical information be stored?

  • What vendor systems, processes and infrastructure are critical?

  • How will the continuity of this be ensured?

  • Are the measures taken and the infrastructure of both parties comparable?

  • Are employees knowledgeable?

  • Which suppliers does the supplier itself work with?

Good answers to these and similar questions give you a clear(er) picture of the state of affairs of the parties within your supply chain(s) and of the information security risks within them. Taking these matters into account allows you, when engaging a supplier, to set appropriate requirements for the security of information at that supplier, and so to protect your own organization via that route.
