State-backed hostile actors may have access to your assets and data without your knowledge © Photo by Contributor via GettyImages

The six 'hostile actors' threatening supply chains

13 May 2022

Six “hostile actors” have been identified as threatening the security of supply chains in new guidance for procurement professionals.

The guidance, called Protected Procurement and developed by the UK’s Centre for the Protection of National Infrastructure (CPNI) and the Department for International Trade, in partnership with CIPS, highlights the danger of supply chain attacks that put “both reputations and profits at risk”.

The guidance said along with cyber-attacks, supply chains were vulnerable to insiders and physical attacks, while outsourcing was a significant part of business but “every activity outsourced gives away some control over business functions and assets which can add to risks”.

By building security into the procurement process, companies can both cut costs and manage risks before they threaten supply chains.

When suppliers have weaker security measures in place, or a broad client base serving “organisations of interest”, they become targets for hostile actors.

The six hostile actors are:

1. Alternative legislation 

Suppliers outside the UK may be bound by different laws about the storage of and access to assets. This means other countries might have access to your information without your knowledge, simply because of where the supplier’s operations are located.

2. Company insiders

Your suppliers’ employees or subcontractors may have access to your data and assets. Sub-par personnel security checks in your supplier’s company may fail to detect and disrupt insiders attempting to access your systems and sell on sensitive commercial data, whether to competitors or to another state.

3. Foreign states

State-backed hostile actors can invest in suppliers and gain access to your information. This ownership, or even just influence, can lead to unintended exposure of your assets, even when the initial agreement did not involve such an influence. Foreign states may purchase or be involved in the purchase of companies holding sensitive data for you.

4. Technological dependencies

Use of technologies by your suppliers to store and protect your data and sensitive assets is no guarantee of safety. These technologies can be linked to your company’s systems, providing backdoor access to hostile actors, or possess inherent vulnerabilities that could be exploited to expose critical assets. These assets could fall under foreign laws, too, providing states with undetectable access to your information.

5. Physical attackers

Supplier sites are vulnerable to physical attacks on the assets they hold, whether at the sites themselves or while these assets are being transported. If a supplier’s physical security is vulnerable, assets could be destroyed, disrupted, or accessed by unauthorised parties.

6. Hackers

Cyber security vulnerabilities in supplier IT systems may provide hackers with indirect access to your own systems or information. If they become infiltrated, links between your company and your supplier become direct routes of undetectable attack for hostile actors.

Every part of the supply chain adds an element of risk and hostile actors will actively look for the weakest link, said the guidance. It said protecting procurement processes was a continuous cycle of decision-making, evaluation, and auditing.

The guidance sets out the following steps procurement teams should take to mitigate risk:

a) Oversight

Top-down governance will help guide function and ensure your processes are protected. Integrate procurement teams into security management, connecting them to physical, personnel and information security managers.

Together these teams will be able to share their tools and ensure holistic protection. Importantly, supply chain risks should be made part of your organisation’s risk register. Visibility of high-risk suppliers, of those with access to sensitive information, and of the overall process will enable managers to set clear policies and create a strong security culture.

b) Outsourcing

Threats must be taken into consideration when deciding which activities to outsource. Ask how much damage supplier exposure would inflict if the outsourced activity were compromised. Limiting this damage will be key to managing risks.

Assess security risks and assign suppliers to tiers based on the level of exposure they represent. This will allow procurement to influence embedded security protocols and ensure that the right questions around due diligence and supplier assurance are asked.

c) Selection

Due diligence covers financial, reputational, security and reliability risks. Regular repetition of this security assessment should take place, particularly after significant breaches or changes in operation.

If suppliers meet due diligence standards, procurement can continue. If not, the team should consider using alternative suppliers, levying additional security requirements, or judging whether the additional risk is acceptable.

d) Contracts

Embedded security means building accountability and responsibility into contracts. Including security at the initial stage, and cascading it throughout the supply chain, will save money down the line. Processes should be established for judging and ensuring that standards are maintained, communication is continuous, and reviews are both independent and regular.

e) Performance

Checking and maintaining supplier performance can be done through audits and stress testing, such as tabletop and live exercises. Simulations will help understand incident management limits.

Effective crisis management should include predefined governance, clear identification of the threat level, widespread familiarity with the response policy, immediate availability of supplies and support, and constant, secure communication channels.

f) Termination

Termination clauses should protect assets. Suppliers should not retain legacy access to assets unless this is explicitly specified within the contract.
