Map your supply chain to prevent cyber risk

26 May 2023

The National Cyber Security Centre (NCSC) has issued new guidance about how organisations can better protect their supply chains against risk.

The move comes after it found just one in ten firms review the potential risks their direct suppliers pose.

Commenting on the guidance – which primarily urges firms to map their supply chains for cyber risk – NCSC deputy director for government, Ian McCormack, said: “Cyber attacks resulting from vulnerabilities within the supply chain can result in devastating, expensive and long-term ramifications for affected organisations, their supply chains and their customers.”

He added: “Despite these risks, many companies lose sight of their supply chains.”

According to the NCSC, better mapping of supply chains helps eliminate cyber risk by providing insight into the cyber security considerations that could be enforced through contracts. It also says this leaves firms better prepared to respond to supply chain-related cyber incidents.

Amongst its recommendations it calls for firms to:

1. Identify important information 

Procurement teams should – it argues – make a full inventory of their suppliers and contractors and establish how they relate to each other.

It says firms should also establish what services are being provided by what suppliers; should store information about when suppliers were last assessed; and plan for when the next assurance assessment is due.

Additionally it suggests firms should also hold information about all certifications, including ISO certification and product certification.

However, it noted that this information can be an attractive target for attackers, so any such data needs to be held in a secure repository.

2. Contract terms

The guidance advises procurement teams to introduce better terms into contracts to ensure the information listed above is provided as standard.

It says terms could include: 

  • Incident management responses and requirements setting out timeframes for responding to a cyber security breach
  • Requiring that data is protected through authentication and encryption
  • Regular cyber audits of suppliers

3. Plan for risk 

The NCSC recommends firms create a playbook to deal with situations where an incident may occur, so procurement teams are ready to coordinate efforts across the extended supply chain. This includes coordinating effort amongst any third parties, such as law enforcement, as well as regulators and even customers.

It further recommends that procurement teams document what new measures procurement needs to undertake as a result of any supply chain mapping.

According to the DSIT 2023 Security Breaches Survey, just over one in 10 businesses review the risks posed by their immediate suppliers (13%), while the proportion for the wider supply chain is half that figure (7%).
