The regulatory landscape for UK companies in respect of information security assurance is changing. According to the 2013 Information Security Breaches Survey by the Department for Business, Innovation and Skills, 93 per cent of large organisations and 87 per cent of small businesses experienced a security breach last year. In addition, affected companies experienced roughly 50 per cent more breaches on average than a year ago.
One of the weakest links can be the supply chain, especially where important functions have been outsourced to the cloud or to smaller service providers. Bodies like the Information Commissioner's Office (ICO) and the Financial Conduct Authority (FCA), and even the European Commission, are taking steps to make CEOs more rigorous with their suppliers and trading partners when it comes to risk assurance. This means that, where necessary, they will not hesitate to impose tough penalties to make an example of those found wanting. At present, the ICO has the power to fine organisations up to £500,000 for failing to prevent data breaches.
The most common way to assess potential supplier risk is to issue questionnaires in spreadsheet format, distributed via email. Questions may relate to regulatory standards like ISO27001 and the Payment Card Industry Data Security Standard (PCI DSS), as well as to internal practices and requirements that are specific to each organisation. The absence of any universal standard for supplier assessment questionnaires makes the task of auditing suppliers extremely time-consuming and inefficient.
As everyone constantly audits everyone else, the administration burden quickly builds to overload. It is not uncommon to find hundreds if not thousands of spreadsheets in circulation between multiple stakeholders. At this point the spreadsheet, versatile as it is, becomes unmanageable. Auditors have to spend valuable hours sifting through the mass of data when what they really need is a quick way to check everyone's compliance status and identify immediately which suppliers represent the greatest risk.
Senior managers have for too long relied on spreadsheet questionnaires to audit their supply chain. The process is inefficient, labour intensive and runs the risk of giving results that are not fit for purpose. A cloud-based approach will streamline and automate the process. Another benefit of using a software-as-a-service platform is that it is simple to implement, offers a lower point of entry and significantly reduces the risk of project failure. The approach is versatile enough to accommodate any existing processes, allows auditors to see the status and progress of their programmes at a glance, and incorporates business analytics to help assess which parts of the supply chain represent the greatest risk.
One thing you can be sure of: spreadsheets on their own cannot be relied upon to help you spot all the risks in your supplier assurance programmes.
☛ Richard Hibbert is CEO at SureCloud