The supply chain is never too far down on the agenda of potential security threats...and even more so during the COVID-19 pandemic.
Risks are certainly exacerbated by the crisis, the normal checks and balances might not be possible - on-site assessments are out the window, and the usual evaluations might no longer be accurate.
On this week’s teissPodcast, we spoke to Steve Durbin, Managing Director of the Information Security Forum (ISF), who outlined the information and privacy risks to watch out for in the supply chain during our current global crisis.
In case you didn’t have time to listen to the podcast, here’s a brief summary of the points raised below.
Should companies alter the way they approach risk?
Steve says that the risk appetite of an organisation is determined by the business.
“Security has a role to play by providing the right input but it comes down to a straightforward decision on the part of the business leaders as to whether or not they want to accept a certain degree of risk or whether or not they want to mitigate a certain degree of risk,” says Steve.
“Right now during the current pandemic, organisations and suppliers are going to have to reach an element of compromise in some areas,” Steve stresses. You can’t expect to have the same level of security as you might have had before.
His advice is to focus on the “critical information assets”: what is it that you absolutely need to keep confidential?
Once you look at the critical assets, then ask yourself, are we going to accept that risk or can we mitigate some of that risk? Then have a sensible conversation with the business leaders and with the suppliers.
Engaging a new supplier in a hurry?
Right now, the correct and traditional vetting processes might not be possible, so how should one conduct the right checks and balances when assessing a new supplier?
Where possible you should seek online alternatives to verify certain controls have been implemented and proof of compliance.
Steve also recommends you look at who else they are supplying to. Suppliers are often overwhelmed by requests, so instead, why not investigate who they’re supplying to - is it an organisation you're familiar with? Do you believe they share the same security principles? It’s an effective, alternative approach to evaluating a potential supplier.
How can companies maintain visibility of their supply chains now?
Visibility of the whole supply chain is sometimes challenging to achieve. What’s the best way of maintaining visibility now?
“It’s about having that ongoing dialogue,” Steve says. Obviously something which is easier among those who’ve developed those relationships beforehand and spent time nurturing a degree of trust.
Communication is also key - sharing information, sharing best practice and sharing that level of awareness of where the challenges lie, Steve adds.
No such thing as too much communication?
During these tense times, it might make sense to communicate even more than usual with your suppliers. Steve doesn’t agree that that’s always the best approach.
“You should be communicating regularly, but more importantly, you should be communicating when it’s relevant,” he advises. Bombarding people with information which doesn’t add value is pointless.
Every time you communicate with your people, consider whether it's adding any value.
Ask yourselves, “Is there something in there that you're contributing that people had not perhaps thought about? Do you really need to share that communication?” If you can answer yes to these questions, then absolutely reach out.
ISF Top Tips for Supply Chain Security During the COVID-19 Outbreak, which is worth reading. To listen to Steve discuss the topic in more detail - do listen to his interview on the teissPodcast.