Cloud and Other Supply Chain Security: What Questions to Ask

Supply chains tend to be incredibly complex. As a result, many organizations struggle with their supply chain risk assessments.

Yet the risks in the supply chain are significant – particularly with situations like MOVEit Transfer, when threat actors exploited a zero-day vulnerability in software used by thousands of organizations across the globe (and still counting).

So, how can organizations simplify their supply chain risk management?

Identify critical assets

The first step is to identify your critical systems, services, and data – the ones that are sensitive and/or that you couldn’t run your business without.

Then, look at what the risks to those critical assets are. Or, in the case of supply chain management, which suppliers may affect them.

Why narrow your focus to just the most critical assets?

Many organizations have a thousand or more suppliers. This is difficult to manage, and it would be unrealistic to thoroughly audit all of them.

This is why focus is important.

While you may have hundreds or even thousands of suppliers, only 30 or so may be critical to your operations – in other words, just a few per cent.

So, categorize your suppliers by asking yourself questions like:

  • Which suppliers are critical?
  • Which have access to our most sensitive data?
  • Which are running systems that, if disrupted, prevent us from doing day-to-day business activities?

Concentrate on those suppliers first.

Outsourcing means sharing the risk – not getting rid of it

Organizations, and especially managers, often see outsourcing a service as outsourcing a problem. In fact, outsourcing simply changes, rather than eliminates, the nature of the risks. Some people refer to this as ‘sharing’ the risk.

This brings benefits – it can be a good way of addressing a risk. One example of this is taking out insurance.

Risks and benefits of the Cloud

Another option is to move your information into the Cloud. You’d then get the real benefit of access to technical services and functions you may not have internally – particularly not if you’re a smaller organization.

However, this isn’t a ‘free lunch.’

Such benefits also come with risks. Specifically with the Cloud, you become reliant on security measures over which you have limited or even no control.

Due diligence checks

So, before you send data into the Cloud, ask questions like:

  • Who can access the data? Just your service provider, or other third parties too?
  • If third parties can access it, what is their security like?
  • What about the provider: How strong is its security?
  • If you delete data at your end, is it really deleted?

With that final point, remember that you’re dealing with virtualized servers. Those are often part of huge infrastructures that are backed up elsewhere. That’s very different from conventional servers, whose hard drives you can physically destroy.

So, again, where is that information, and can you truly delete it?

Also, recognize that with the Cloud – and other service providers – there’s a trust boundary involved: You must trust the other party to do what they say they’re doing.

However, you don’t have to go on their word alone. Asking questions such as the above is a great place to start. You can also check whether they have ISO 27001 certification or similar independent assurances of their security.
Supply chains can involve significant security risks. But the better you understand your risks – in and outside the supply chain – the better you can articulate them.

Moreover, by recognizing the risks, you can:

  • Weigh them up against the benefits
  • Address them

This way, when making a decision about outsourcing, you’re looking at the full picture – not just the benefits.

Ready to reduce errors and improve completeness of your risk management processes?

CyberComply is a Cloud-based, end-to-end solution that helps you manage all your cybersecurity and data privacy obligations in one place.

You’ll gain immediate visibility into critical data and key performance indicators, and stay ahead of regulatory changes.

Better still, CyberComply allows you to automate, review, and repeat risk assessments in line with the best-practice standard ISO 27001.

We originally published this blog in November 2014.