Supply Chain Security


Gartner Says IT Supply Chain Integrity Will Be Identified as a Top Three Security-Related Concern by
Global 2000 IT Leaders by 2017

Overview


Evolving globalization and Competitiveness of supply markets are reclassifying the manner in which current supply chains are overseen.
Organizations which outsource require adaptable and responsive supply chains which convey enhanced value to their clients, giving reasonable upper hand, which empowers long haul development, profitability and productivity. Thus, they additionally require a supply of advanced trained people equipped for creating different, bespoke and imaginative supply chain security solutions giving them the superior advantage against their competitors.

Supply Chain Strategy serves to link the marketplace, distribution network, manufacturing process, and procurement activity to service customers at a higher level yet at a lower total cost.

  • This goal demands the application of the logistics concept to relationships with suppliers, partners, customers and end users.
  • Supply chains are continually evolving; businesses product ranges are changing whilst serving multiple markets.
  • Regulations and best practice are exposed to sudden change

The requirements of a network design are information, transportation, inventory, warehousing, materials handling, packaging and service levels that are all essential considerations of the supply chain and need to be fully understood.
Key components in determining the optimum supply chain are:

  • Location and cost of manufacturing
  • Manufacture lead time
  • Delivery lead time
  • Strategic location of stock
  • Stockholding requirement
  • Order fulfilment costs
Supply Chain Management

These components need to be considered holistically and not as an individual entity. if you do not, the result will almost guarantee a sub optimal supply chain entailing hidden costs with a lack of visibility and total understanding within the various components of the business.The aim should be to reduce complexity and drive growth whilst being flexible enough to be able to adapt to change influenced by customers, economics or technology.NS Global draws on its detailed knowledge of the individual supply chain components to build up an accurate picture of cumulative costs and service level implications.We have a team of professionals who work closely with each client to assess the key market-related issues. Structured investigation, data collection and analysis are undertaken supported by sophisticated computer modelling tools.We have undertaken supply chain projects locally in the UK and Irelandbringing a wealth of experience, innovation and best practice to supply chain planning.

NS Global suggests typical Supply Chain Attacks could be:


Third party software providers


Since 2011, the cyber-espionage group known as Dragonfly (also known as Energetic Bear, Havex, and Crouching Yeti) has allegedly been targeting companies across Europe and North America, mainly in the energy sector. This group has a history of targeting companies through their supply chains.

Website Builders


Cyber-criminals also target supply chains as a means of reaching the broadest possible audience with their malware. Identifying and compromising one strategically important element is an efficient use of resources and may result in a significant number of infections.

Third Party Data Stores


Many modern businesses outsource their data to third party companies which aggregate, store, process, and broker the information, sometimes on behalf of clients in direct competition with one another.

Watering Hole Attacks


A watering hole attack works by identifying a website that’s frequented by users within a targeted organisation, or even an entire sector, such as defence, government or healthcare. That website is then compromised to enable the distribution of malware.

Supply chain consulting
Supply chain security

NCSC Recommendations


NCSC recommendedapproach for Assessing Supply Chain Security

Challenges faced by Businesses

You understand the risks suppliers may pose to you, your wider supply chain and the products and services you offers Know the sensitivity of information your suppliers hold and value of projects they are supporting.

You have a poor understanding of the risks that suppliers may pose to you, your wider supply chain and the products and services it offers. You do not know what data they hold, nor the value of projects they are supporting.

Know the full extent of your supply chain, including sub-contractors

Only know your immediate suppliers, but have limited/no knowledge of any sub-contractors.

Know the security arrangements of your suppliers and routinely engage with them to confirm they are continuing to manage risks to your contract effectively.

Have no real idea about the security status of your supply chain, but think they might be okay. Fail to review this status

Exercise control over your supply chain, exercise your right to audit and/or require upward reporting by your suppliers to provide security assurance that all is working well. An audit request would not be your first interaction with the supplier.

Exercise weak control over your supply chain, lose sight of sub-contracting, fail to exercise audit rights, do not seek upward reporting. Often, the first engagement of your security team with the supplier will be for an audit following an incident.

Based on your assessment of risks and the protections you deem are necessary, set minimum security requirements for suppliers, telling them what is expected in contracts

Fail to set minimum security requirements, leaving it up to suppliers to do their own thing, even though they might not have the security awareness to understand what is needed, or know how to do this effectively. Or set minimum security requirements, but fail to match these to your assessment of the risk – potentially making security unachievable for many of your suppliers.

Differentiate the levels of protection required to match the assessed risks to the specific contract. Ensuring these protections are justified, proportionate and achievable.

Set a disproportionate ‘one size fits all’ approach for all suppliers, regardless of the contract and assessed risks. Fail to ensure these controls are justified and achievable – potentially causing suppliers not to compete for contracts with you.

Require that the protections you have deemed necessary in each case are passed down throughout your supply chain. Check to ensure it is happening.

Leave security to immediate suppliers to manage, but fail to mandate and/or check it is happening

Meet your own responsibilities as a supplier (and challenge your customers for guidance where it is lacking). Pass your customer’s requirements down and provide upward reporting.

Neglect your responsibilities as a supplier, or ignore any absence of customer guidance. Fail to pass requirements down, and/or fail to provide upward reporting.

Provide some guidance and support to suppliers responding to incidents. Communicate lessons learned so others in your supply chain avoid ‘known problems’.

Offer no incident support to your suppliers, fail to act or spot where ‘known issues’ might impact others in your supply chain, nor to warn others about these issues – potentially leading to greater disruption: with known issues hitting many suppliers.

Promote improvements to the cyber awareness of your suppliers. Actively share best practice to raise standards. Encourage suppliers to subscribe to the free CISP threat intelligence service so they can better understand potential threats.

Expect suppliers to anticipate developing cyber-attacks offering little or no support or advice, regardless of their security awareness and capabilities

Build assurance measures into your minimum security requirements (such as Cyber Essentials Plus, audits and penetration tests). These provide an independent view of the effectiveness of your supplier’s security.

Fail to include assurance measures into your security requirements, trusting that your suppliers will do the right thing – regardless of whether they have enough knowledge or experience to know what is expected of them.

Monitor the effectiveness of the security measuresthat are in place. Based on lessons learned from incidents, feedback from assurance activities, or from suppliers about issues, be prepared to revise or remove controls that are proving ineffective

Fail to monitor the effectiveness of security measures. Fail to listen to feedback. Be unwilling to make changes, even when the evidence in favour of doing so is overwhelming.