The key to the crown jewels; why supply chain security is essential under GDPR

Posted July 20th, 2017 by Paul Sandford

Data breaches have shifted from being a rare occurrence to an almost daily challenge for businesses across the UK. In today’s climate of insecurity, industry giants across multiple sectors have been affected, ranging from Tesco and TalkTalk to, as of this month, The AA. While media attention is often focused on high-profile organisations, the security threat is affecting all parts of the supply chain, with almost two thirds of businesses in the UK reporting a cyber-attack or breach in 2015/16. To help manage the growing threat, the UK Government introduced the Cyber Essentials scheme, a set of best practice security recommendations to minimise the risk of cyber-attack.

Security is rising up the agenda for many organisations and an area currently under scrutiny is the use of third-party systems. The use of poorly-secured endpoints, ranging from IoT devices to poorly manufactured or installed CCTV technology is still common, providing backdoor access to a company’s network for any given attacker. In an environment where a company’s data represents its crown jewels, businesses must ask themselves whether they can really afford to trust an unknown party in their business. Are the systems and processes in place to avoid letting an unsecured third-party supplier into their supply chain, or are they exposing themselves to unnecessary and significant risk – operational, reputational and financial in nature?

The potential cost of weak links in supply chain security

Representing a timely replacement for the Data Protection Act, the GDPR (General Data Protection Regulation) is set to be introduced in May 2018 to provide a baseline for the way in which organisations capture, handle and report on Personally Identifiable Information (PII). Despite the increased profile of the regulation, however, almost two thirds of British businesses are still unaware that they could face fines of up to €20m under GDPR should they be found guilty of the mismanagement of data and security processes.

Why credentials matter

The importance of schemes such as the Cyber Essentials certification is therefore likely to grow over the coming years, as businesses seek reassurance that partners throughout their supply chain share the same attitude towards an all-encompassing security approach. In ensuring compliance with GDPR, one of the key considerations is due diligence – undertaking detailed, holistic research into the cybersecurity threats being faced, and developing strategies to mitigate those risks. Whilst many businesses will perform due diligence checks, these undertakings will often not extend further than their own four walls. With a range of third-party vendors and installers providing mission-critical security systems and support to modern businesses, extending due diligence to include the entire supply chain is now essential.

To meet this challenge, NW Security Group is Security Systems and Alarms Inspection Board (SSAIB) approved, and we have just attained Cyber Essentials Plus certification too. Building on this, ISO 9001 is on track for 2017 and ISO 27001 is in our sights thereafter – not only assuring our own security, but meaning we are armed with the knowledge, systems and processes to ensure the security of others. Under GDPR, the appointment of a Data Protection Officer (DPO) is often required to ensure best practice. Currently, however, there are few credentials required to undertake this role, and often a lack of budget flexibility for new hires. We have committed not only to undertake best practice ourselves, but have extended this to our customers through the appointment of our internal DPO, offering external guidance and consultancy.

Whilst the security benefits of adhering to tighter regulation are significant, it presents a sizeable operational challenge for businesses across the UK. Discover how our security consultancy services can help.
