
Ensuring Secure Supply Chains for Small Organisations

Apples and Pears

For small organisations to keep large enterprise customers, they must make sure that their supply chain is secure, consistent and not easily disrupted. To do this successfully they have to invest in processes similar to those used by their enterprise customers. Here we explore some of those considerations for small organisations, so that you are not comparing apples to pears.

This is an edited transcript from a video blog recording of Sarb Sembhi, CTO and CISO of Virtually Informed, and his co-host Nick Ioannou, Director of Boolean Logic.

Introduction to Small Organisation Supply Chains

Today we are going to be looking at Small Organisation supply chains. In another episode we looked at how you can be secure as part of your customers' supply chain, and now we are following that through to your own supply chain. So, over to you Nick, how do you ensure the security and resilience of your supply chain?

Small Organisation Supply Chain

Many Small Organisations, when they start off with just one or two staff members, don’t think about resilience or the security of their suppliers. But in many cases, we know that it is probably the best time to start, because with very few suppliers it is going to be simpler, and as the organisation develops and grows so will the number of suppliers and the requirements for resilience and security.

To some extent many small organisations do ask some of the basic questions, but without formalising anything on paper. The starting point is to understand what product or service is required and its impact on your ability to continue to operate as planned.

The requirements stage may involve considering the following:

  • How critical is the product or service for our continued operations?
  • What are the impacts of a disruption to continued supply?
  • What are the technical or standards requirements?
  • Will the supply of this service impact other products or services?
  • Is the whole service being outsourced?
  • What are the support requirements?
  • What are the internal requirements for staff?

We explore some of these in more detail later.

Apart from the product or service requirements, there are considerations about the supplier. Depending on the organisation’s policies or intentions, this set of considerations may be treated together with the service requirements or separately.

Supplier considerations may include:

  • Suppliers’ background and years of service in the organisation.
  • Diversity of suppliers.
  • Sustainability policies of suppliers.
  • Suppliers’ commitment to Anti-Slavery.
  • Suppliers’ commitment to other Social Responsibilities.
  • Suppliers’ commitment to staff development and training.
  • Suppliers’ achievement of security standards, and related policies.
  • Suppliers’ Continuity Policies.

Once the service and supplier requirements are defined, the procurement process that will be used needs to be considered. Some things may be as simple as picking up the phone and placing an order, or getting onto a supplier’s website and placing an order. In most cases such things may not require a process, and it will be accepted that there is no reason to document such a process, but it may be useful and important over time that the boundaries of how staff can make such decisions are documented. Some of the reasons for doing this may include other considerations that come over time, like Supplier Diversity Policies or Sustainability Policies, where certain suppliers or types of suppliers may be excluded.

Considerations around supplier selection processes may include:

  • The value or types of purchases, products or services which don’t have to go through the more formal process.
  • Any additional special processes or cases that may need to be considered differently. Examples may be that the formal process is used for all existing recognised important services, and a different process for new or first-time purchases where the organisation is still trying to understand the service or solution. These special processes may be shorter or quicker processes (where there is a requirement to bring the service in quickly), or more stringent processes due to the value and importance where additional due diligence may be required.
  • Will there be only one formal process or more, and how will they differ from any tendering processes that are used?
  • Importance of the service to the organisation – all critical services should undergo the formal process.
  • The minimum number of suppliers to be included in each type of process.
  • The individual roles that should be involved in each type of process.
  • The process of notifying the selected suppliers.
  • What will the standard contract to supply include, in relation to support?

What we’ll do now is go into some of these things in a little more detail.

About the Authors

Sarb Sembhi

Sarb is the Chief Technology Officer and Chief Information Security Officer for Virtually Informed.

He writes and speaks about:

  • Strategic issues in Smart Environments and related technologies;
  • Digital Safety Skills for anyone not working in Cyber Security; and
  • Business / security challenges for small businesses and start-ups.

Nick Ioannou

Nick is Director of Boolean Logic Limited, a blogger, an author and public speaker.

Nick has authored:

  • 'Internet Security Fundamentals';
  • 'A Practical Guide to Cyber Security for Small Businesses'; and
  • 'A Practical Guide to GDPR for Small Businesses';
  • as well as contributing to three 'Managing Cybersecurity Risk' books and 'Conquer The Web'.