In August 2023, Met Police in London announced that they had been made aware of unauthorised access to a third-party system that held vetting and security data relating to all of their personnel.
From the outside, it's easy to throw rocks and stones, and report how terrible it is. But I have had the pleasure of talking to a number of Met Police procurement staff over the years and without exception they are all diligent and acutely aware of the public safety role they play. At some point, the investigations into this specific breach will conclude and we will no doubt have some insight into process failures (or not) and improvements to be made.
In the meantime, both NIST and ISO27001 have been updated to explicitly require third-party and supply chain risk assessments as part of their standards. It is a difficult area, and one where balancing what is pragmatic and implementable against the potential risks posed by internal and external vulnerabilities can be challenging even for security experts.
At RTG Commercial Services Ltd, we have created a simple ten step guide to assessing and managing supply chain risk. It is one of the core components of our Security Healthcheck and often highlights opportunities to improve visibility and management of supply chain exposure. We cannot eliminate the risk, but a Healthcheck will most definitely help you to identify and prioritise areas of potential weakness.
Why not book your free introductory discussion now and see how we can help (https://calendly.com/rachel-rtg/introductory-call)?
And drop us a DM if you'd like a copy of our free guide to managing supply chain risk.