Published: April 2025

Supply Chains Under Pressure

Cyber risks in the supply chain are intensifying, with attackers targeting critical suppliers to disrupt entire ecosystems. The consequences are operational disruption, regulatory penalties and reputational damage, threatening financial stability and success. Organisations can no longer afford to take a reactive approach.

To meet NIS2 requirements and strengthen supply chain resilience, businesses must focus on response planning and training that includes critical suppliers. Here’s what that means for you.


Understanding NIS2 Supply Chain Requirements

NIS2 requires organisations to implement a structured approach to securing supply chains:

  1. Identify and Document Critical Dependencies – Map your direct, critical suppliers and key assets they provide, including IT systems, hardware, and network infrastructure.
  2. Assess Risks – Conduct risk assessments to evaluate suppliers’ cyber security practices and identify vulnerabilities. Verify their security plans and procedures.
  3. Ensure Security Measures – Implement necessary protections against identified risks and ensure compliance with NIS2.
  4. Set Clear Contractual Requirements – Establish security expectations with suppliers to align with your security policies and regulatory obligations.
  5. Monitor and Adapt – Security is not a one-and-done effort. Continuously update strategies and monitor suppliers to maintain compliance and resilience.

Coordinating With Suppliers To Boost Cyber Resilience

While compliance with NIS2 is essential, true resilience requires collaboration with suppliers to prepare for, detect, and respond to cyber incidents. For this, we recommend coordinating your efforts with three key actions: plan, embed, and exercise.

1. Plan

Begin by preparing comprehensive incident response plans that align with your organisation's risk profile and operational needs.

This includes:

  • Defining Incident/Crisis Response Roles & Responsibilities – Clearly document who leads the response, coordinates the incident/crisis response and handles external communication.
  • Formalising Incident Response Agreements – Establish notification and escalation procedures and timelines, containment and eradication measures, recovery steps, communication strategies and key points of contact.
  • Ensuring Continuous Readiness – Regularly test response plans through joint scenario-based simulation exercises.

As mentioned, the plans should be developed in collaboration with key suppliers to ensure a unified approach to cyber resilience. This will set the foundation for a coordinated and efficient response to potential cyber threats.

2. Embed

Regular cyber incident and crisis training ensures that both organisations and suppliers can respond effectively when a crisis hits. But there is a step in between that organisations often overlook.

Before proceeding with a cyber exercise, it is important to first come together, discuss, and align on the response plans you developed with your suppliers. The most effective way to do this is by conducting walk-through sessions.

Scenario-based walkthroughs help assess and refine the plans while embedding them into practice. These sessions foster collaboration, helping to identify practical areas for improvement and ultimately enhance incident response plans. Additionally, they provide an opportunity for suppliers and the organisation to connect in person and build trust before the actual exercise.

3. Exercise

Now it’s time to put your plans to the test with cyber exercises. Be sure to focus on supplier-specific threats and test real-world response coordination. There are several different types of cyber exercises. When choosing an exercise, it’s a good idea to consider the number of teams you want to involve, your cyber risks, and what you want to achieve.

Types of Cyber Exercises

  • Tabletop Exercises – a structured discussion where all participants from one team receive information simultaneously, enabling immediate collaboration on response strategies.
  • Cyber Crisis Simulation Exercises – a more advanced format where individuals on one team receive different information, requiring real-time coordination and decision-making.
  • Multi-team Simulation Exercises – a large-scale simulation involving two or more teams; this interactive format is ideally suited to training collaboration between the teams (incident response, crisis management, business continuity and suppliers).
  • Gold Teaming – a dynamic exercise that integrates the technical findings of a Red Teaming assessment with a Crisis Management Exercise, creating an experience for the entire organisation that reflects the reality of a cyber-attack as genuinely as possible.

What Are The Main Objectives of Cyber Exercises?

In terms of goal-setting for a cyber exercise, be as specific as possible to gain an accurate perspective of how your plans will hold up during a real cyber incident. Here’s a quick checklist of goals we recommend:

  • Practicing roles and responsibilities
  • Testing the escalation and notification process
  • Identifying gaps in response coordination
  • Testing communication/information management between internal teams and suppliers

Measuring & Improving Response Effectiveness

Once you’ve completed your exercise, it’s time to debrief. After each session, teams should conduct a structured assessment of how well they coordinated and identify any communication gaps. A structured review covers:

  • What worked well and where coordination needs improvement
  • Gaps in communication and decision-making
  • Adjustments needed to incident response plans

Finally, you can refine your incident response plan for continuous improvement.

It’s also a good idea to consider how you will access your crisis plans and communicate with suppliers during a cyberattack. In many cyber crises, primary communication channels are disrupted or rendered unavailable, severely impacting the response.

Northwave’s partnership with Merlin offers a solution to this risk: CrisisSuite. Merlin’s browser-based Crisis Management Platform enables resilience teams to maintain contact and collaborate during a cyber crisis. All the response information is securely stored in the cloud and available at any time.

Safeguarding Supply Chains, Together

The responsibility for supply chain resilience belongs to the entire organisation. IT leaders, risk managers, and executives must work together to embed security, compliance, and resilience into supplier relationships.

Start today—assess your critical suppliers, test your response plans, and make cyber security a shared responsibility across the supply chain.

Would you like to learn more about how to include critical suppliers in your cyber crisis planning and training exercises? Get in touch with Northwave’s Resilience team today to discuss our customisable solutions.
