It has been announced that the government are considering new measures to aid British businesses against cyber security risks linked to UK supply chains. In particular, the Department for Digital, Culture, Media and Sport (DCMS) has called for a review of a number of proposals to improve the security of digital supply chains and third-party IT services. These are mainly used by businesses for services such as infrastructure management and data processing.
The calls follow recent research conducted by DCMS, which found that just 12% of businesses review the cyber security risks from their close suppliers, and only 1 in 20 organisations (5%) highlight vulnerabilities within their wider supply chain.
As more and more businesses move online and become reliant on digital services, supply chains and third-party IT service operators are becoming integral to everyday business operations. Therefore, it is hugely important that companies are supported when it comes to cyber security risks.
Matt Warman, Digital Infrastructure Minister, highlighted the importance of increased cyber security:
“There is a long history of outsourcing of critical services. We have seen attacks such as ‘CloudHopper’ where organisations were compromised through their managed service provider. It’s essential that organisations take steps to secure their mission critical supply chains – and remember they cannot outsource risk.
“Firms should follow free government advice on offer. They must take steps to protect themselves against vulnerabilities and we need to ensure third-party kit and services are as secure as possible.”
The government has called for firms to offer their views on the current guidance for supply chain cyber risk management and has started testing the appropriateness of a suggested security framework for the firms that oversee organisations’ IT infrastructure, called ‘Managed Service Providers’.
The new proposals outline that Managed Service Providers could have to meet the current Cyber Assessment Framework. Its measures include, but are not limited to:
- Implementing policies to protect devices and prevent unauthorised access
- Ensuring data is secured at rest and in transit
- Maintaining secure and accessible data backups
- Training staff and pursuing a positive cyber security culture
To make informed decisions, the government has called for industry feedback to assess and review examples of strong supplier risk management, which will help improve the government advice set out in the Supply Chain Security Guidance and Supplier Assurance Questions.
Currently, businesses have access to support on assessing the security risks of suppliers from the National Cyber Security Centre (NCSC), including help with identifying company-wide cyber security risks. This support is set out in the Cyber Assessment Framework, and specifically in the Supply Chain Security and Supplier Assurance guidance.
Following the coronavirus pandemic, the government has also offered additional support to businesses to improve their cyber security management.