New plans to boost cyber resilience of UK’s critical supply chains

DCMS is calling for views on a number of measures to enhance the security of digital supply chains and third party IT services.

New proposals to help British businesses manage cyber risks attached to supply chains are being considered.

The Department for Digital, Culture, Media and Sport (DCMS) is calling for views on a number of measures to enhance the security of digital supply chains and third party IT services, used by firms for things such as data processing and infrastructure management.

DCMS research shows only 12 per cent of organisations review the cyber security risks coming from their immediate suppliers and only one in twenty firms (5 per cent) address the vulnerabilities in their wider supply chain.

The National Cyber Security Centre (NCSC) already offers a raft of support to help organisations assess the security risks of their suppliers, including advice on identifying business-wide cyber security risks and vulnerabilities, such as the Cyber Assessment Framework, and specific Supply Chain Security and Supplier Assurance guidance.

The government has also helped organisations improve their cyber risk management during the pandemic, including through £500,000 of funding to enable critical suppliers in healthcare subsectors to boost their preparedness and resilience through the Cyber Essentials scheme.

But as organisations increasingly move their operations online, digital supply chains and third party IT service operators are becoming vital to companies’ everyday operations and are hugely important for business continuity and resilience. The government is looking at what more it can do to support UK firms.

Digital Infrastructure Minister Matt Warman said:

There is a long history of outsourcing of critical services. We have seen attacks such as ‘CloudHopper’ where organisations were compromised through their managed service provider. It’s essential that organisations take steps to secure their mission critical supply chains – and remember they cannot outsource risk.

Firms should follow free government advice on offer. They must take steps to protect themselves against vulnerabilities and we need to ensure third-party kit and services are as secure as possible.

We’re seeking views from firms that both procure and provide digital services, as a first step in considering whether we need updated guidance or strengthened rules.

The government wants views on the existing guidance for supply chain cyber risk management and is also testing the suitability of a proposed security framework for firms which manage organisations’ IT infrastructure, known as ‘Managed Service Providers’.

The proposals could require Managed Service Providers to meet the current Cyber Assessment Framework – a set of 14 cyber security principles designed for organisations that play a vital role in the day-to-day life of the UK.

The framework sets out measures organisations should take, such as:

Having policies to protect devices and prevent unauthorised access
Ensuring data is protected at rest and in transit
Keeping secure and accessible backups of data
Training staff and pursuing a positive cyber security culture

The department seeks industry feedback on examples of good supplier risk management, building on government advice set out in the Supply Chain Security Guidance and Supplier Assurance Questions.