Cyber and supply chains

by Mark Rowe

In mid-2021 the UK Government ran a ‘call for views’ on how to improve cyber security in supply chains and among managed service providers. The DCMS (Department for Digital, Culture, Media & Sport) has now published its response, together with a summary of the views it received.

As Matt Warman MP, Minister for Digital Infrastructure at the DCMS, said in a foreword to the original call, digital is ‘top of the agenda’. “Supplier risk management and assurance, however, is an aspect of cyber resilience that organisations find particularly challenging. Digitisation of the UK economy has exacerbated this challenge as it is now common for companies to outsource critical services. Despite government and industry action, DCMS research shows that many businesses of all sizes are not adequately protecting themselves against cyber attacks, particularly attacks originating in their supply chains.”

As supply chains become more interconnected, vulnerabilities in suppliers’ products and services become correspondingly more attractive targets for attackers: compromising a single supplier such as a managed service provider can give an attacker a route into every customer that provider serves. Hence the need to secure supply chains, and the digital economy generally. For the DCMS response in full, visit the DCMS website.

From what industry told the Government, it’s plain much needs doing: ‘key barriers to effective supply chain cyber security risk management are: low recognition of supplier cyber security risk, limited visibility into supply chains, insufficient tools to evaluate supplier cyber security risk and limitations to taking action due to structural imbalances. Supporting organisations to overcome these barriers calls for a range of interventions from the government. This includes advice and guidance, improving access to a skilled workforce and the right products and services to manage risk, and working with influential market actors to drive prioritisation of supply chain cyber security risk management across the economy’.

Comment

AJ Thompson, CCO at Northdoor, says there are two branches to this discussion. “Firstly, there are those companies who are aware that there is a problem and know how to solve it, but are budget constrained. Secondly, there are those who perhaps rather naively believe that they are unlikely to suffer a breach via their supply chain.

“The second branch is obviously worrying and probably represents those that are happy to continue to send out a spreadsheet once a year to analyse their supply chain’s vulnerabilities. Both branches need to take the threat seriously though. The threat from supply chains is very clear. No matter how high your own defensive walls are, or how much money you’ve spent on them, if you’re leaving the backdoor open you are inviting the cyber-criminal in.

“Industrialising the process internally is crucial. Too often the manual process that takes place at the moment is not effective. It doesn’t happen regularly enough, it doesn’t happen well enough and it often falls between job roles anyway. By automating the process companies can be more confident that they are getting a regular 360-degree view of their supply chain vulnerabilities.

“As a result of the call for views I believe that companies will soon have to take supply chain security seriously anyway. Legislation is likely to focus on companies who outsource their IT and similar areas to third parties as the potential downside is dramatic across multiple, possibly thousands of organisations, if they are breached. However, companies should be acting before they are forced to. It is not just a regulatory obligation, but a moralistic one too.”

© 2024 Professional Security Magazine. All rights reserved.