The Department for Digital, Culture, Media and Sport (DCMS) is calling for views on ways to secure the digital supply chains and third-party IT services that underpin data processing and national infrastructure.
As DCMS notes, the UK's National Cyber Security Centre (NCSC) already offers support: guidance on assessing the security risks posed by suppliers, advice on identifying organisation-wide cyber security risks and vulnerabilities (such as the Cyber Assessment Framework), and specific supply chain security and supplier assurance guidance. Organisations can demonstrate baseline preparedness and resilience through the Cyber Essentials scheme.
But as organisations have moved their operations online, interconnected digital supply chains and third-party IT service providers have become vital not only to everyday operations but also to business continuity and resilience.
At DCMS, Digital Infrastructure Minister Matt Warman said: “There is a long history of outsourcing of critical services. We have seen attacks such as ‘CloudHopper’ where organisations were compromised through their managed service provider. It’s essential that organisations take steps to secure their mission critical supply chains – and remember they cannot outsource risk.
“Firms should follow free government advice on offer. They must take steps to protect themselves against vulnerabilities and we need to ensure third-party kit and services are as secure as possible. We’re seeking views from firms that both procure and provide digital services, as a first step in considering whether we need updated guidance or strengthened rules.”
The UK Government is seeking views on its existing guidance for supply chain cyber risk management, and is testing the suitability of a proposed security framework for firms that manage IT infrastructure on behalf of their customers, known as Managed Service Providers (MSPs). The proposals could require MSPs to meet the NCSC's Cyber Assessment Framework (CAF), a set of 14 cyber security principles.
The call for views is open until July 11.
Chris Waynforth, AVP Northern Europe at data and app security product firm Imperva, said: “Concern over supply chain attacks and Nth party risks continues to ripple across the globe, and for good reason. Many are unprepared to manage the threats their ecosystem introduces to their organization — at a time when dependency on third-party providers is growing. It’s encouraging to see the UK Government address this problem and spur organisations to think about supply chain attacks as more than just a security issue, but an operational risk that can impact the physical supply chain and the wider economy. For example, software security issues targeted at an order fulfilment application could cause downstream disruption to the physical supply chain, such as stopping orders from leaving the warehouse and leaving customers without their goods and waiting on fulfilments. This represents a complex issue that impacts both businesses and consumers.
“It’s interesting to see the onus the government is placing on providers of digital services, in particular those providing managed services – suggesting they may be subject to some sort of regulation for the first time. Depending on the level of maturity, this may be music to the ears of some, allowing them to distinguish their services and show they are equipped to protect customers from supply chain attacks. For others, this could be time-consuming and a difficult process. The principles outlined in the Cyber Assessment Framework are comprehensive and far-reaching. Ensuring ‘data is protected at rest and in transit’ and ‘protecting the network from cyber-attacks’ shows that it is essential to protect data and all paths to it and that security must be managed holistically, not in silos.
“Organisations will only be as secure as their partners, and in some cases, their partner’s partner. This requires deep visibility across the IT ecosystem as a way to build resilience. Knowledge of one’s supply chain will be essential for understanding exactly where the data is, who has access to it and how it’s being used.
“Traditional security tools are less effective at managing Nth party risks as they extend beyond the perimeter. Further, attacks are increasingly starting at the application layer and later infiltrate the data source. The complexity of today’s attacks means that organisations need visibility and protection from Nth party risks that span from edge to application to data. This is the only way organisations will be able to protect their sensitive data from supply chain attacks and the risks introduced by third-party services.”
And Adam Philpott, EMEA President, at cyber firm McAfee, said: “Companies may outsource IT services on a regular basis, but they cannot outsource risk. The reality is cyberattacks are putting organisations under more strain than ever before, with 648 threats detected per minute in the last quarter of 2020. Today’s evolving threat landscape requires a thorough approach to supply chain cyber risk management.
“For an organisation to go beyond baseline protocols to secure their mission-critical supply chains, they must build a flexible architecture that can adapt as needed and avoid viewing security as a bolt-on or afterthought. A Zero Trust mindset is also important. By taking this approach, businesses can maintain control over access to the network and all instances within it, such as applications and data, and restrict them if necessary. These steps will set businesses up with complete data and enterprise protection capabilities, underpinned by a holistic, proactive and open security architecture, enabling them to execute good supplier risk management.
“If these steps are taken, businesses can rest easier knowing they have taken a proactive approach to strengthen their security posture as well as securing both digital supply chains and third-party IT services. As cybercriminals continue to evolve their attack tactics and target companies through their supply chain, this additional government guidance will be a useful tool to help businesses keep their data and systems safe from criminals.”