The government has announced new plans to boost the cyber resilience of the UK’s critical supply chains.
The Department for Digital, Culture, Media & Sport (DCMS) is calling for views on a number of measures to enhance the security of digital supply chains and third-party IT services, used by firms for things such as data processing and infrastructure management.
Research from the department found that only 12 per cent of organisations review the cyber security risks coming from their immediate suppliers. Only one in 20 firms, or five per cent, address the vulnerabilities in their wider supply chain.
“There is a long history of outsourcing of critical services,” said digital infrastructure minister Matt Warman. “We have seen attacks such as ‘CloudHopper’ where organisations were compromised through their managed service provider. It’s essential that organisations take steps to secure their mission critical supply chains – and remember they cannot outsource risk.”
Warman urged firms to follow free government advice and take steps to protect themselves against vulnerabilities.
He also said that third-party kit and services need to be as secure as possible.
“We’re seeking views from firms that both procure and provide digital services, as a first step in considering whether we need updated guidance or strengthened rules,” he added.
The government wants views on the existing guidance for supply chain cyber risk management and is also testing the suitability of a proposed security framework for firms which manage organisations’ IT infrastructure, known as ‘Managed Service Providers’.
The proposals could require Managed Service Providers to meet the current Cyber Assessment Framework - a set of 14 cyber security principles designed for organisations that play a vital role in the day-to-day life of the UK.
The framework sets out measures organisations should take, such as having policies to protect devices and prevent unauthorised access, ensuring data is protected at rest and in transit, keeping secure and accessible backups of data, and training staff and pursuing a positive cyber security culture.