The risk is real
Cyber-attacks remain a significant threat to the UK economy, according to the Cyber Security Breaches Survey 2021. The survey indicates that four in ten businesses (39%) and a quarter of charities (26%) have experienced a cyber security breach or attack within the last 12 months. Approximately a quarter of those who identified such a breach reported experiencing one at least once a week, with phishing attacks being the most common, followed by impersonation.
New plans – digital supply chains
Organisations are also seeing a rise in cyber-attacks via their supply chains or their providers of IT services. Following a consultation by the Department for Digital, Culture, Media and Sport (DCMS), the UK government has revealed its plans to boost cyber security within the digital supply chain. Plans include the following:
- IT service providers could be required to follow the National Cyber Security Centre’s (NCSC’s) Cyber Assessment Framework (CAF)
- New procurement rules stipulating that the public sector must purchase services from firms who implement good cyber security
- Plans for improved advice and guidance campaigns to help businesses manage security risks
New research from DCMS has highlighted that cyber security is a business priority, yet nearly a third of leading firms are not currently taking action in relation to supply chain cyber security.
In May 2021, DCMS launched the Supply Chain Cyber Security Call for Views, seeking industry feedback in order to improve the UK government’s understanding of supply chain cyber security.
Results from the survey highlighted the main perceived barriers to effective supply chain cyber security risk management. These included the following: low recognition of the risk, limited visibility into supply chains and insufficient tools to evaluate the risk. It has been recognised that further support is needed from the government, with 82% of respondents agreeing legislation could be an effective solution. Respondents also identified technology platforms that help organisations manage supplier risk as the most effective commercial tool for managing supply chain cyber security risk.
The need for further government intervention is clear, and businesses should be aware of new developments which are on the horizon. The government is undertaking a review of the current laws and measures which encourage businesses to improve their cyber security, and is said to be launching a new National Cyber Strategy later this year.
As part of the National Cyber Strategy, the government plans to continue collaborating with industry experts to develop more detailed policy solutions which will seek to improve cyber security measures within the digital supply chain. The government will focus on developing new legislation and plans to prioritise engagement with international organisations too, recognising the global extent of digital supply chains.
What other advice is available to businesses?
Further to the Cyber Assessment Framework, the NCSC already provides a wealth of guidance to businesses in relation to cyber security and advice on identifying such risks. The NCSC has published specific Supply Chain Security and Supplier Assurance guidance, which includes questions businesses should ask their suppliers in order to assess risk and increase security within their supply chains.
The NCSC also provides advice on defending against ransomware attacks, with the Cyber Essentials scheme offering cost-effective measures which small and medium-sized businesses can implement to prevent most cyber-attacks.