GCHQ publishes advice on supply chain attacks

The National Cyber Security Centre (NCSC), which is part of GCHQ, has published new guidance to help organisations effectively assess and gain confidence in the cyber security of their supply chains.

It follows a significant increase in cyber-attacks resulting from vulnerabilities within supply chains in recent years, including some high-profile incidents such as the SolarWinds attack.

The guidance, which can be found here, is designed to help medium and larger organisations effectively assess the cyber risks of working with suppliers and gain assurance that mitigations are in place.

Supply chain attacks can cause far-reaching and costly disruption, yet the latest government data shows that just over one in ten businesses (13 per cent) review the risks posed by their immediate suppliers, and the proportion reviewing the wider supply chain is just seven per cent.

Ian McCormack, NCSC Deputy Director for Government Cyber Resilience, said: “Supply chain attacks are a major cyber threat facing organisations and incidents can have a profound, long-lasting impact on businesses and customers.

“With incidents on the rise, it is vital organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place.

“Our new guidance will help organisations put this into practice so they can assess their supply chain’s security and gain confidence that they are working with suppliers securely.”

Cyber minister Julia Lopez said: “UK organisations of all sizes are increasingly reliant on a range of IT services to run their business, so it’s vital these technologies are secure.

“I urge businesses to follow this expert guidance from our world-leading National Cyber Security Centre. It will help firms protect themselves and their customers from damaging cyber attacks by strengthening cyber security right across their supply chains.”

The guidance has been published in conjunction with the Cross Market Operational Resilience Group (CMORG) which supports the improvement of the operational resilience of the financial sector, though the advice is for organisations in any sector.

It aims to help cyber security professionals, risk managers and procurement specialists put into practice the NCSC’s 12 supply chain security principles and follows the government’s response to a call for views last year which highlighted the need for further advice.

It describes typical supplier relationships and potential weaknesses that might expose their supply chain to attacks, defines the expected outcomes and sets out key steps that can help organisations assess their supply chain’s security.

In addition to guidance focused on improving supply chain cyber resilience, the NCSC has published a range of advice to help organisations improve their own cyber security.

This includes the 10 Steps to Cyber Security guidance, aimed at larger organisations, and the Small Business Guide for smaller organisations.

Westcon EMEA Vice President Daniel Hurel said that a provider with vulnerabilities risks not only its own compromise, but also the compromise of every business it works with. In a channel environment, with a number of players involved up and down the supply chain, this becomes critical, especially for MSPs, who exist to protect and secure their end users.

The new guidance is a five-stage process that every medium-to-large enterprise must implement to protect itself. It outlines the challenges that businesses may face when looking to protect against supply chain attacks, including limited visibility, a lack of tools, insufficient expertise and not understanding the risk. Only around one in ten businesses are reviewing the risks posed by their immediate suppliers, and it’s easy to see why: looking after your own security is challenging enough; ensuring suppliers are up to scratch is perhaps a bridge too far.

Hurel said that MSPs can rise up and meet this challenge. They have the tools and expertise that mean they can assess the risk of a supply chain attack and identify suppliers that may carry more risk than a business should be willing to tolerate. As nearly 90 per cent of businesses are failing to check their suppliers’ security, it’s too much to expect this to change quickly, especially with so many other pressures on businesses.

With supply chain attacks an immediate threat—enough to warrant dedicated government guidance—businesses need experts on the case today, rather than spending time creating their own supplier review processes.