Government seeks advice to combat threat from supply chain attacks

Managed Service Providers could be required to follow new security standards

Posted 18 May 2021 by Christine Horton

The Department for Digital, Culture, Media and Sport (DCMS) is calling for views on measures to improve the security of digital supply chains and third-party IT services, used by firms for things such as data processing and infrastructure management.

DCMS research shows only 12 percent of organisations review the cyber security risks coming from their immediate suppliers and only one in twenty firms (five percent) address the vulnerabilities in their wider supply chain.

The government says it is looking at what more it can do to support UK firms. 

“There is a long history of outsourcing of critical services,” says Digital Infrastructure Minister Matt Warman. “We have seen attacks such as ‘CloudHopper’ where organisations were compromised through their managed service provider. It’s essential that organisations take steps to secure their mission critical supply chains – and remember they cannot outsource risk.”

Warman said firms must take steps to protect themselves against vulnerabilities and we need to ensure third-party kit and services are as secure as possible.

Additionally, the government is “seeking views from firms that both procure and provide digital services, as a first step in considering whether we need updated guidance or strengthened rules.” 

Managed Service Providers

The government is also testing the suitability of a proposed security framework for managed service providers (MSPs). The proposals could require MSPs to meet the current Cyber Assessment Framework – a set of 14 cyber security principles designed for organisations.

The framework sets out measures organisations should take, such as:

  • Having policies to protect devices and prevent unauthorised access
  • Ensuring data is protected at rest and in transit
  • Keeping secure and accessible backups of data
  • Training staff and pursuing a positive cyber security culture

The call for views will be open from May 17 to July 11, 2021.

Earlier this year DCMS released a report that shows two in five businesses (39 percent) and more than a quarter of charities (26 percent) report having cybersecurity breaches or attacks in the last 12 months.

More than 80 percent of British people fear themselves or their friends or family falling victim to cybercrime, according to the National Cyber Security Centre (NCSC