New proposals to help British businesses manage cyber risks attached to supply chains are being considered, as research from the Department for Culture, Media and Sport suggests that just 12% of organisations review the cyber security risks coming from their immediate suppliers and that just 5% address the vulnerabilities in their wider supply chain.

DCMS is looking for views on the existing guidance for supply chain cyber risk management and is also testing the suitability of a proposed security framework for managed service providers.

The proposals could require MSPs to meet the current Cyber Assessment Framework - a set of 14 cyber security principles designed for organisations that play a vital role in the day-to-day life of the UK.

The framework sets out measures organisations should take, such as:

• Having policies to protect devices and prevent unauthorised access;
• Ensuring data is protected at rest and in transit;
• Keeping secure and accessible backups of data; and
• Training staff and pursuing a positive cyber security culture.

Digital infrastructure minister, Matt Warman said: “There is a long history of outsourcing of critical services. We have seen attacks such as ‘CloudHopper’ where organisations were compromised through their managed service provider. It’s essential that organisations take steps to secure their mission critical supply chains – and remember they cannot outsource risk.”

The announcement comes as a separate poll suggests that more than a quarter of IT professionals report having no control over their data as it flows between third-parties.

Over one third polled earlier this month by Infosecurity Europe say they are very concerned about the security risks third-party providers present to their organisation, with 20% simply having no idea whether any such measures have been implemented.

While more than half of respondents have a process in place to control data flow between providers, only 35% actually enforce this policy.

Infosecurity Europe also asked IT professionals what security prerequisites would be top of the list when preparing to work with a supplier. The number one priority was a full risk assessment (40%), followed by cyber insurance (24%), proven compliance (22%) and national accreditation (16%).

The information security event’s Twitter poll drew 2,596 responses, with supporting interviews conducted by the organisation amongst its network of CISOs and analysts.

Additional research from the Ponemon Institute and SecureLink recently found that almost half of all organisations have suffered a data breach via a third party in the past 12 months. The risk is likely to rise as businesses along the supply chain adjust to yet another shift in working models, creating new vulnerabilities. In addition, organisations will increasingly turn to third party providers as they seek to streamline their operations, widening their attack surface.

Maxine Holt, senior research director at Omdia, echoes the value of a full risk assessment for every provider, but recognises the difficulty in keeping on top of them all. “The starting point is discovery: which organisations do you have relationships with? What’s the nature of the relationship; do they handle PII on your behalf? Then prioritise accordingly. Request compliance information, and details of cyber-risk insurance and accreditations. You also need to know where your data is and what it’s doing, and third-parties must be able to ensure that data transfers are consistent with what has been agreed.”

Meha Shukla, researcher with University College London’s Department of Security and Crime Science, believes organisations need to assess not only security risks, but also operational resilience and liability risks in the event of disruption of citizen-centric services. She says: “Assessments should focus on holistic operational risks, including physical locations, people, processes and cyber, for critical components of composite services in the entire ecosystem. The government needs to support third-parties in terms of an approach to a consistent benchmark and a roadmap for upgrading their capabilities. Organisations must also ensure that their risk reduction strategies do not stifle innovation.”

The government’s call for views on supply chain cyber security will will be open until 11th July 2021. Interested parties may submit feedback here: https://www.gov.uk/government/publications/call-for-views-on-supply-chain-cyber-security

Share Story: