While new proposals to support businesses in managing cyber risks are also being considered
The Department for Digital, Culture, Media and Sport has unveiled new proposals to help UK businesses manage cyber security across their digital supply chains and third party IT services.
It comes as DCMS research has found that UK businesses are slacking when it comes to reviewing cyber security risks.
According to the DCMS, only 12 per cent of organisations review the cyber security risks that come from their immediate suppliers, while only one in twenty firms (five per cent) address the vulnerabilities in their wider supply chain.
To combat the cyber risks facing UK businesses, the DCMS is “calling for views” on a number of measures to improve security, with the consultation running until July 11 2021.
“There is a long history of outsourcing of critical services. We have seen attacks such as ‘CloudHopper’ where organisations were compromised through their managed service provider,” said Digital Infrastructure minister Matt Warman.
“It’s essential that organisations take steps to secure their mission critical supply chains – and remember they cannot outsource risk.”
Warman says that firms should follow the free government advice that is available, which includes support from the National Cyber Security Centre (NCSC).
“We’re seeking views from firms that both procure and provide digital services, as a first step in considering whether we need updated guidance or strengthened rules.”
The NCSC provides advice on business-wide cyber security risks and vulnerabilities, such as the Cyber Assessment Framework.
And the government is calling for views on the existing guidance for supply chain risk management, while testing the suitability of a proposed security framework for firms that oversee organisations’ IT infrastructure, known as ‘Managed Service Providers’ (MSPs).
Such proposals could mean that MSPs are required to meet the current Cyber Assessment Framework, which includes a set of 14 cyber security principles.
Some of the measures include having policies to protect devices and prevent unauthorised access, ensuring data is protected, keeping secure and accessible backups of data, training staff and pursuing a positive cyber security culture.