DCMS has announced new plans to enhance the security of the UK’s critical supply chains. The proposal could require Managed Service Providers to meet the current Cyber Assessment Framework – a set of 14 cyber security principles designed for organisations that play a vital role in the day-to-day life of the UK. This includes:

  • Having policies to protect devices and prevent unauthorised access
  • Ensuring data is protected at rest and in transit
  • Keeping secure and accessible backups of data
  • Training staff and pursuing a positive cyber security culture
  • Protecting the network from cyber-attacks

Expert Comments

May 18, 2021
Chris Waynforth
Area Vice President, Northern Europe
Imperva


Concern over supply chain attacks and Nth party risks continues to ripple across the globe, and for good reason. Many are unprepared to manage the threats their ecosystem introduces to their organisation, at a time when dependency on third-party providers is growing. It's encouraging to see the UK Government address this problem and spur organisations to think about supply chain attacks as more than just a security issue, but an operational risk that can impact the physical supply chain and the wider economy. For example, software security issues targeted at an order fulfilment application could cause downstream disruption to the physical supply chain, such as stopping orders from leaving the warehouse and leaving customers without their goods and waiting on fulfilments. This represents a complex issue that impacts both businesses and consumers.


It’s interesting to see the onus the government is placing on providers of digital services, in particular those providing managed services – suggesting they may be subject to some sort of regulation for the first time. Depending on the level of maturity, this may be music to the ears of some, allowing them to distinguish their services and show they are equipped to protect customers from supply chain attacks. For others, this could be time-consuming and a difficult process. The principles outlined in the Cyber Assessment Framework are comprehensive and far-reaching. Ensuring “data is protected at rest and in transit” and “protecting the network from cyber-attacks” shows that it is essential to protect data and all paths to it and that security must be managed holistically, not in silos.


Organisations will only be as secure as their partners, and in some cases, their partner’s partner. This requires deep visibility across the IT ecosystem as a way to build resilience. Knowledge of one’s supply chain will be essential for understanding exactly where the data is, who has access to it and how it’s being used.


Traditional security tools are less effective at managing Nth party risks as they extend beyond the perimeter. Further, attacks are increasingly starting at the application layer and later infiltrate the data source. The complexity of today’s attacks means that organisations need visibility and protection from Nth party risks that span from edge to application to data. This is the only way organisations will be able to protect their sensitive data from supply chain attacks and the risks introduced by third-party services.
