The government has unveiled new proposals to help UK businesses manage cybersecurity in their digital and third-party IT services supply chains, as a growing body of evidence suggests that the risks to business continuity are hitting unprecedented heights. With supply chains demonstrably threatened through high-profile cyber attacks – a recent spate of incidents sparked through breaches of Accellion and Codecov products and, arguably, the SolarWinds incident – the Department for Digital, Culture, Media and Sport (DCMS) is calling for views on several measures to enhance supply chain security.
<p>Digital supply chains are formed both with the data that powers our modern lives, but also with the software components that operate on that data. For practical purposes, organisations of all sizes are software businesses that are reliant upon software created by others. Resilient cyber defenses are created when the security risks of each component – regardless of its role or origin – are well understood by those operating the software. Any gap in knowledge or understanding of those security risks represents a gap that an attacker might exploit for their gain. With DMCS Research showing only 12 percent of organisations, and 36% of large firms, formally reviewing the cyber security risks presented by their immediate suppliers, the exploitable gaps are unduly large.</p> <p> </p> <p>It is against this research that DMCS is soliciting views on how to enhance the security of digital supply chains, and also a reflection of the cyber security realities that have prompted US President Biden to issue an Executive Order on cyber security. Within the American context, the Executive Order targets software procurement for federal agencies and recognizes that it\’s difficult to operate software when that software wasn’t created using secure processes or when the details of security testing aren’t known to operators. In effect, if an attacker is able to identify weaknesses in the software powering a business faster than the business can, such a gap might also be one the business isn’t monitoring for.</p>