Firms must encourage supply chains to ‘get cyber security right’

5 June 2019

The government must involve large firms in its cyber security strategy to encourage smaller, vulnerable companies that lie within supply chains to get basic security right, MPs have said.

In a report, the Public Accounts Committee (PAC) said larger organisations needed to recognise their responsibility to encourage smaller suppliers to implement basic cyber security to protect customer data.

The Cabinet Office (CO) told the PAC it considered it the “responsibility of larger organisations to encourage their supply chains to get basic cyber security right”, as many SMEs within supply chains can be a point of entry for cyber hackers.

The PAC said the government should involve sectors of the economy such as the retail industry in its strategy to improve cyber security, citing the example of the National Cyber Security Centre, which worked with the Bank of England to build better cyber security standards.

The PAC urged the government to outline how it would influence different sectors to provide their customers with information on cyber resilience, which should form “part of its approach to cyber security after 2021”.

Progress made by the CO to develop long-term objectives for the National Cyber Security Strategy has been hampered by “a weak evidence base and the lack of a business case”, the report continued.

The PAC said £1.9bn in funding was allocated to the strategy which would counter the threat of cyber attacks on the UK’s digital economy, but a “weak evidence base and lack of business case” makes it difficult to assess whether it will actually meet its objectives or provide value for money.

Following the end of its first National Cyber Security Strategy in 2016, the CO failed to complete robust “lessons learned” exercises to establish a baseline for the current strategy, the report said.

It continued: “A lack of a business case also means it is unclear whether the money allocated at the start of the programme was the right amount, making it more difficult to judge value for money.”

The PAC also said the government is yet to set out its approach to cyber security for 2021 onwards but it urged the CO to ensure another “long-term coordinated approach to cyber security is put in place well in advance of the current strategy finishing”.

Chair of the PAC, Meg Hillier, said: “With its world-leading digital economy, the UK is more vulnerable than ever before to cyber attacks. As the likelihood of these attacks continues to grow, the UK needs to protect itself against the risks created by more and more services going online.

“We welcome the National Cyber Security Strategy but are concerned that the programme designed to deliver it is insufficient. As it currently stands, the strategy is not supported by the robust evidence the Department needs to make informed decisions and accurately measure progress. On top of this, neither the strategy nor the programme were grounded in business cases – despite being allocated £1.9bn funding.”
