The UK government is considering setting minimum cyber security requirements in public procurement.
The proposal could involve establishing an “assurance mark” to “promote uptake of the expected security standards and enable consistent procurement practices across the government, with security appropriately valued and embedded into decision making”.
The move is among a number of options to address cyber security in supply chains and managed service providers as figures show fewer firms are assessing risk in their wider supply chain.
A 2021 survey by the Department for Digital, Culture, Media and Sport (DCMS) found just 12% of businesses reviewed cyber risks from immediate suppliers, while just one in 20 (5%) did so for their wider supply chains, down from 9% in 2020.
Matt Warman, minister for digital infrastructure, said supplier risk management and assurance was something “organisations find particularly challenging”, while it was “now common for companies to outsource critical services”.
“Despite government and industry action, DCMS research shows that many businesses of all sizes are not adequately protecting themselves against cyber attacks, particularly attacks originating in their supply chains,” he said.
“As supply chains become interconnected, vulnerabilities in suppliers’ products and services correspondingly become more attractive targets for attackers who want to gain access to the organisations.
“Recent high-profile cyber incidents where attackers have used managed service providers as a means to attack companies are a stark reminder that cyber threat actors are more than capable of exploiting vulnerabilities in supply chain security, and seemingly small players in an organisation’s supply chain can introduce disproportionately high levels of cyber risk.”
DCMS said barriers to effective cyber security included low recognition of supplier risk, limited visibility into supply chains, insufficient expertise, and insufficient tools.
DCMS pointed to “Operation Cloud Hopper”, a cyber attack discovered in 2016 that compromised 14 managed service providers, and to a ransomware attack that disrupted a service provider’s ability to enable its staff to work remotely during Covid-19, “effectively putting operations reliant on the managed service on hold”.
DCMS said the threat from managed service providers was exacerbated because many operate internationally and provide services across borders.
Under the proposals, managed service providers could be required to follow updated security standards, such as having policies to protect devices and prevent unauthorised access, ensuring data is protected, keeping secure backups, and training staff.
A consultation runs until 11 July 2021.