The National Cyber Security Centre (NCSC) has issued new guidance about how organisations can better protect their supply chains against risk.
The move comes after it found just one in ten firms review the potential risks their direct suppliers pose.
Commenting on the guidance – which primarily urges firms to map their supply chains for cyber risk – NCSC deputy director for government, Ian McCormack, said: “Cyber attacks resulting from vulnerabilities within the supply chain can result in devastating, expensive and long-term ramifications for affected organisations, their supply chains and their customers.”
He added: “Despite these risks, many companies lose sight of their supply chains.”
According to the NCSC, better mapping of supply chains helps eliminate cyber risk by providing insight into the cyber security considerations that could be enforced through contracts. It also says this makes firms more prepared to respond to supply chain related cyber incidents.
Amongst its recommendations it calls for firms to:
1. Identify important information
Procurement teams should – it argues – make a full inventory of their suppliers and contractors and establish how they relate to each other.
It says firms should also establish what services are being provided by what suppliers; should store information about when suppliers were last assessed; and plan for when the next assurance assessment is due.
Additionally it suggests firms should also hold information about all certifications, including ISO certification and product certification.
However, it noted that this information can be an attractive target for hackers, so any such data needs to be held in a secure repository.
2. Contract terms
The guidance advises procurement teams to introduce better terms into contracts to ensure the information described above is provided as standard.
It says terms could include:
- Incident management responses and requirements to map timeframes for responding to a cyber security breach
- Requiring that data is protected through authentication and encryption
- Regular cyber audits of suppliers
3. Plan for risk
The NCSC recommends firms create a playbook to deal with situations where an incident may occur, so procurement teams are ready to coordinate efforts across the extended supply chain. This includes coordinating effort amongst any third parties, such as law enforcement, as well as regulators and even customers.
It further recommends that procurement teams document what new measures procurement needs to undertake as a result of any supply chain mapping.
According to the DSIT 2023 Security Breaches Survey, just over one in 10 businesses review the risks posed by their immediate suppliers (13%), while the proportion for the wider supply chain is half that figure (7%).