The Department for Digital, Culture, Media and Sport (DCMS) has unveiled new proposals aimed at “protect[ing] the country’s digital supply chains”. Under the proposals, IT service providers could have to follow new rules, including the National Cyber Security Centre’s Cyber Assessment Framework, to bolster their cyber resilience.
Although the proposals were developed before the results of the latest Cyber resilience captains of industry survey 2021 were published on 15th November, they directly address the key issue highlighted by that research. The survey, conducted with “chairs, CEOs and directors of Britain’s top companies”, demonstrates a gap between perceived cyber security risk and “action on supply chain cyber security”: 91% of respondents now “see cyber threats as a high or very high risk to their business”, whereas just 69% say they’re “actively manag[ing] supply chain cyber risks.”
The proposals are the result of a government consultation that began in May 2021, driven by “an increasing number of organisations…suffering cyber attacks via their supply chains or via their providers of IT services.” During the government’s ‘call for views’ on this issue, 82% of respondents agreed that an effective (or somewhat effective) solution could be legislation.
Minister for Media, Data and Digital Infrastructure, Julia Lopez, said:
“As more and more organisations do business online and use a range of IT services to power their services, we must make sure their networks and technology are secure.
“Today we are taking the next steps in our mission to help firms strengthen their cyber security and encouraging firms across the UK to follow the advice and guidance from the National Cyber Security Centre to secure their businesses’ digital footprint and protect their sensitive data.”
As the DCMS admits, this is only the beginning of an idea to strengthen the UK’s digital supply chains. A “new national cyber strategy” is promised “later this year”. Policy proposals need to be developed further and the government is reviewing “the laws and measures which encourage firms to improve their cyber security”.
More generally, the Cyber resilience captains of industry survey 2021 results show that the country’s largest firms – the Top 500 industrials by turnover and the Top 100 financial companies by capital employed – are taking cyber risks seriously.
77% of respondents said cyber security is discussed at board level on at least a quarterly basis. 92% reported that their “board integrates cyber risk considerations into wider business areas”.
However, only 16% said that their company’s board members needed no support “to be able to make better decisions about cyber resilience”. The most commonly chosen type of support needed was “awareness raising / education / training for board members” (34%), which is almost identical to our cyber security motto at ESA Risk: training, education and awareness.
The National Cyber Security Centre’s Cyber Assessment Framework is structured around 4 objectives and 14 principles of cyber security and resilience. It “provides a systematic and comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the organisation responsible”.
For cyber security advice and support, including supply chain cyber resilience and meeting the Cyber Assessment Framework, contact Graeme McGowan, Cyber Risk & Security Consultant at email@example.com, on +44 (0)843 515 8686 or via our contact form.