The UK’s National Cyber Security Centre (NCSC) has today published new guidance to encourage organisations to work in tandem with others in their supply chains to identify and address security issues, following a marked rise in incidents.
Cyber attacks originating from within supply chains have become widespread in the past 18 months to two years – arguably the most impactful event being the exploitation of SolarWinds services by Russian threat actors targeting downstream government customers in the US.
In light of this, the NCSC wants to encourage both medium and large organisations to assess effectively, and gain confidence in, the security of their supply chains. It cited recent government data showing that a paltry 13% of businesses regularly review the risks presented by their immediate suppliers, and just 7% do so for the wider supply chain.
“Supply chain attacks are a major cyber threat facing organisations and incidents can have a profound, long-lasting impact on businesses and customers,” said Ian McCormack, NCSC deputy director for government cyber resilience.
“With incidents on the rise, it is vital organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place. Our new guidance will help organisations put this into practice so they can assess their supply chain’s security and gain confidence that they are working with suppliers securely.”
Cyber minister Julia Lopez added: “UK organisations of all sizes are increasingly reliant on a range of IT services to run their business, so it is vital these technologies are secure.
“I urge businesses to follow this expert guidance from our world-leading National Cyber Security Centre. It will help firms protect themselves and their customers from damaging cyber attacks by strengthening cyber security right across their supply chains.”
The NCSC’s latest guidance package has been produced in conjunction with the Cross Market Operational Resilience Group (CMORG), which more usually focuses its energies on the financial services market, although this guidance is designed for organisations in any vertical.
It was produced in response to a 2021 government consultation that highlighted a need for further advice, and supplements the NCSC’s 2020 Supply chain principles, which it also references.
Broadly, the new guidance breaks supply chain security best practice into five actionable areas:
- Before starting, take time to understand why you should care about supply chain security, who bears responsibility for it in the organisation, and how your organisation evaluates risk.
- Then develop an approach to assessing supply chain security, prioritising critical assets, and create the key components of that approach, such as the specific requirements you will place on suppliers, contract clauses, and so on.
- This approach then needs to be applied to new supplier relationships, with controls embedded into the contract lifecycle, and performance and progress monitored and reported on.
- The approach can then be integrated into existing supplier contracts, and again, performance and progress monitored and reported on.
- Finally, security teams should adopt an approach of continuous improvement, evaluating and evolving the approach as their situation, or the threat landscape, changes, always in collaboration with suppliers.