If the UK Government gets its way, IT service vendors and other cloud-based service providers may soon be required to adopt new measures to strengthen their cybersecurity, amid rising concerns about supply chain risks.
The Department for Digital, Culture, Media and Sport (DCMS) has floated plans to make mandatory compliance with the National Cyber Security Centre's Cyber Assessment Framework, which provides guidance for organisations responsible for vitally important services and activities.
In a press release, the government department claimed that businesses recognise that cybersecurity is a priority, but that "action lags behind".
That damning assessment of the state of security comes as newly published research reveals that the majority of Britain's top business bosses (91 per cent, up from 84 per cent in 2020) see cyber threats as "a high or very high risk to their business", yet nearly a third of leading firms admit that they are not taking action on supply chain cyber security, with only 69 per cent saying their organisation actively manages cyber-related supply chain risks.
This week the UK government responded publicly to the findings:
"...the Government recognises the close interaction and the frequent business model overlaps between digital technology providers such as managed service providers, cloud service providers and some software vendors. All of these types of suppliers are endemic third party providers of digital technology services and are an indispensable part of UK and global supply chains. The government therefore agrees that any future policy should consider this broader range of digital technology providers, moving away from an exclusive focus on managed services."
"As more and more organisations do business online and use a range of IT services to power their services, we must make sure their networks and technology are secure," said Digital Infrastructure Minister Julia Lopez. "Today we are taking the next steps in our mission to help firms strengthen their cyber security and encouraging firms across the UK to follow the advice and guidance from the National Cyber Security Centre to secure their businesses' digital footprint and protect their sensitive data."
Recent attacks such as the one in early July involving IT service firm Kaseya, where ransomware was delivered to hundreds – if not thousands – of companies just as they were closing down for the Independence Day holiday weekend, have underlined the importance of making supply chain attacks more difficult for cybercriminals.
At the time, Tim Erlin, VP of product management and strategy at Tripwire, told the media that "No one should be surprised when a successful attack methodology is repeated, but we should aim to make these types of supply chain attacks harder to execute and incrementally less successful."
A review of current legislation in the UK is underway, and a new national strategy for cybersecurity is due to be launched before the end of the year. Only time will tell how successful it will be in helping businesses secure their systems and better protect their sensitive data.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.