By mhill, UK Editor

UK government considers strengthening security rules for MSPs to address supply chain risks

News Analysis
May 18, 2021 | 3 mins
Compliance, Risk Management, Supply Chain

DCMS calls for feedback on improving cybersecurity in supply chains. New proposals could require managed service providers to meet strengthened security guidelines.


The UK government’s Department for Digital, Culture, Media and Sport (DCMS) is considering new measures to enhance the security of digital supply chains and third-party IT services. As a result, managed service providers (MSPs) could be required to adhere to strengthened security rules or guidance going forward.

DCMS is calling for input from MSPs and from firms procuring digital services, both on existing approaches to supply chain cyber risk management and on new proposals to enhance the security of digital supply chains and third-party IT services. Under the proposals, MSPs could be required to meet the NCSC’s current Cyber Assessment Framework (CAF), a set of 14 cybersecurity principles designed for organisations that play a vital role in the day-to-day life of the UK. The framework sets out measures businesses should take, such as:

  • Having policies to protect devices and prevent unauthorised access
  • Ensuring data is protected at rest and in transit
  • Keeping secure and accessible backups of data
  • Training staff and pursuing a positive cybersecurity culture

The move comes after DCMS research, released in March, discovered only 12% of organisations review the cybersecurity risks coming from their immediate suppliers, whilst just 5% address the vulnerabilities in their wider supply chain.

Reliance on third parties increases security risks

As organisations continue to move operations online, their reliance on supply chains and third-party services intensifies, DCMS explained in a blog posting. Given the risks involved, the government is focused on boosting the cyber resilience of the UK’s supply chains.

“We have seen attacks such as ‘CloudHopper’ where organisations were compromised through their managed service provider,” wrote digital infrastructure minister Matt Warman. “It’s essential that organisations take steps to secure their mission critical supply chains – and remember they cannot outsource risk. We’re seeking views from firms that both procure and provide digital services, as a first step in considering whether we need updated guidance or strengthened rules.”

Commenting on the announcement, Chris Waynforth, area vice president for northern Europe at Imperva, says it is encouraging to see the UK government taking steps to address supply chain and third-party security issues, especially when attacks continue to ripple across the globe. “It’s interesting to see the onus the government is placing on providers of digital services, in particular those providing managed services – suggesting they may be subject to some sort of regulation for the first time. Depending on the level of maturity, this may be music to the ears of some, allowing them to distinguish their services and show they are equipped to protect customers from supply chain attacks. For others, this could be time-consuming and a difficult process.”

Organisations will only be as secure as their partners, and in some cases, their partners’ partners, Waynforth adds. “This requires deep visibility across the IT ecosystem as a way to build resilience. Knowledge of one’s supply chain will be essential for understanding exactly where the data is, who has access to it and how it’s being used.”

Waynforth notes that traditional security tools are less effective at managing supply chain risks as they extend beyond the perimeter. “Further, attacks are increasingly starting at the application layer and later infiltrate the data source. The complexity of today’s attacks means that organisations need visibility and protection from third-party risks that span from edge to application to data. This is the only way organisations will be able to protect their sensitive data from supply chain attacks and the risks introduced by third-party services.”