DCMS calls for feedback on improving cybersecurity in supply chains

New proposals could require managed service providers to meet strengthened security guidelines.

Credit: SIphotography / Jamie Lawton / Getty Images

The UK government’s Department for Digital, Culture, Media and Sport (DCMS) is considering new measures to enhance the security of digital supply chains and third-party IT services. As a result, managed service providers (MSPs) could be required to adhere to strengthened security rules or guidance going forward.

DCMS is calling for input from MSPs and firms procuring digital services on existing approaches to supply chain cyber risk management, along with new proposals on measures to enhance the security of digital supply chains and third-party IT services to protect businesses.

The new proposals could require MSPs to meet the current Cyber Assessment Framework, a set of 14 cybersecurity principles designed for organisations that play a vital role in the day-to-day life of the UK. The framework sets out measures businesses should take, such as:

- Having policies to protect devices and prevent unauthorised access
- Ensuring data is protected at rest and in transit
- Keeping secure and accessible backups of data
- Training staff and pursuing a positive cybersecurity culture

The move comes after DCMS research, released in March, found that only 12% of organisations review the cybersecurity risks coming from their immediate suppliers, whilst just 5% address the vulnerabilities in their wider supply chain.

Reliance on third parties increases security risks

As organisations continue to move operations online, their reliance on supply chains and third-party services intensifies, DCMS explained in a blog post. Given the risks involved, the government is focused on boosting the cyber resilience of the UK’s supply chains.
“We have seen attacks such as ‘CloudHopper’ where organisations were compromised through their managed service provider,” wrote digital infrastructure minister Matt Warman. “It’s essential that organisations take steps to secure their mission critical supply chains – and remember they cannot outsource risk. We’re seeking views from firms that both procure and provide digital services, as a first step in considering whether we need updated guidance or strengthened rules.”

Commenting on the announcement, Chris Waynforth, area vice president for northern Europe at Imperva, says it is encouraging to see the UK government taking steps to address supply chain and third-party security issues, especially when attacks continue to ripple across the globe. “It’s interesting to see the onus the government is placing on providers of digital services, in particular those providing managed services – suggesting they may be subject to some sort of regulation for the first time. Depending on the level of maturity, this may be music to the ears of some, allowing them to distinguish their services and show they are equipped to protect customers from supply chain attacks. For others, this could be time-consuming and a difficult process.”

Organisations will only be as secure as their partners, and in some cases their partner’s partner, Waynforth adds. “This requires deep visibility across the IT ecosystem as a way to build resilience. Knowledge of one’s supply chain will be essential for understanding exactly where the data is, who has access to it and how it’s being used.”

Waynforth notes that traditional security tools are less effective at managing supply chain risks as they extend beyond the perimeter. “Further, attacks are increasingly starting at the application layer and later infiltrate the data source. The complexity of today’s attacks means that organisations need visibility and protection from third-party risks that span from edge to application to data.
This is the only way organisations will be able to protect their sensitive data from supply chain attacks and the risks introduced by third-party services.”