The UK government is seeking feedback from industry voices on its proposed measures aimed at boosting supply chain cybersecurity following the SolarWinds and Codecov attacks.
It could see third-party technology outsourcing companies, known as managed service providers, bound by the current Cyber Assessment Framework.
Among the measures in the framework are requirements to protect data at rest and in transit, to keep secure and accessible backups of data, and to provide cybersecurity training for staff.
The Department for Culture, Media and Sports (DCMS) also wants feedback on existing guidance for supply chain risk management.
A supply chain attack sees threat actors target a supplier, such as a third-party software provider, to gain access to the other organisations it serves.
The call for views follows the SolarWinds supply chain attack that saw up to 18,000 of the IT software provider’s customers download a malicious update giving Russian nation-state hackers access to their networks. The attack affected companies across US government and the private sector.
Last month hundreds of Codecov customers were compromised after malicious hackers used a vulnerability at the online software testing company as a launchpad for other attacks.
“No matter how good your own network security, someone else may lose your data and bad actors are ready to exploit this, which highlights the need to secure your data, not just your network,” said Jeremy Hendy, CEO of dark web monitoring firm Skurio. “All organisations in a digital supply chain are generally businesses with their own supply chain – it is critical that they enforce security standards with their own suppliers, require ISO certification and set mandatory requirements for data processing.”
According to DCMS research, 12% of organisations review the cybersecurity risks stemming from their immediate suppliers. Just 5% look at security weak points in their wider supply chain.
DCMS said it is looking for industry feedback on examples of good supplier risk management.
Digital Infrastructure Minister Matt Warman said: “There is a long history of outsourcing of critical services. We have seen attacks such as ‘CloudHopper’ where organisations were compromised through their managed service provider. It’s essential that organisations take steps to secure their mission critical supply chains – and remember they cannot outsource risk.
“Firms should follow free government advice on offer. They must take steps to protect themselves against vulnerabilities and we need to ensure third-party kit and services are as secure as possible.”
Calls for views on supply chain security are open until 11 July 2021.