The UK government has warned organizations to take steps to strengthen their supply chain security.
New National Cyber Security Centre (NCSC) guidance has been issued amid a significant increase in supply chain attacks in recent years, such as the SolarWinds incident in 2020. The NCSC cited official government data showing that just over one in 10 businesses review the risks posed by their immediate suppliers (13%), while the proportion covering the wider supply chain is just 7%.
Aimed at medium-to-large organizations, the document sets out practical steps to better assess cybersecurity across increasingly complex supply chains. This includes a description of typical supplier relationships and ways that organizations are exposed to vulnerabilities and cyber-attacks via the supply chain, and the expected outcomes and key steps needed to assess suppliers’ approaches to security.
The new guidance followed a government response to a call for views last year, which highlighted the need for further advice.
Ian McCormack, NCSC deputy director for Government Cyber Resilience, explained: “Supply chain attacks are a major cyber threat facing organizations and incidents can have a profound, long-lasting impact on businesses and customers.
“With incidents on the rise, it is vital organizations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place.
“Our new guidance will help organizations put this into practice so they can assess their supply chain’s security and gain confidence that they are working with suppliers securely.”
The new guidance has been welcomed by the cybersecurity industry. Andy Zollo, regional vice president, EMEA at Imperva, said: “While a business may have the right security controls in place, it doesn’t mean their vendors across the supply chain do. This is particularly important when a business relies on third-party software or [has] API dependencies. The NCSC’s new guidance will be helpful for organizations that are trying to navigate this complex risk.”
However, Steve Judd, senior solutions architect at Jetstack by Venafi, criticized the narrow focus on supplier relationships and communication. “Today’s guidance from NCSC on securing software supply chains is a positive step towards raising awareness of the issue in the wake of damaging attacks, such as SolarWinds and the Log4J vulnerability. However, it offers the security industry very little in the way of actionable, technical information as it mainly focusses on issues such as supplier and stakeholder communication and ‘identifying your crown jewels.’ With this information being aimed at security professionals – among others – it lacks a bit of depth and can only take organizations so far in the journey to securing software supply chains.”