
Channel backs government plans to tighten supply chain security

DCMS consultation around MSP security is a chance for the industry to prove its worth and demonstrate that it can be a secure source of data services

At the start of the week, the government revealed that it wanted to boost the cyber resilience of UK supply chains and would consider calling on managed service providers (MSPs) to adhere to rules that ensure they are secure.

Those that operate on the security and data protection side of the channel have broadly welcomed the consultation started by the Department for Digital, Culture, Media and Sport (DCMS).

There is a feeling among many in the channel that security is already taken extremely seriously, and any hoops that the government would require MSPs to jump through could be accommodated and are likely to be already met by many suppliers.

The consultation period kicked off this week and runs until 11 July, with MSPs getting the chance to share their thoughts. The DCMS is keen to hear about best practices and examples of good supplier risk management.

The government hinted that one of the ideas it is considering is that it could become mandatory for MSPs to meet the current Cyber Assessment Framework and adhere to the 14 principles that encourage higher levels of security.

Andrew Pitt, co-founder of security specialist Saepio, said that those channel players that already understood the importance of securing their own data would not be fazed by the government’s discussion.

“We are very centred around strengthening the community and ensuring we are doing everything we can to mitigate the risk,” he said.

“Cyber security definitely has our government’s ear and as a result we are able to substantiate the messaging from a business point of view and relate it back to parliamentary initiatives,” he added. “It’s good that our government is focused on supporting businesses and cyber security businesses.”

Brooks Wallace, vice-president of Europe, Middle East and Africa (EMEA) sales at Deep Instinct, also welcomed the opportunity to share thoughts about how MSPs could improve their security levels, and saw the DCMS move as a positive.

“The DCMS can help to educate [MSPs] on the value of prevention and what it can mean for an MSP in the marketplace. That’s exactly what we want to hear because we can help out,” he said.

Others in the industry accepted that the experiences of the past year had triggered changes that meant data was more diverse and exposed to threats, and the DCMS consultation was a timely one.

“We have to remember that, in March 2020, we saw the start of Covid-19 and every company out there having to digitally transform, whether they were ready for it or not,” said Sophia Anastasi, head of channels and alliances at Skurio.

“A lot of these organisations – SME organisations that don’t have the right budget, or in-house expertise to have a really strong security posture – are the ones that are at risk of being breached,” she added.

“You stand a good chance of securing your data on your own network, because you understand what your security stack looks like. But you don’t know what the supply chain looks like and what their security looks like,” she said.

Chris Waynforth, assistant vice-president of Northern Europe at Imperva, said that it was important to put supply chain security risks under the spotlight.

“Concern over supply chain attacks and Nth party risks continue to ripple across the globe, and for good reason. Many are unprepared to manage the threats their ecosystem introduces to their organisation at a time when dependency on third-party providers is growing,” he said.

“It’s encouraging to see the UK government address this problem and spur organisations to think about supply chain attacks as more than just a security issue, but an operational risk that can affect the physical supply chain and the wider economy.

“It’s interesting to see the onus the government is placing on providers of digital services, in particular those providing managed services – suggesting they may be subject to some sort of regulation for the first time.

“Depending on the level of maturity, this may be music to the ears of some, allowing them to distinguish their services and show that they are equipped to protect customers from supply chain attacks. For others, this could be time-consuming and a difficult process,” he added.

Waynforth said that the DCMS consultation came at a time when many firms were facing up to the limitations of their existing security tools and discovering that they were not able to cope with a perimeterless network. Many organisations were also struggling with visibility of risks.

“Organisations will only be as secure as their partners, and – in some cases – their partner’s partner. This requires deep visibility across the IT ecosystem as a way to build resilience. Knowledge of one’s supply chain will be essential for understanding exactly where the data is, who has access to it and how it’s being used,” he concluded.
