Understanding the UK Government's supply chain cyber security guidance


October 13, 2022

The UK’s National Cyber Security Centre (NCSC) has released a 29-page document entitled "How to assess and gain confidence in your supply chain cyber security". To support Procurement leaders in digesting this information, Darkbeam's Supply Chain Cyber Resilience Analysts have condensed the document into this actionable guide.


Why you should care about supply chain cyber security

Cyber security affects every area of a business, not just its technology specialists.

In recent years, there has been a significant increase in the number of cyber attacks that originate from vulnerabilities within the supply chain rather than in the target organisation itself. Despite this, only 13% of businesses review the risks posed by their immediate suppliers, and only 7% review the risks of their wider supply chain.

Why might somebody be attacking your supply chain?

Many (but not all) cyber criminals are motivated by financial gain or political objectives. Your company may also be caught up in a supply chain attack in which it was not the intended target at all.

Who carries out cyber attacks

The two main reasons somebody could attack your supply chain are:

  1. They want to harm your organisation, but your suppliers are easier to compromise than you are, so they go through a supplier to reach you
  2. They want to harm one of your suppliers, and you become collateral damage

Note

Implementing an effective Supply Chain Cyber Resilience Plan makes your organisation both a less susceptible and a less appealing target of cyber crime. This reduces the likelihood of significant disruption to your organisation, as well as the risk of financial loss and reputational damage.

 

Identify the key players in your organisation

Medium and large organisations often have multiple stakeholders involved in most decisions. Identifying who these are is a significant step towards improving supply chain security and resilience.

Who needs to be involved

Once all of these stakeholders have been identified, they will need to be informed of the process. Sharing this guide alongside some of your business-specific observations is a good introduction to the topic.

 

Develop an approach for assessing supply chain security

Companies’ supply chains are often expansive. To tackle the cyber security risk that suppliers introduce through the Procurement process, your organisation will first need to identify its ‘Crown Jewels’: the critical suppliers whose compromise would have the greatest impact on the business.

Security factors to consider

Other factors to consider when assessing each supplier are:

  • Is the supplier potentially connected to any governments which may be hostile?
  • Is the supplier potentially connected to any companies or organisations which may be hostile?
  • Would a breach via the supplier impact the business’s reputation?
  • Would a breach via the supplier cause significant financial, legal, regulatory or contractual consequences?

Note

Categorising suppliers can be time-intensive. Darkbeam's expert Supply Chain Cyber Resilience Analysts have worked with Procurement teams in FTSE 100 companies to make this process as efficient as possible.

 

Implementing a process for managing cyber security in the supply chain

Using the answers to the questions above, suppliers can be divided into three impact profiles. Each profile is assigned a set of minimum expectations, which are communicated to suppliers and added as clauses to their contracts. The expectations are cumulative: each profile inherits everything required of the profile below it.

Some examples of these clauses are:

Low impact suppliers

  • Cyber Essentials scheme certification

Moderate impact suppliers (the above plus)

  • A defined and implemented security policy, with training for all employees and contractors, including vetting of potential employees
  • Record and maintain the security level of their entire network
  • Demonstrate security governance that scales proportionately with the size of the organisation

High impact suppliers (the above plus)

  • Compliance with the procuring organisation's security policy
  • A policy for granting access to sensitive assets
  • A policy controlling remote access to networks and systems
  • A policy for regular off-line back-up of data held off-site
 

Note

Ensuring that all suppliers are monitored via a Darkbeam Watchlist means you will have a standardised measurement of their cyber security position which is routinely updated automatically.

 

Integrating the Supply Chain Cyber Resilience approach into new supplier relationships

The simplest place to start when implementing new processes is with new suppliers.

But before you can have the conversation with prospective companies, everyone involved in assessing suppliers must:

  • Be aware of the threats posed by supplier cyber security
  • Understand their role in reducing the risk
  • Understand the processes you have defined

As cyber security risks and threats are constantly evolving, cyber assessments cannot be a ‘once and done’ activity. Instead, the supplier’s cyber position should be monitored continually throughout the lifecycle of the contract.

Cyber security in the contract lifecycle

Note

In addition to automatic risk monitoring via Watchlists, Darkbeam can provide ongoing Cyber Threat Intelligence - alerting you when a key supplier has been breached or has become the likely target of a cyber criminal's campaign.

 

Integrating the Supply Chain Cyber Resilience approach into existing supplier relationships

During an ongoing contract, it can be difficult to impose material changes such as a new cyber security policy and its associated processes. Despite this, it is still possible to make significant improvements to resilience.

  1. Identify existing contracts
    Build a register of all suppliers that your business is working with. If this is not possible, key suppliers should be identified at minimum.

  2. Risk assess and prioritise contracts
    Refer to the assessment earlier in this document.

  3. Support suppliers
    If you find a shortfall in how existing suppliers are managing cyber risks, it might be the first time they’ve been asked to address the problem. Supporting the supplier is important - consider implementing a Security Management Plan with them.

  4. Review contractual clauses
    If the existing contract does not allow for assessments during the contract term, you will need to understand what can be achieved on a ‘best endeavours’ basis until it can be contractually binding.

  5. Monitor supplier security performance
    Cyber risks and threats evolve constantly. Ongoing monitoring is as important as the initial cyber assessment.

Note

In cases where existing suppliers run into the thousands or even tens of thousands, it can be unrealistic to subject every supplier to the above process. In this case, identify the suppliers which pose a material risk using the assessment process earlier in this document, and prioritise those.

 

Reporting on Supply Chain Cyber Resilience progress

As Supply Chain Cyber Risk Management is closely tied to good governance, it is important that it is upheld and reported upon, so that the practices introduced remain relevant.

One way to do this is by providing regular updates of risk levels to the Board or an internal committee. These reports might include:

Supply Chain Cyber Resilience Reporting

Note

Darkbeam's highly experienced Supply Chain Cyber Resilience Analysts have worked with FTSE 100 companies to support them in assessing, building resilience and monitoring their supply chain for cyber security risks and threats. To learn more about how Darkbeam can support your Procurement team, please complete the form below.
