The lack of visibility of the supply chain’s resilience to cyber attacks is the biggest threat to British industry’s cyber security, according to a government survey.
Almost all (98%) of the 200-plus respondents to the survey said the lack of visibility of cyber resilience in the supply chain was either a severe barrier or somewhat of a barrier to effective supplier cyber security risk management.
The low recognition of risk, insufficient expertise to evaluate suppliers’ cyber risk, and insufficient tools or assurance mechanisms to evaluate suppliers’ cyber risk were also cited as barriers by the vast majority of respondents.
It should be noted that the last high-profile ransomware attack in construction – in which some of Arup’s staff were compromised earlier this year – was the result of attackers targeting a third-party payroll provider.
Confusion about standards, and the lack of them, was mentioned by many respondents. The report stated: “Respondents cited a lack of a common standard for organisations to be measured against (with mentions of existing standards and frameworks such as ISO 27001, Cyber Assessment Framework, Cyber Essentials and the National Institute of Standards and Technology, among others) creating a lack of a cohesive accepted approach or standards for organisations to work towards.
“Respondents that referenced specific standards often noted that Cyber Essentials was commonly understood as a good way of demonstrating compliance with a minimum baseline. Beyond this baseline, there was confusion for organisations about which standards they should be adhering to, or expecting of suppliers.”
The government response
The report noted that the majority of respondents thought that greater regulation would help, but predictably the government is not overly keen on this.
Responding in the report, it said: “Addressing supply chain cyber security risk requires investment from organisations, and lack of incentive to do so was identified as a significant additional barrier to cyber resilience. It is the responsibility of senior management and boards to prioritise and drive investment in this area.
“Alongside regulation, the government will seek to harness influential market agents to drive supply chain cyber security risk management up the agenda, ensuring they have access to appropriate guidance and information about the costs and impact of cyber incidents to strengthen the internal case for investment.
“Future government engagement will target those professionals and functions that may influence investment decisions within organisations, such as investors, banks and insurers, so that companies throughout the supply chain feel compelled to prioritise cyber security risk management.”
Clarifying and consolidating standards
With regards to standards, the government is considering ways of increasing the uptake of its Cyber Essentials initiative across the wider economy so “that it becomes a more universally adopted minimum security requirement in supplier contracts”. The government will also consider what can be done to clarify and consolidate the standards landscape above this minimum to make it a more effective tool for supply chain risk management.
Turning its attention to skills, the government said it “is addressing this challenge through funding mechanisms, working in partnership with further and higher education providers, and establishing formal accreditation for cyber skills through the UK Cyber Security Council. This will give organisations greater access to professionals with the skills to evaluate their suppliers’ cyber security risk posture.”
It added: “The work of the UK Cyber Security Council will also define the skills required by non-cyber professionals, such as procurement teams and security teams, to assess supplier risk throughout the supply chain lifecycle.”
Don’t miss out on BIM and digital construction news: sign up to receive the BIMplus newsletter.