The UK and French governments, and the EU, are ramping up their efforts to upgrade cyber resilience within businesses, not least in the increasingly vulnerable area of supply chain. Adrian Ladbury reports on the fast-evolving cyber security landscape.
The UK’s National Cyber Security Centre (NCSC), part of GCHQ, the UK’s central intelligence and security organisation, has issued new cybersecurity guidance in response to a growing trend in supply chain attacks.
The latest guidance issued by NCSC advises organisations to work with suppliers to identify weaknesses and boost resilience.
This forms part of a wider £2.6bn National Cyber Strategy project led by the Department for Digital, Media, Culture & Sport to ramp up the UK’s cyber resilience effort, including new legislation planned by the end of November.
The UK’s effort on cyber comes as the French government considers a new cyber bill that, among other measures, is proposing that ransomware payments will be insurable.
And late last month, the European Commission (EC) introduced its proposal for a new Cyber Resilience Act to protect consumers and businesses from products with inadequate security features.
Cybercriminals will not be quaking in their boots, but it’s good to see concrete steps being taken at national and pan-European level.
The UK NCSC’s latest guidance comes as it reported that, based on its research, just over one in ten firms currently review the risks posed by their immediate suppliers.
It said that cybersecurity experts have issued a fresh warning about the threat of supply chain attacks following a rise in the number of incidents, and the NCSC is urging UK firms to step up their efforts in this increasingly critical area.
The NCSC said the new guidance is designed to help medium-sized and larger organisations effectively assess the cyber risks of working with suppliers and gain assurance that mitigations are in place.
Supply chain attacks can cause far-reaching and costly disruptions, yet the latest government data shows just over one in ten businesses (13%) review the risks posed by their immediate suppliers, while the proportion for the wider supply chain is just 7%.
Ian McCormack, NCSC deputy director for government cyber resilience, said: “Supply chain attacks are a major cyber threat facing organisations, and incidents can have a profound, long-lasting impact on businesses and customers.
“With incidents on the rise, it is vital organisations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place.
“Our new guidance will help organisations put this into practice so they can assess their supply chain’s security and gain confidence that they are working with suppliers securely.”
Minister of state for media, data, and digital infrastructure, Julia Lopez, said: “UK organisations of all sizes are increasingly reliant on a range of IT services to run their business, so it’s vital these technologies are secure.
“I urge businesses to follow this expert guidance from our world-leading National Cyber Security Centre. It will help firms protect themselves and their customers from damaging cyberattacks by strengthening cybersecurity right across their supply chains.”
The guidance has been published in conjunction with the Cross Market Operational Resilience Group, which supports the improvement of the operational resilience of the financial sector, though the advice is for organisations in any sector.
It aims to help cybersecurity professionals, risk managers and procurement specialists put into practice the NCSC’s 12 supply chain security principles, and follows the government’s response to a call for views carried out last year, which highlighted the need for further advice.
The NCSC guidance describes typical supplier relationships and the potential weaknesses that might expose an organisation’s supply chain to attacks, defines the expected outcomes and sets out key steps that can help organisations assess their supply chain’s security.
In addition to guidance focused on improving supply chain cyber resilience, the NCSC has published a range of advice to help organisations improve their own cybersecurity.
This includes the Ten Steps to Cyber Security guidance, aimed at larger organisations, and the Small Business Guide for smaller organisations.
The NCSC and the Information Commissioner’s Office (ICO) – the independent authority created to uphold information rights in the public interest – also recently launched a new campaign advising companies not to give in to ransomware requests.
The NCSC said that, as of 2021, the average cost of a cyber incident to organisations in the UK was highest in the energy sector, with a median cost of $35,439 per cyber event (Source: Statista).
Other business sectors where the impact cost of a data breach is high include financial services, retail and wholesale, pharma and healthcare, and transport and distribution. The costs were lowest in the travel and leisure industry.
In September Lindy Cameron, NCSC chief executive officer, said there had been a recent rise in payments to “ransomware criminals”, adding: “Ransomware remains the biggest online threat to the UK and we do not encourage or condone paying ransom demands to criminal organisations.”
John Edwards, UK information commissioner, added: “Engaging with cybercriminals and paying ransoms only incentivises other criminals and will not guarantee that compromised files are released. It certainly does not reduce the scale or type of enforcement action from the ICO or the risk to individuals affected by an attack.
“We’ve seen cybercrime costing UK firms billions over the last five years. The response to that must be vigilance, good cyber hygiene, including keeping appropriate backup files, and proper staff training to identify and stop attacks. Organisations will get more credit from those arrangements than by paying off the criminals.”
The rise in ransomware attacks is one of the main reasons for the £2.6bn National Cyber Strategy, explained the NCSC. Part of the strategy was the creation of the National Cyber Crime Unit within the National Crime Agency, to bring together law enforcement experts into a single “elite” unit. There is also an established network of regional cybercrime units to provide access to specialist capabilities across the country.
The UK approach to ransomware interestingly contrasts with that recently taken by the French government.
In early September, French insurers were given the go-ahead by the Ministry of Economy to cover the ransoms paid by companies that fall victim to cyberattacks.
The ransom payments can, however, only be covered if the victim entity files a complaint. This decision was to be proposed in a new bill to be discussed in parliament in October.
French risk management association Amrae welcomed the forthcoming bill. The move looks set to make it more difficult for insurers in France to justify refusing to pay ransoms, after some, including the biggest French insurer AXA, ruled out payments on the grounds that they fuel criminal activity, as the UK’s NCSC has argued.
The French government said the goal is to boost transparency and better understand cyber risks, so that the insurance market can work on modelling and take steps to boost risk prevention among clients.
Another proposal in the report is broader exchange of information between the public and private sector about cyber losses.
Also in September, the EC presented its proposal for a new Cyber Resilience Act to protect consumers and businesses from products with inadequate security features.
The first EU-wide legislation of its kind, it would introduce mandatory cybersecurity requirements for products with digital elements throughout their whole lifecycle.
The Act was originally announced by EC president Ursula von der Leyen in September 2021. She said that the Act, building on the 2020 EU Cybersecurity Strategy and the 2020 EU Security Union Strategy, will ensure that digital products, such as wireless and wired products and software, are more secure for consumers across the EU. The Act will also increase the responsibility of manufacturers by obliging them to provide security support and software updates to address identified vulnerabilities. This will give consumers sufficient information about the cybersecurity of the products they buy and use, said the EC.
Thierry Breton, commissioner for the internal market, said: “When it comes to cybersecurity, Europe is only as strong as its weakest link – be it a vulnerable member state, or an unsafe product along the supply chain. Computers, phones, household appliances, virtual assistance devices, cars, toys… each and every one of these hundreds of millions of connected products is a potential entry point for a cyberattack. And yet, today most of the hardware and software products are not subject to any cybersecurity obligations. By introducing cybersecurity by design, the Cyber Resilience Act will help protect Europe’s economy and our collective security.”
The EC’s impact assessment carried out as part of the process to introduce the Act estimated that the annual cost of data breaches is at least €10bn, while the annual cost of malicious attempts to disrupt traffic on the internet is estimated to be at least €65bn.
The European Parliament and Council will now examine the draft Cyber Resilience Act. Once adopted, economic operators and member states will have two years to adapt to the new requirements. An exception to this rule is the reporting obligation on manufacturers for “actively exploited vulnerabilities and incidents”, which would apply one year from the date of entry into force, since it requires fewer organisational adjustments than the other new obligations, said the EC.