UK government security experts have called on the country’s businesses to embed best practice security in their supply chains using a new playbook.
The National Cyber Security Centre (NCSC) said on Friday that the government’s Cyber Essentials (CE) scheme should be used as an assurance mechanism. It can be deployed in combination with a new NCSC Supplier Check tool, which enables organizations to quickly check which of their suppliers are certified, and to what level – CE or CE Plus.
The NCSC also reminded those UK businesses with a turnover of under £20m that CE certification entitles them to free cyber-liability insurance, including professional incident response support.
The playbook itself contains actionable advice, tools and resources to help businesses embed CE in their supply chains. It consists of seven steps:
- Understand your supply chain and any security risks that may affect your operations/reputation/contracts/safety
- Define a set of supplier security profiles
- Consider a minimum set of security requirements for each profile, using CE to help where appropriate
- Consider how to communicate and enforce minimum security requirements with suppliers
- Incentivize CE adoption
- Embed CE adoption into procurement processes and RFPs
- Monitor adoption via the Supplier Check tool
The NCSC said its Supply Chain Principles guide can also help organizations better understand the cyber-risks associated with suppliers for steps 1 and 2.
“There have been too many occasions where we’ve seen first-hand the impact that cyber-attacks can have on businesses. Supply chains can provide numerous points that attackers look to exploit, but only 14% of firms are on top of the potential risks faced by their immediate suppliers,” said cybersecurity minister Liz Lloyd.
“That’s why we wrote to the UK’s leading companies, to set out steps to bolster their cybersecurity – including a specific action on securing supply chains using the Cyber Essentials scheme – which should be a priority for every company.”
Cyber Essentials Still Struggling
The NCSC said CE is a great way for organizations to improve baseline security posture, noting that 43% suffered a cyber-attack over the past year.
However, take-up remains low. Even though quarterly certifications surpassed the 10,000 milestone for the first time in the first three months of the year, there are nearly six million private sector businesses in the UK.
Awareness of the best-practice framework sank to just 12% of businesses polled by the government in June, down from 16% in 2022. The figures for large (51%) and medium (43%) businesses are higher, but still nowhere near universal.
The study claimed just 3% of UK businesses are accredited, rising to 21% of large organizations.
