The British government is seeking views on what measures can be taken to enhance security of businesses’ digital supply chains and third-party IT services.

The consultation comes against a background of increasing cyber-attacks and data breaches involving suppliers of digital services and research showing few organisations assess cyber security risks coming from their suppliers.

Referring to a long history of outsourcing of critical services, digital infrastructure minister Matt Warman said: “We have seen attacks such as ‘CloudHopper’ where organisations were compromised through their managed service provider. It’s essential that organisations take steps to secure their mission-critical supply chains – and remember they cannot outsource risk.”

In the first step, the department for digital, culture, media and sport (DCMS) wants views on the existing guidance for supply chain cyber risk management.

As a second part to the consultation the department is testing a proposed security framework for firms which run organisations’ IT infrastructure, known as managed service providers.

They would have to meet the cyber assessment framework, 14 principles designed for organisations which play a vital role in the UK’s day-to-day life. The framework includes having policies to protect devices and prevent unauthorised access; ensuring data is protected at rest and in transit; keeping secure and accessible backups of data; training staff; and pursuing a positive cyber security culture.

DCMS research released in March revealed only 12% of organisations review cyber security risks from their immediate suppliers and only 5% address vulnerabilities in their wider supply chain.

The Cyber Security Breaches Survey 2021 report also showed that 39% of businesses and 26% of charities reported having cyber security breaches or attacks in the previous 12 months.

The government’s National Cyber Security Centre (NCSC) offers support to help organisations assess the security risks of their suppliers and the government has funds available to help organisations improve cyber risk management during the pandemic.

“As organisations increasingly move their operations online, digital supply chains and third-party IT service operators are becoming vital to companies’ everyday operations and are hugely important for business continuity and resilience,” the DCMS said. 

Warman added: “Firms should follow free government advice on offer. They must take steps to protect themselves against vulnerabilities and we need to ensure third-party kit and services are as secure as possible.”

The department’s supply chain cyber security call lasts from 17 May to 11 July.