Proposed digital supply chain regulations are good news for SMEs
Major attacks on technology providers like Kaseya and SolarWinds have highlighted how vulnerable organisations are to attacks on their digital supply chain. Managed service providers and technology companies give cybercriminals an avenue into hundreds or even thousands of organisations from a single breach.
The government has published a policy paper setting out its response to a ‘call for views’ on supply chain cyber security.
The government Policy Paper highlighted four key issues:
- Low recognition of supplier cyber security risk
- Limited visibility into supply chains
- Insufficient tools to evaluate supplier cyber security risk
- Limitations to taking action due to structural imbalances
Or to put it another way:
- Not enough people think about risks in the supply chain
- Those that do struggle to find good information about their supply chain
- There aren’t tools (or consistent standards) to help manage it in an organised way
- Unless your organisation is big and powerful, large suppliers won’t engage with you
Supplier continuity and supply-chain security are difficult because they are largely out of your control. You have to work with your suppliers, but your ability to influence them depends on how important you are to them.
Large companies can pressure their suppliers to adapt to their methods or adopt new processes. SMEs, on the other hand, can’t exert much pressure on someone like Microsoft, Dell or ServiceNow.
The benefits to SMEs
Without the market influence to effect change, SMEs need assistance to help secure their technology suppliers. A quote from the report highlights the specific challenge:
“a key point that was made in industry workshops regarding a notable imbalance of power between UK customers of all sizes and typically larger, often multinational, cloud and managed service providers. Many companies do not feel that they have the resources or power to request information or require, where appropriate, more stringent cyber security practices of their larger digital technology suppliers.”
Government regulation on supply-chain security therefore serves that purpose. It won’t necessarily help the largest organisations, but it will benefit SMEs.
What regulation?
So what mechanism is the best way to do that? The paper highlights a number of competing certifications and standards.
The Cyber Essentials scheme was introduced to set a minimum cyber security baseline. It is the most recognised scheme and was frequently referenced by respondents to the call for views. It is relatively lightweight, partly to encourage participation, because it aims to raise the bar for all organisations. Cyber Essentials Plus could be a good fit for MSPs because it also includes a ‘hands-on technical validation’ (as opposed to just verified self-assessment). The other alternative is the NCSC Cyber Assessment Framework (CAF), which is more advanced still.
Managed service providers do need to be held to a higher standard because of their privileged access and the greater impact of a breach. Increasing resilience in the digital supply chain has a positive network effect on all organisations. Increased regulation isn’t always the answer, but in this case it is the only realistic solution to the power asymmetries in the supply chain.