Majority of UK's top business leaders are failing to manage supply chain security risks
New findings from a DCMS review have sparked concern in government which could see new laws introduced to protect Britain's digital supply chains
Fresh research from the Department for Culture, Media, and Sport (DCMS) has revealed less than a third of business leaders in the UK's top companies are actively managing cyber security risks in the supply chain.
Just 28% of respondents replied strongly in favour when asked if they actively manage vulnerabilities in the supply chain, despite 97% of businesses being impacted by supply chain attacks in the past year.
That's according to new research from the DCMS in which C-suite executives at 107 of Britain's top companies were asked about their business' cyber resilience.
The DCMS is now considering imposing tough new rules for businesses to follow to secure the country's digital supply chains, such as those set out in the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework.
The public sector may also face restrictions that could include more stringent procurement rules to ensure products and services are only bought from vendors with good cyber security histories, and plans for improved advice and guidance campaigns to help businesses manage security risks, the DCMS said.
There is strong support from the industry for developing new or updated legislation to improve security at the supply chain level with 82% of respondents agreeing legislation could be an effective or a somewhat effective solution.
Following a call for views, which closed in July 2021, the UK government will now develop more detailed policy proposals in response to the new findings. A review of current legislation is underway and a new national cyber strategy will be launched before the end of the year.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
"As more and more organisations do business online and use a range of IT services to power their services, we must make sure their networks and technology are secure," said Julia Lopez, minister for media, data and digital infrastructure.
"Today we are taking the next steps in our mission to help firms strengthen their cyber security and encouraging firms across the UK to follow the advice and guidance from the National Cyber Security Centre to secure their businesses’ digital footprint and protect their sensitive data," she added.
Elsewhere in the research, interviews of C-suite executives showed most board members (51%) at the very top of UK business are only consulted on cyber security matters once every quarter.
The truth about cyber security training
Stop ticking boxes. Start delivering real change.
One in five boards (19%) are consulted on cyber security even less frequently with the topic raised as little as once every six months. A similar proportion (20%) discuss the latest threats on a monthly basis, one in 20 (5%) discuss cyber security on a weekly basis while just 1% discuss the matter daily.
Just a minority of boards at the UK's top firms (24%) report feeling 'very informed' to make key business decisions related to cyber security, and a sizeable proportion (34%) expressed that more awareness training and education is needed at the board level to make better decisions about cyber resilience.
Other data from the research revealed a more positive outlook as most business leaders (91%) agree that cyber threats are considered 'high risk' or 'very high risk' at the board level - a figure which is up from 84% in 2020.
A similar majority of leaders (92%) also agree that the board integrates cyber risk considerations into wider business areas, however, the data shows greater awareness and more frequent consultation about the cyber security landscape may be needed to improve the overall cyber resilience in UK businesses.
Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.