New NCSC Supplier Check Service – what you need to know
What has the Government ever done to protect our customers from cyber crime? Without sounding like a parody of the well-known Monty Python comedy sketch, it seems that the National Cyber Security Centre (NCSC) is evolving, stepping up from awareness and advice to a wider programme of intervention, as evidenced by the Active Cyber Defence (ACD) programme’s activities and a range of new services for 2019.
In their second published Active Cyber Defence report, they provide a wealth of data on how the NCSC's ACD programme is improving the security of the UK public sector and the wider UK cyber ecosystem. However, deep in the report are details of their plans to pilot a new Supplier Check Service. We’ve taken a look to see if resellers are being checked and what the introduction of this as a programme would mean for the UK channel.
Who? The NCSC
The NCSC was set up in 2016 as part of a wider strategy which sought to make government much more interventionist in the protection of the UK. Part of that interventionist strategy is the ACD programme, which aims to “protect the majority of people in the UK from the majority of the harm caused by the majority of the cyber attacks, the majority of the time”.
Why? Supply-chain Risk
The Supplier Check service will use passive techniques to identify suppliers to government, discover their public-facing IT footprint and then perform analytics to identify relevant security and configuration concerns. The aim is to see whether supply chain risk can be inferred from the public-facing infrastructure of those suppliers and resellers.
How? A hands-off approach
The report outlines an automated approach that doesn’t involve contacting the supplier or accessing any internal systems. They won’t be involved with any systems containing customer records, transaction data, or sensitive data of any kind, unless they are trivially accessible from the internet – a case which would indicate a real issue and call into question the suitability of the supplier to provide products or services.
The pilot is underway now and runs to the end of August 2019. Helpfully, though, you’ll know if you’ve been checked, as the NCSC will be in contact with a report highlighting key areas for improvement and a promise to check again in 6 months.
What does it mean?
From our point of view at Marathon, intervention is often welcome when it highlights a security problem that can be fixed. We can understand where the NCSC is coming from when trying to secure their supply chain. These projects, along with recent reports about the vulnerabilities found with outsourcers (see our blog Can we make Outsourcing secure?), add pressure on resellers to make their own security a priority. Some of you will have started this journey already, but get in touch if you need help in taking the first steps. The Marathon team have experience in supporting resellers to lock down their supply chain and we’d be happy to point you in the right direction.
It’s not all bad. As well as the Supplier Check service, the NCSC have also launched Exercise in a Box, an online tool which helps organisations find out how resilient they are to cyber attacks and enables them to practise their response in a safe environment. More on this in the coming weeks as we lift the lid and see what it has to offer. Talk to your Marathon account manager for more information or call us on 020 8329 1000.