Majority of UK's top business leaders are failing to manage supply chain security risks


Fresh research from the Department for Culture, Media, and Sport (DCMS) has revealed less than a third of business leaders in the UK's top companies are actively managing cyber security risks in the supply chain.

Just 28% of respondents strongly agreed when asked whether they actively manage vulnerabilities in their supply chain, despite 97% of businesses having been impacted by supply chain attacks in the past year.

That's according to new research from the DCMS, in which C-suite executives at 107 of Britain's top companies were asked about their businesses' cyber resilience.

The DCMS is now considering imposing tough new rules for businesses to follow to secure the country's digital supply chains, such as those set out in the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework.

The public sector may also face restrictions that could include more stringent procurement rules to ensure products and services are only bought from vendors with good cyber security histories, and plans for improved advice and guidance campaigns to help businesses manage security risks, the DCMS said.

There is strong support from industry for developing new or updated legislation to improve security at the supply chain level, with 82% of respondents agreeing that legislation could be an effective or somewhat effective solution.

Following a call for views, which closed in July 2021, the UK government will now develop more detailed policy proposals in response to the new findings. A review of current legislation is underway and a new national cyber strategy will be launched before the end of the year.

"As more and more organisations do business online and use a range of IT services to power their services, we must make sure their networks and technology are secure," said Julia Lopez, minister for media, data and digital infrastructure.

"Today we are taking the next steps in our mission to help firms strengthen their cyber security and encouraging firms across the UK to follow the advice and guidance from the National Cyber Security Centre to secure their businesses’ digital footprint and protect their sensitive data," she added.

Elsewhere in the research, interviews with C-suite executives showed that most boards (51%) at the very top of UK business are consulted on cyber security matters only once every quarter.


One in five boards (19%) are consulted on cyber security even less frequently, with the topic raised as little as once every six months. A similar proportion (20%) discuss the latest threats on a monthly basis, one in 20 (5%) discuss cyber security weekly, and just 1% discuss the matter daily.

Only a minority of boards at the UK's top firms (24%) report feeling 'very informed' enough to make key business decisions related to cyber security, and a sizeable proportion (34%) said that more awareness training and education is needed at board level to make better decisions about cyber resilience.

Other data from the research paints a more positive picture: most business leaders (91%) agree that cyber threats are considered 'high risk' or 'very high risk' at board level, a figure up from 84% in 2020.

A similar majority of leaders (92%) also agree that the board integrates cyber risk considerations into wider business areas. However, the data shows that greater awareness and more frequent consultation on the cyber security landscape may be needed to improve overall cyber resilience in UK businesses.

Connor Jones
News and Analysis Editor
