The growing need for cyber protection controls in the SME defence supply chain

As prime contractors invest in increasingly effective cyber-defence strategies, attackers are using new ways to gain access to computer networks. This includes targeting companies further down the supply chain, particularly SMEs, who often connect to their customers’ networks, but whose computer systems are more vulnerable to attack and easier to exploit.

Whilst some SMEs are unaware of the problem or lack the expertise or resources to implement more effective cyber protection controls, others have a misguided view that they are too small or too unimportant to be a target for hackers.

As the MOD and industry continue to work together through the Defence Cyber Protection Partnership (DCPP) to develop a risk-based set of cyber protection controls, SMEs whose computer systems lack even a minimum level of protection risk being excluded from defence contract opportunities. In this blog we consider the wider impact and opportunity for SMEs.

The cyber security challenge

The 2019 Cyber Security Breaches Survey, released by the Department for Digital, Culture, Media and Sport, identified that in the last 12 months, around a third of businesses reported having been the target of one or more cyber attacks.

Supply chain infiltration is increasing, with hackers using weaker areas of the supply chain as an entrée to highly protected areas in order to steal valuable intellectual property and information, disrupt business operations and damage reputations. This was highlighted recently by the US intelligence community when it warned about cyber-espionage via supply chains: “Software supply chain infiltration is one of the key threats that corporations need to pay attention to, particularly how software vulnerabilities are exploited” (William Evanina, US National Counterintelligence and Security Center (NCSC)).

The MOD response to the cyber security risk

The Defence Cyber Protection Partnership (DCPP) is a joint initiative between the Ministry of Defence and industry which aims to improve the cyber security of the MOD supply chain through the deployment of agreed new cyber security standards and controls. It has developed the Cyber Security Model (CSM), a risk-based approach which defines the cyber protection controls a supplier must have in place in order to be awarded a contract or subcontract where MOD Identifiable Information is generated, transferred, stored or accessed electronically. This requirement is imposed across the whole supply chain.

The minimum requirement for all new procurement since 1 January 2016 is for suppliers to have Cyber Essentials certification.

Getting Cyber Essentials Certification

Obtaining Cyber Essentials certification is straightforward and consists of a self-assessment phase followed by validation by an external auditor. The latter is usually a telephone call.

In some instances, the higher award of Cyber Essentials Plus is necessary, not just for new work but to maintain existing contracts, as highlighted by an ADS member: “With the introduction of DCPP and the Risk Profile of the tasks that we were delivering and bidding, it became clear that we would need to achieve Cyber Essentials Plus. This involved a more extensive questionnaire and a site visit from the assessor so that he could conduct some vulnerability testing. It also requires frequent checks of the firmware versions on our networks.”

If you want help and support getting accreditation, why not take advantage of the expertise offered by ADS members, some at a special discounted rate for members. The National Cyber Security Centre has also published information about Cyber Essentials and how to obtain accreditation on its website.

Lacking a Cyber Essentials qualification is a key barrier to future business success. Simon Levy, Business Development, explains: “When matching capabilities of members with programmes for our Meet the Primes and industry engagement events, Primes and Tier 1s are starting to exclude suppliers that do not hold Cyber Essentials from tender programmes. We therefore recommend SMEs pursue accreditation as part of their business development strategy.”

ADS members can get advice on Cyber Essentials accreditation and how it can help their business by contacting Tim Martin, Head of Defence Commercial at ADS.


Already an ADS Member? Find out more about defence activities, programmes and opportunities by contacting Simon Levy, Head of Defence Business Development.