With most of the media focus in recent weeks being on preventing and retaliating to state-sponsored cyberattacks, one key point about the UK’s National Cyber Security Strategy (NCSS) that has been largely ignored is how tough it may be on UK IT suppliers.
What Is The NCSS?
As the name suggests, The National Cyber Security Strategy (NCSS) is a (five-year) plan for defending the UK’s systems and infrastructure, for deterring adversaries, and for developing a whole-society capability. The strategy, recently outlined in a speech at the recent ‘Future Decoded’ conference by UK Chancellor Philip Hammond, will be carried out with the help of a £1.9 billion budget which was allocated by the previous Chancellor George Osborne.
The Impact For IT Suppliers
In the Chancellor’s speech outlining the new strategy, although he focused on responding and retaliating to cyberattacks, some key issues relating to policy changes and the impact that the strategy will have on IT suppliers were overlooked. These will mean that:
- Suppliers to the public sector will have to be subject to more stringent checks and regulation to preserve cyber security. This looks likely to mean that if products or services are supplied to the government, it is the responsibility of the supplier to make sure that they already have high-level security features included in them. This means that the government’s job as the customer will be to remove those security features if they don’t believe they need them.
- With this new model, rather than the customer adding more security protection after receiving the products/services, it is the responsibility of the supplier to ensure that security features are maximised before delivery.
- There will be a rating system for suppliers, the results of which will be made public. This means that public sector companies and members of the public will have a means with which to judge the supplier in terms of how secure their products and services are, and this could impact upon future business for that supplier.
- The government also looks likely to grant itself the power to test a supplier’s cyber security measures, and to force them to make changes to improve them where it thinks they are needed.
- Suppliers will be made liable for cyber breaches that affect public services.
What Does This Mean For Your Business?
Although the government appears to believe that there will be a general benefit from cyber security regulations in the UK (being seen as higher in the UK than in other comparative advanced economies), if you are an IT supplier to the public sector this new national strategy may dramatically affect you.
It will mean higher costs and greater risks and responsibilities, plus it could mean that smaller suppliers may find it harder to compete. The effects of a poor rating could also mean that future business is affected and this could cause greater anxiety for suppliers and put more pressure on them.