The technical director of the UK National Cyber Security Centre (NCSC) has urged UK organisations to reconsider the potential risks associated with “Russian-controlled” parts of their supply chain. The guidance comes from Ian Levy amid the Russia-Ukraine war and explores the likelihood of Russian commercial products and services being used by the Russian state to cause damage to UK interests.

No evidence of Russian subordinance but threats remain

“We have no evidence that the Russian state intends to suborn Russian commercial products and services to cause damage to UK interests, but the absence of evidence is not evidence of absence,” Levy wrote in a blog posting. “The war has proven many widely held beliefs wrong and the situation remains highly unpredictable. In our view, it would be prudent to plan for the possibility that this could happen. In times of such uncertainty, the best approach is to make sure your systems are as resilient as you can reasonably make them.”

Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB) and the pressure to do so may increase in a time of war, he added. “We also have hacktivists on each side, further complicating matters, so the overall risk has materially changed.”

Certain organisations at higher risk of Russian supply chain threats

Certain organisations using Russian-nexus products should reconsider the risk of Russian-controlled parts of their supply chain as part of their overall business risk management, Levy said. Specifically, these are businesses providing services to Ukraine, services related to critical infrastructure or doing work that could be seen as counter to the Russian state’s interests, he added.

“If you are more likely to be a target for the Russian state because of what’s going on, then it would be prudent to consider your reliance on all types of Russian technology products or services,” Levy said. “If you use services that are provided out of Russia (including development and support services), then you should think about how you could insulate yourself from compromise or misuse of these services. This is true whether you contract directly with a Russian entity, or it just so happens that the people who work for a non-Russian company are located in Russia.”

Regardless of whether you’re a likely target, ongoing global sanctions could mean that Russian technology services and support for products may have to be stopped at a moment’s notice. “This would bring a new set of risks. Enterprises should consider how such an event would affect their resilience and consider plans for mitigation.”

Removing Russian products a balance of risk

The question of whether businesses should continue to use Russian products and services is a pertinent one, and UK organisations may choose to remove them proactively, wait until contracts expire, or do so in response to the geopolitical events. Alternatively, businesses may choose to live with the risk, Levy wrote. Whatever decisions are made, cybersecurity remains a balance of different risks. “Rushing to change a product that’s deeply embedded in your enterprise could end up causing the very damage you’re trying to prevent,” he warned.

As for specific Russian products, Levy cited queries over the use of Kaspersky anti-virus – something that Germany’s BSI recently warned against over spying concerns. He said that it remains highly unlikely that individuals and most enterprises will be targeted by Russian cyberattacks regardless of whether they use Russian products and services. “However, you may need to move to a new AV product if Kaspersky itself becomes subject to sanctions, since the AV product would likely stop getting updates (and AV software is only effective if it’s updated regularly).”

Ultimately, the conflict has changed the world order and the increased risk and uncertainty aren’t going away any time soon, he added. “The best thing to do is to make plans, ensure your systems are as resilient as practical and have good recovery plans,” Levy concluded.