How can we fix the systemic challenges of public sector supplier relationships? asks Jonathan Lee, Director of Public Sector Relations, at the cyber firm Trend Micro.
The public sector relies heavily on third-party technology and contractors to drive innovation and improve operational efficiency. However, this reliance can expose organisations to significant risk, as demonstrated by the NHS data breach following the cyber-attack on Synnovis earlier this year, which disrupted thousands of elective procedures, outpatient appointments and operations at major London hospitals.
Public sector organisations are a top target for hackers due to the sensitive data they hold about citizen records, as well as for critical national infrastructure and government operations. With supply chain attacks increasingly common as a route into public sector organisations, supply chain risk has become a significant threat to not only the bottom line of organisations, but also public-facing services and even national security.
Supplier risk – the NHS
To further understand the impact of suppliers on the overall cyber resilience of the public sector, we recently issued a series of Freedom of Information (FoI) requests to NHS Trusts and NHS Integrated Care Boards (ICBs).
FoI responses indicated that some Trusts experienced prolonged system downtime due to incidents originating with suppliers. One Trust reported that some services were offline for several hours following the CrowdStrike issue that affected Windows servers. In addition, one ICB reported that incidents involving systems managed by third parties resulted in breaches affecting patient data. When asked which types of suppliers were involved in the incidents, the FoI responses from one Trust named cloud service providers and telecommunications providers.
This underscores the need for greater oversight and collaboration to manage and mitigate the risks posed by third-party suppliers. Some Trusts outlined the supply chain security technologies they deploy, such as multi-factor authentication (MFA), endpoint detection and response (EDR), secure data-sharing platforms, and third-party risk assessment tools.
Systemic issues in procurement
While the NHS is only one area of the UK’s vast public sector, the findings revealed considerable variation between entities in how they manage supplier relationships and in their cybersecurity investment priorities.
This brings attention to a core challenge in the UK’s technology procurement strategy: the role of G-Cloud. While G-Cloud simplifies supplier access, it provides limited support in evaluating whether these technologies meet the unique requirements of specific public sector organisations. This absence of a standardised framework leaves organisations to navigate procurement with varying levels of risk awareness, potentially adopting technologies that fall short of their cyber security or operational needs. This gap in procurement processes clearly underlines the importance of stronger supplier oversight to protect against supply chain risks.
The solution? An accreditation framework
To address these gaps, we must establish an accreditation framework for technology suppliers. This framework would set clear, measurable cybersecurity standards aligned with public sector compliance needs, helping to set the bar for all third parties. Accreditation could involve rigorous assessments of a supplier’s cybersecurity practices, data handling protocols, incident response capabilities, and adherence to industry standards.
An accreditation framework would do more than just guide procurement officers – it would build a culture of accountability among suppliers. Accredited suppliers would need to prove that they are “secure-by-design”, keep up with evolving cyber security standards, and undertake regular re-evaluations to maintain their status. This would encourage providers to strengthen their security, leading to more secure partnerships and greater resilience across the public sector. By raising the bar on supplier standards, this framework would put the focus on trust, transparency, and innovation in public sector technology.
Final thoughts
To fix the systemic challenges of public sector supplier relationships and mitigate cyber risks in supply chains, we must establish a supplier accreditation programme. With this framework in place, public sector organisations can make informed decisions and ultimately enhance the safety and reliability of critical public services in what is an increasingly complex threat landscape.