Background
8th April 2025

Plan for Change: Ensuring the UK’s Critical Infrastructure Is No Longer an Easy Target for Cybercriminals

The government has released its new Plan for Change in a bid to secure the UK’s future by bolstering its security posture and strengthening critical infrastructure.


By AJ Thompson, CCO at IT Consultancy Northdoor plc

Third-party IT consultants can help safeguard the public sector using a 360-degree, 24/7 overview of supply chains

The government has released its new Plan for Change in a bid to secure the UK’s future by bolstering its security posture and strengthening critical infrastructure. Hospitals and energy suppliers will look to boost their defences under the new Cyber Security Resilience Bill, in order to safeguard public services and ensure growth.

The new Bill will ensure that organisations that provide IT services to the public sector will no longer be an easy target for cybercriminals, with 1,000 service providers falling into the bracket of proposed measures that are expected to be introduced in the latter part of this year. The move will give the public, businesses and investors greater confidence in IT and digital services, helping to spur economic growth.

Between 2015 and 2019, cybercriminals cost the UK economy £22 billion a year, causing massive disruption to the NHS and other public sector organisations. The Synnovis ransomware attack on 4th June 2024 caused widespread disruption to NHS services in London, with 10,152 acute outpatient appointments and 1,710 elective procedures postponed at King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust. Figures also show that a hypothetical cyber-attack focused on key energy services in the South East of England could wipe a staggering £49 billion from the wider UK economy.

The most recent Cyber Security Breaches Survey also highlights that 50 percent of UK businesses suffered an attack in the last 12 months, with more than seven million reported incidents in 2024. With this in mind, the government is looking to give the Technology Secretary extra powers to direct regulated organisations to take rapid action to strengthen their cybersecurity defences.

Under the new Cyber Security Resilience Bill, organisations and suppliers such as data centres and Managed Service Providers (MSPs) will need to adhere to strict cybersecurity requirements. This means that third-party suppliers will be required to boost their own cybersecurity postures to minimise the impact of cyberattacks by protecting their data and their networks. With companies required to report more incidents, this will build up a broader picture of cyberattacks and of where weaknesses lie in networks and defences. This will help to better protect critical infrastructure, supply chains and the public.

AJ Thompson, CCO at Northdoor plc, explains: “The protection of critical services such as water, power and healthcare is crucial as the UK faces new and emerging cybersecurity threats. The Cyber Security Resilience Bill is designed to arm the UK with the cyber defences it needs to protect itself against increasingly sophisticated threats by safeguarding supply chains and critical infrastructure.

“The attack on Synnovis is a prime example of how cybercriminals are using third-party suppliers to attack their intended ‘primary’ target. The NHS and other public service providers hold valuable, sensitive data and have always been a target for cybercriminals looking to sell this data for profit. In recent years the NHS has invested in front-line cyber defences, therefore cybercriminals have turned to an easier route to access data by targeting third-party groups supplying the healthcare and public sectors.

“The key to keeping the back door locked is having an overview of the possible vulnerabilities that lie within your supply chain. For most public sector organisations with a huge number of different partners and suppliers this seems like an impossible task.

“Current methods of analysing supply chain risk usually involve surveys sent out to potential partners at the point of contract signing. This means that you are entirely reliant on the knowledge, expertise and honesty of the IT team of your potential partner. In the face of such consistent and sophisticated attacks, this is no longer acceptable nor effective.

“The nature of supply chain relationships means that almost every partner is connected into your systems. This is particularly the case with the public sector, as partners providing critical services are essentially part of the organisation and therefore should be under the same levels of scrutiny as in-house departments.

“The only way to do this effectively is to have a 360-degree, 24/7 overview of the whole supply chain. With internal teams struggling with the workload already, many are turning to qualified third-party Security Operations Centres provided by IT services consultancies. They have teams of experts who can supplement internal teams, allowing for a comprehensive view of where vulnerabilities lie. This then allows the NHS and other public sector organisations to have urgent conversations with supply chain partners to shut the vulnerabilities before they are exploited by cybercriminals,” concluded Thompson.

AJ Thompson
