
Securing Public Sector Supply Chains

Discover how escalating state-sponsored cyber-attacks, especially on weak links in organisations' supply chains, are threatening public sector organisations.


Risk Ledger, a specialist in supply chain security, are one of our newest members at the Eastern Cyber Resilience Centre, a police-led and Home Office-funded organisation supporting businesses and the third sector in the Eastern region. We are both committed to raising awareness of cyber resilience within the SME community, and we are grateful to Haydn Brooks, CEO and Co-founder of Risk Ledger, for allowing us to publish part of this article, which originally appeared in Tech UK in October 2023.


Most organisations do not understand the risks posed by their supply chain

The NCSC issued a threat alert in April 2023, warning of escalated threats emanating from cyber attacks by state-sponsored threat actors against UK Critical National Infrastructure. This coincided with a speech by Cabinet Office minister Oliver Dowden at CyberUK in Belfast, in which he stated that the UK was facing a new adversary, “the cyber equivalent of the Wagner group”. These Russian-aligned groups, he explained, initially “focused their attacks on Ukraine and the surrounding region. But recently, they have begun to turn their attention to the UK and its allies”.


But even beyond the rising threat from state-sponsored attacks against the UK, the public sector has long been a prime target of a wide range of threat actors. In fact, 40% of all incidents managed by the National Cyber Security Centre between September 2020 and August 2021 were aimed at the public sector, while a freedom of information request from last year revealed that local authorities faced as many as 10,000 cyber attacks every day.


Many of these take the form of attacks on the weakest possible link in an organisation’s cyber security posture, often its supply chains. Supply chain attacks have become one of the leading cyber threats facing organisations, and can be among the most devastating, as prominent examples such as the SolarWinds (2020), Log4j (2021) and the recent MOVEit Transfer (2023) supply chain attacks attest.


The UK public sector has already found itself at the sharp end of these attacks, for example last year when the NHS was affected by a breach at one of its suppliers, Advanced, causing serious disruptions to its NHS 111 services.


Supply chain security in the new Government Cyber Security Strategy


The UK Government is very much aware of the scale of the threat, and has taken a determined leadership role in addressing it. This is evident in the new National Cyber Security Strategy 2022 and the subsequent Government Cyber Security Strategy 2022-2030, which is specifically aimed at strengthening the resilience of the public sector.


As part of this strategy, the Government provides public sector organisations with a range of best practice guidance and principles for enhanced supply chain risk management, including through GovAssure, a new cyber security assurance scheme for the public sector that is underpinned by the NCSC’s Cyber Assessment Framework (CAF). This is all good news, and the guidance places the right emphasis on the need for:

  • improved understanding of suppliers and their dependencies;

  • central mapping of government’s critical and common suppliers, not least in order to identify and manage systemic and aggregate supply chain risks to government;

  • greater visibility as the foundation from which an accurate assessment of risk can be derived;

  • shared capabilities, tools and services to tackle ‘common’ cyber security issues at scale.


The Strategy’s second pillar, ‘Defend-as-One’, meanwhile, sets out the vision for bolstering the public sector’s collective cyber defences by harnessing “the value of sharing cyber security data, expertise and capabilities across its organisations to present a defensive force disproportionately more powerful than the sum of its parts.”


What should I do next?


Free membership for any organisation that wishes to join


Join our community at the Eastern Cyber Resilience Centre; it’s totally free. We can talk to you about your firm’s cyber resilience and can offer guidance to free tools that you can implement straight away.

If you want to protect yourself from cyber-attack, consider implementing the 5 control measures found in Cyber Essentials. This will drastically reduce your likelihood of becoming a victim yourself, and so reduce the threat to your supply chain.


Tell us when you are ready and we can refer you to one of our Cyber Essentials Partners, who are Cyber Essentials accreditors in the East of England. They can accredit your work or provide technical help if required.


Contact the ECRC if you wish to learn more about Police Cyber Alarm – a free downloadable analyzer that sits on your external firewall and looks for signs of suspicious or malicious activity. If it finds anything of note, it will inform you and the police, whom it specifically helps to build up a current national cybercrime intelligence picture.

 

Further Guidance and Support


The ECRC is a police-led, not-for-profit organisation which companies can join for free.

When you join our community you get:

  • Threat alerts both regionally and nationally

  • Signposting to free tools and resources from both Policing and the NCSC

  • Free Little steps programme – which aligns to Cyber Essentials with bite-sized practical information to build cyber resilience

  • Support from the ECRC team

  • Check out our partnership pages for commercial cyber services.


We also work with local university students, who are trained and mentored by senior ethical hackers, to deliver affordable services designed especially for small and medium businesses. So, when you're ready for an insight into whether you have common vulnerabilities or are sharing a little too much online, or want to review your policies and practices, think of us.


Reporting a live cyber-attack 24/7


If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.


Reporting a cyber-attack which isn't ongoing


Please report online to Action Fraud, the UK's national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.


Report a phishing attack


If you suspect a phishing attack, please report it to the Suspicious Email Reporting Service (SERS) set up by the NCSC at: report@phishing.gov.uk

Text messages can be forwarded to 7726.

The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published in this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.
