Procurement Essentials is a new series of articles to help you overcome common hurdles, understand key concepts, and make your life as a buyer of everyday goods and services easier.

Published 1 March 2023

Last updated 1 March 2023


NB: This article was originally published on 1 March 2023. All information was correct at the time of writing, but may not be fully applicable following the introduction of the Procurement Act 2023.

Public sector data is a tempting target for cybercriminals. The following article includes our 5 top tips for building resilience and strengthening cyber security within your organisation.

An ever-increasing threat

Britain has recently been named the ‘cyber attack capital of Europe’. The National Cyber Security Centre (NCSC) is the UK’s technical authority for cyber security incidents. According to its 2022 annual review, the cyber security threat has evolved significantly over the last year: businesses and organisations in the UK reported hundreds of cyber incidents to the NCSC, 63 of which were significant enough to require a national-level response.

These attacks are predominantly ransomware attacks, in which cyber criminals use malicious software to block access to computer systems and threaten to release the organisation’s sensitive data unless a ransom is paid. The impact of a ransomware attack on a public sector organisation can be devastating. A data breach is not only a reputational issue; it can seriously impair an organisation’s ability to deliver crucial frontline services.

For example, WannaCry – one of the most well-known ransomware attacks – cost the NHS £92 million in 2017 and brought the NHS to a standstill for several days, affecting more than 600 healthcare organisations. Not only were thousands of appointments and operations cancelled, but staff were also left unable to access the key systems they depended on.

Cyber attacks are calculated. Criminals that target the public sector’s data, networks and systems are often politically motivated and looking to steal specific information.

How to strengthen your cyber defences through the procurement process

With cyber criminals targeting supply chains, as in recent attacks such as SolarWinds, procurement is an increasing concern for the public sector.

For example, the NHS has an extremely complex supply chain and relies on a large range of suppliers. These companies are critical to maintaining our health service; however, because criminals often target the weakest link within a supply chain, they also pose a significant risk.

How can the procurement process help reduce these risks?

One of the biggest supply chain challenges can be a supplier’s understanding of, or competence in, cyber security. Accreditation is increasingly important in strengthening cyber defences within the procurement process. Buying through a framework ensures that your suppliers have been vetted for accreditations such as Cyber Essentials.

Cyber Essentials is a government-backed scheme that allows organisations to carry out a cyber self-assessment and provides an understanding of the organisation’s security levels. Certification means that your supplier has taken steps to safeguard their business against cyber threats, which in turn strengthens cyber defences within your supply chain.

A further step would be to request Cyber Essentials Plus, which offers additional assurance because it includes a technical audit of the supplier’s systems rather than the self-assessment used in Cyber Essentials.

NCSC Assured Suppliers

When buying cyber security services, there are additional certifications you can look for from a supplier. The NCSC offers assurance for a range of services including consultancy, incident response and penetration testing.

The advantages of using NCSC assured suppliers to manage supply chain risk are that they will have:

  • met the NCSC’s standards and have a proven track record in delivering high quality consultancy services
  • a defined process for working with customers to understand their needs
  • demonstrated a clear understanding of current and potential cyber threats and techniques, and of effective mitigations
  • been independently and rigorously assessed
  • shown that they act with integrity, objectivity and proportionality
  • shown that they protect the customer’s confidentiality and integrity and comply with relevant laws and regulations
  • a commitment to continuously improve the services offered

5 steps to building resilience to cyber attacks:

Building cyber resilience is about strengthening cyber security to increase confidence and ensure that in the event of an attack, not only can your organisation continue to operate, but you can also recover quickly. Resilience means continuous, uninterrupted access to data whilst remaining secure and protected.

As threats continue to increase in frequency and sophistication, so must your preventative measures, which should include:

  1. Understanding critical assets

The first step to building resilience is having a strong understanding of your organisation’s critical assets. These are resources that are fundamental to maintaining operations. Ask yourself: what are your critical assets, and what impact would an attack on them have?

For example, for local authorities, critical assets include the essential data that citizens rely on, such as housing benefit, voter registration, electoral management, school grants and the provision of social care. It is imperative that this data is protected in the event of an attack. Managing back-ups is an essential part of this process – rapid recovery depends on how regularly these back-ups are carried out.

  2. Developing an incident response plan

A thorough incident response plan is crucial to resilience as this will ensure that you can recover quickly from an attack.

An incident response plan collects together the coordinating functions which guide, inform and support the whole response process. It encompasses a number of aspects, from triaging and categorising an incident through to your core response.

  3. Educating employees and building cyber resilience

Phishing emails, which dupe staff into opening them and so expose the organisation to attack, have become more frequent and sophisticated during the pandemic. This shows the importance of creating a strong cyber security culture.

It is essential that your employees understand cyber threats, the potential risk, and their role in mitigating incidents. Educating your employees, increasing awareness and providing strong governance and training can all assist in building cyber resilience.

  4. Keeping up to date with emerging cyber threats

New advanced threats are being discovered daily. Resilience also means detecting threats and increasing both your understanding of the threat landscape and your threat intelligence. Taking a proactive approach to cyber security is essential to ensure that organisations are aware of threats, so that defensive methods can be adjusted.

  5. Developing a Business Continuity Disaster Recovery plan

All organisations should have sufficient business continuity disaster recovery (BCDR) methods in place to make sure they can resume normal operations in the event of an attack. The plan should include a complete approach to keeping your team productive during planned or unplanned disruptions such as a cyber attack.

The BCDR plan builds resilience by reducing the risk of data loss and supporting continued operations, and should detail emergency contacts and key staff.

More: The Cyber Security Services 3 dynamic purchasing system (DPS) is the official route to market for NCSC-assured services, covering a wide range of cyber services. All suppliers have Cyber Essentials as a minimum, and other accreditations can be selected using the filtering options. Visit our Cyber Security Services 3 page or contact the team.

You can now find all of our Procurement Essentials articles in one place on our website.