Crown Commercial Service
How to build resilience and strengthen the cyber security procurement process – Procurement Essentials
Procurement Essentials is a new series of articles to help you overcome common hurdles, understand key concepts, and make your life as a buyer of everyday goods and services easier.
Public sector data is a tempting target for cybercriminals. The following article includes our 5 top tips for building resilience and strengthening cyber security within your organisation.
An ever-increasing threat
Britain has recently been named the ‘cyber attack capital of Europe’. The National Cyber Security Centre (NCSC) is the UK’s technical authority for cyber security incidents. According to its 2022 annual review, over the last year the cyber security threat has evolved significantly and businesses and organisations in the UK reported hundreds of cyber incidents to the NCSC, 63 of which were significant enough to require a national level response.
These attacks are predominantly ransomware attacks where cyber criminals use malicious software to block access to computer systems and threaten to release the organisation’s sensitive data unless the ransom is paid. The impact of a ransomware attack on public sector organisations can be devastating. Any data breach is not only a reputational issue but can cause real issues in the ability of organisations to deliver crucial frontline services.
For example, WannaCry – one of the most well-known examples of a ransomware attack – cost the NHS £92 million in 2017 and brought the NHS to a standstill for several days, affecting more than 600 healthcare organisations. Not only were thousands of appointments and operations cancelled, but staff were also left unable to access the key systems that they depended on.
Cyber attacks are calculated. Criminals that target the public sector’s data, networks and systems are often politically motivated and looking to steal specific information.
How to strengthen your cyber defences through the procurement process
With cyber criminals targeting supply chains and recent attacks such as SolarWinds, procurement can be an increasing concern for the public sector.
For example, the NHS has an extremely complex supply chain and relies on a large range of suppliers. These companies are critical to maintaining our health service; however, with criminals often targeting the weakest link within supply chains, they also pose significant risk.
How can the procurement process help reduce these risks?
One of the biggest supply chain challenges can be a supplier’s understanding or competence when it comes to cyber security. Accreditation is increasingly important in strengthening cyber defences within the procurement process. Buying through a framework ensures that your suppliers have had vetting checks for accreditation such as Cyber Essentials.
Cyber Essentials is a government-backed scheme that allows organisations to carry out a cyber self-assessment and provides an understanding of the organisation’s security levels. This will mean that your supplier has taken steps to safeguard their business against cyber threats and will assist in strengthening cyber defences within your supply chain.
A further step would be to request Cyber Essentials Plus, which offers additional protections as it includes a technical audit of the supplier’s systems as opposed to the self-assessment in Cyber Essentials.
NCSC Assured Suppliers
When buying cyber security services, there are additional certifications you can look for from a supplier. The NCSC offers assurance for a range of services including consultancy, incident response and penetration testing.
The advantages of using NCSC assured suppliers to manage supply chain risk are that they will have:
- met the NCSC’s standards and have a proven track record in delivering high quality consultancy services
- a defined process for working with customers to understand their needs
- demonstrated a clear understanding of current and potential cyber threats and techniques and potential effective mitigations
- been independently and rigorously assessed
- shown that they act with integrity, objectivity and proportionality
- shown that they protect the customer’s confidentiality and integrity and comply with relevant laws and regulations
- a commitment to continuously improve the services offered
5 steps to building resilience to cyber attacks:
Building cyber resilience is about strengthening cyber security to increase confidence and ensure that in the event of an attack, not only can your organisation continue to operate, but you can also recover quickly. Resilience means continuous, uninterrupted access to data whilst remaining secure and protected.
As threats continue to increase in frequency and sophistication, so must your preventative measures, which should include:
Understanding critical assets
The first step to building resilience is having a strong understanding of your organisation’s critical assets. These are resources that are fundamental to maintaining operations. Ask yourself: what impact would an attack have and what are your critical assets?
For example, for local authorities, critical assets include essential data which citizens rely on, including housing benefit, voter registration, electoral management, school grants and the provision of social care. It is imperative that it is protected in the event of an attack. Managing back-ups is an essential part of this process – rapid recovery is dependent on how regularly these back-ups are carried out.
Developing an incident response plan
A thorough incident response plan is crucial to resilience as this will ensure that you can recover quickly from an attack.
An incident response plan collects together the coordinating functions which guide, inform and support the whole response process. It encompasses a number of aspects, including triaging and categorising an incident through to your core response.
Educating employees and building cyber resilience
Phishing emails, which dupe staff into opening them and exposing the organisation to phishing attacks, have become more frequent and sophisticated during the pandemic. This shows the importance of creating a strong cyber security culture.
It is essential that your employees understand cyber threats, the potential risk, and their role in mitigating incidents. Educating your employees, increasing awareness and providing strong governance and training can all assist in building cyber resilience.
Keeping up to date with emerging cyber threats
New advanced threats are being discovered daily. Resilience also depends on detecting threats and on improving both your understanding of the threat landscape and your threat intelligence. Taking a proactive approach to cyber security is essential to ensuring that organisations are aware of threats so that methods can be adjusted.
Developing a Business Continuity Disaster Recovery plan
All organisations should have sufficient business continuity disaster recovery (BCDR) methods in place to make sure they can resume normal operations in the event of an attack. It should include a complete approach to keeping your team productive during planned or unplanned disruptions such as a cyber attack.
The BCDR plan builds resilience by reducing the risk of data loss and enhancing operations, detailing emergency contacts and key staff.
More: The Cyber Security Services 3 dynamic purchasing system (DPS) is the official route to market for NCSC-assured services, covering a wide range of cyber services. All suppliers have Cyber Essentials as a minimum and other accreditations can be selected using the filtering options. Visit our Cyber Security Services 3 page or contact the team.
You can now find all of our Procurement Essentials articles in one place on our website.