Prominent organisations, including Ofcom, the BBC, British Airways, Boots and Aer Lingus, have recently been targeted in a global cyber-attack by the hacking group known as "CLOP", compromising personal data belonging to their employees.
The attack exploited a vulnerability in the file-transfer software "MOVEit", produced by Progress Software, which enabled the hackers to breach the data of many organisations at once. As part of this, Zellis, a UK payroll services provider that used MOVEit, disclosed that eight of its client firms had experienced data breaches.
As the public sector actively pursues digital transformation in its operations, it faces, like many sectors, the challenge of maintaining the robust cybersecurity measures that secure operations require. The MOVEit hack, which infiltrated prominent public sector organisations as well as commercial entities, is a stark reminder that a public body's resilience against cyber threats depends not only on its own controls but on the security measures implemented by the external suppliers and outsourced systems it relies on. The government's 'Cyber Security Breaches Survey 2023' reported that 32% of businesses and 24% of charities recalled some breaches or attacks during the previous twelve months.
Given the volume and range of data they hold, and the essential nature of the services they provide, contracting authorities must proactively engage with cyber security issues, assessing risk and keeping up to date with best practice and relevant guidance. Contracting authorities need to identify their organisation's key risk areas and priorities and understand how to protect themselves and their systems in the event of a breach. Public bodies are not expected to be cyber experts, but obtaining input from those who are, from a technical, legal and regulatory perspective, will allow them to better assess and mitigate their organisation's cyber risks.
From a public procurement perspective, the MOVEit hack demonstrates the importance of managing supplier risk in organisations from the outset. This will require an understanding of how all suppliers operate and the systems and procedures they have in place to ensure cyber resilience. One way to take steps towards mitigating these risks is to choose a supplier with external accreditations.
The UK is taking proactive measures to encourage public bodies and businesses to prioritise strengthening their cybersecurity defences. One such initiative is the Cyber Essentials certification, which offers two levels of recognition; both adhere to the same technical standard but provide different degrees of assurance. The first level, Cyber Essentials, involves a verified self-assessment conducted by the organisation and certified by an approved certification body. The second level, Cyber Essentials Plus, entails a technical audit of the implemented controls performed by a licensed assessor. By selecting a supplier with Cyber Essentials certification, organisations can be reassured, to an extent, that their supplier is committed to cybersecurity best practice and to safeguarding its systems, networks and data from cyber threats.
The National Cyber Security Centre (NCSC) serves as the authoritative body in the UK for addressing cyber security incidents. As part of its efforts, the NCSC has developed the Cyber Assessment Framework (CAF), to evaluate the effectiveness of cyber risk management within businesses and their suppliers. The CAF can be utilised through a self-assessment process conducted by the organisation or an external entity, such as a regulator or a qualified organisation. The CAF aims to ensure a systematic approach to assessing and managing cyber risk within organisations.
As supply chains grow increasingly interconnected, vulnerabilities in suppliers' products and services become appealing targets for attackers seeking to gain unauthorised access to organisations and their systems. During the procurement process, contracting authorities need to conduct comprehensive evaluations and inquire about the cybersecurity capabilities of potential bidders. Where appropriate, contracting authorities should employ a quantitative scoring methodology as part of their procurement evaluation criteria to compare potential suppliers and determine the supply option that best protects them.
It is crucial, therefore, that contracting authorities are educated on the specific risks to which they could be exposed and are aware of the cyber protections and management systems they should be looking for in their supply chains. Security requirements should be tailored to the contracting authority's own needs, so that suppliers are asked to meet those specific needs rather than a generic standard.
Of course, the evaluation of cybersecurity protection does not stop once the procurement process has concluded. Incorporating a provision in your contracts that requires suppliers to offer regular reports on their security performance and compliance with risk management policies, procedures, and any formal security certifications will help maintain control of your supply chain. This diligent approach is essential to safeguarding businesses against dynamic and growing cyber risks.