In this Explainer, we explore the 5 leading third-party risk management challenges facing resource-strapped UK Councils, and offer some insights into a new approach to TPRM and supply chain security that could offer a solution.
UK Councils are highly vulnerable to cyber-attack due to the vast amount of sensitive data they hold and the limited resources they have at their disposal to defend against attacks. What’s more, Councils have extensive digital supply chains: they work with many external vendors and service providers on whose services they rely on a daily basis. These extensive relationships and dependencies can give hackers a route to compromise Councils’ own systems or data.
With severely restricted budgets, Councils face an uphill struggle not only to secure their own systems and data, but also to manage the cyber security risks posed by their suppliers and partners. In this Explainer, we explore the main challenges facing UK Councils in securing their supply chains, and offer some insights into a new approach to third-party risk management and supply chain cyber security that could offer a solution.
Councils in the UK have become one of the primary targets for cyber criminals and increasingly even foreign threat actors. A combination of the vast amounts of personal information they hold and the limited resources they can devote to cyber security makes them particularly vulnerable.
One study found that UK councils were subject to more than 10,000 cyber-attacks per day, while, according to DataBreachClaims.org.uk, the ICO (Information Commissioner’s Office) reported that cyber-attacks on local authority systems increased by 24% between 2022 and 2023 alone.
Phishing, ransomware and distributed denial of service (DDoS) attacks are common methods used to target councils, and the techniques used by threat actors are becoming more and more sophisticated and difficult to prevent or detect. As part of a more general digitalisation drive within the public sector and the economy as a whole, councils are using digital tools, and rely on third-party service providers, more than ever before to deliver critical public services. While essential, this also gives threat actors an even greater attack surface to exploit.
The dangers are real and present. Councils have suffered devastating consequences in recent years as a result of these attacks, and they are more often than not left to fend for themselves.
In 2020, a ransomware attack on Hackney Council resulted in criminals encrypting almost half a million files, costing the council £12m. A similar attack on Redcar and Cleveland Borough Council disrupted critical services and reportedly cost the council more than £10m. More recently, the websites of Salford, Bury, Trafford and Tameside councils were brought down by a DDoS attack that has been linked to a group of Russian cyber criminals.
In addition to these direct attacks on councils themselves, threat actors can gain access to Councils’ systems and data via the many hundreds of third-party suppliers and service providers that they rely on. In July last year, for example, a cyber-attack on a housing company resulted in thousands of Greater Manchester residents being targeted by phishing scams using stolen data. This means that those attempting to secure local authority data and systems need to focus not only on first-line defences, but also on ensuring the security of their critical third-party suppliers.
Based on numerous conversations that Risk Ledger has had over the past few months with Councils across the UK, we have summarised some of the key challenges that Councils are facing with respect to assuring the security of their critical suppliers and partners.
Councils across the UK are experiencing severe budget constraints and huge financial pressures. With such limited resources, Councils are often limited in how much they can invest in their cyber security defences and TPRM processes to adequately protect the vast amounts of sensitive data (think about all the personal details they hold in relation to Council Tax alone) that they hold. In a 2023 survey, more than a quarter of Councils said they had made “no progress” on cyber security, and 59% said their approach to cyber security was “outdated”, demonstrating the extent of the challenge they face.
Meanwhile, the risk posed by cyber criminals and foreign threat actors has grown as more Council services have been digitalised to meet public demand and increase efficiencies. At the same time, advances in technology, particularly AI, have added powerful new tools to the cyber criminals’ armoury and further expanded the attack surface, as more and more third-party providers integrate AI into their own tools and services. The rise of AI also means that attacks are no longer carried out purely by determined individuals with specialist IT knowledge, but can be perpetrated on a huge scale by non-specialists using AI to identify and exploit vulnerabilities. AI systems can also learn and mimic human behaviour, enabling attackers to run more nuanced phishing operations that are harder to detect.
While Councils are not regulated, they are advised to work towards compliance with the UK Government Cyber Security Strategy and the Cyber Assessment Framework’s (CAF’s) indicators of good practice; the CAF assurance framework is currently being adapted for local government by the Ministry of Housing, Communities and Local Government.
Complying with an adapted version of CAF for local government will be an ongoing process, which will involve identifying critical systems and supply chain dependencies, running assurance against such critical third parties, and developing plans to address vulnerabilities. The UK Government Cyber Security Strategy aims for the public sector to become resilient to all known vulnerabilities and attack methods no later than 2030.
However, new regulations are on the horizon. Last year, the government published a statement of its plans for a new Cyber Security and Resilience Bill. One of its key pillars will be its focus on supply chains and critical third parties. This reflects the widely held view that cyber security weaknesses in supply chains are fast becoming the number one cyber threat facing organisations today.
On their own, Councils often have limited means to encourage greater supplier responsiveness when a supplier’s level of engagement leaves much to be desired. Suppliers also have little incentive to engage in time-consuming manual, and often still spreadsheet-based, processes. They often receive hundreds of different security questionnaires from their different clients, making this a hugely time- and resource-consuming process for suppliers, too. This huge and largely unnecessary duplication of assessments causes bottlenecks in completing requests, impacting both suppliers and their clients, including Councils. With the prevailing lack of collaboration with peers, Councils thus have limited leverage against unresponsive suppliers on their own, and are often unable to influence change. Furthermore, information sharing remains limited as a result.
Councils often also don’t have direct access to the security teams at their suppliers, which further complicates the situation. Since supplier assessments are usually conducted during the tender or onboarding stages of a supplier contract lifecycle, the main points of contact at suppliers are typically members of their procurement and sales teams. This means that they coordinate the internal security due diligence requested by their clients, and that the security teams of the organisation onboarding this supplier don’t build relationships with the security teams at their suppliers.
Manual approaches with often inaccurate and out-of-date data on suppliers’ security controls result in slow and tedious ways of evaluating and reacting to supply chain incidents, such as Log4j or MOVEit, when they hit. When these incidents occur, and are being actively exploited by threat actors, it often takes days, weeks, even months to figure out whether an organisation may be impacted through one of their suppliers. But during that time, how much data has already been exposed to malicious attackers?
During supply chain attacks, Councils need to quickly understand and appreciate the risk to themselves from their supply chain, but they don’t usually have the capacity to check all of their suppliers at scale, and they may also not have their full supplier list to hand. In these scenarios, the lack of access to and relationships with the security teams at their suppliers becomes particularly detrimental.
Since security teams need to collect data to make informed decisions on the risk a particular supplier might pose to them, they usually put together their own set of questions and send them over email, with a deadline for responding. They then manually track responses via spreadsheets, Confluence pages, Google Docs and the like. All of the above takes too long, however, and involves a lot of manual work, significantly delaying response times.
As our corporate supply chains are ballooning in size, it has become almost impossible for individual security teams to assure the security of each supplier individually and continuously on their own. This lack of collaboration leads to a lot of unnecessary duplication of work between organisations and prevents a more scalable and resource-efficient approach to TPRM.
Moreover, the prevailing lack of collaboration prevents organisations from gaining a much better view of the critical dependencies and risks that might exist in their extended supply chains. These dependencies could affect multiple critical suppliers of Councils at the same time, and thus make any fallout even more difficult to respond to when it occurs. Having access to this contextual knowledge provides enhanced operational resilience and would allow Councils to better mitigate risks before they become a problem.
While there is much Councils can do to control security within their own organisations, tackling the risks in their supply chains is much more challenging. To optimise the use of the limited resources and budget available to Councils, an innovative new approach to supply chain cyber security might hold the answer: a social network approach.
Traditionally, organisations have approached third-party risk management and supply chain cyber security generally as a one-to-one and spreadsheet based assurance process with each of their critical suppliers. With often hundreds of critical suppliers, the time and resources required are simply prohibitive. The burden that this approach imposes on suppliers is also enormous. Suppliers receive numerous security questionnaires from clients and prospective clients all the time, leading to a situation where they simply cannot complete these in a timely manner, and it increases the chance that they don’t take each assessment as seriously as they should. This approach is simply no longer viable.
Risk Ledger has developed and successfully implemented an alternative, social-network approach to TPRM that leverages the power of networks and collaboration to reduce the burden for everyone involved, from security teams at organisations wanting to assure their critical suppliers to those at suppliers which need to demonstrate their organisation’s security to their clients.
This new approach is based on the idea of a social network like LinkedIn, but one which connects the cyber security and TPRM teams of organisations directly with those of their suppliers as well as with those of their peers across their industries. Each supplier has a profile on the platform, which contains information about their business, their security controls and other relevant risk areas, including ESG and financial risk. This profile is based on a standardised assessment framework specifically designed for supply chain due diligence, which is mapped against leading international standards like NIST, ISO 27001, the NCSC’s CAF and many others, and is updated twice a year to reflect new regulations and best practices. This solves one of the major impediments to more effective TPRM and to effective collaboration within industries on TPRM. It also solves a major problem for suppliers: the need to constantly complete similar yet different questionnaires for all their clients and prospects. On Risk Ledger, they simply complete one security profile, which they can then share with all connected clients at the click of a button. Instead of having to complete numerous different questionnaires, this gives them the space to actually focus on improving their security posture and simply keep one profile up to date. Clients can set requirements against our standardised assessment framework, so they can compare suppliers against the criteria which matter most to them.
Crucially, suppliers can also use the platform to manage their own supply chain risk, connecting with their own suppliers, thus using Risk Ledger as both a supplier and a client in their own right. Organisations acting as both suppliers and clients on the Risk Ledger platform is what uncovers the middle links in supply chains and builds out the map of dependencies within the wider supply chain ecosystem, not just between one client and their third parties. Because of these connections, the network can provide a unique visualisation of an organisation’s wider supply chain ecosystem beyond third parties, into fourth, fifth and n-th parties.
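To make the dependency map concrete, here is an added example that is not Risk Ledger’s code or a description of its platform. It builds a small, constructed many-to-many map of Councils, their suppliers and their suppliers’ suppliers, then answers the two questions the sections above raise: when a supplier is hit by a Log4j- or MOVEit-style incident, which Councils are exposed and through how many tiers (third, fourth, n-th party), and which suppliers are shared dependencies of several Councils at once. All organisation names are placeholders.

```python
"""
Supply-chain dependency map for a group of councils (added illustration,
not Risk Ledger's code). Organisation names are constructed placeholders.
"""
from collections import deque

# Constructed map: each organisation -> the suppliers it relies on.
# Councils depend on third parties; those depend on fourth parties, and so on.
DEPENDS_ON = {
    "Council A": {"PayrollCo", "HousingSoft", "WebHost Ltd"},
    "Council B": {"PayrollCo", "CaseMgmt Inc"},
    "Council C": {"HousingSoft", "CaseMgmt Inc", "WebHost Ltd"},
    "PayrollCo": {"CloudDB Ltd"},
    "HousingSoft": {"CloudDB Ltd", "MailRelay"},
    "CaseMgmt Inc": {"FileTransferCo"},
    "WebHost Ltd": set(),
    "CloudDB Ltd": set(),
    "MailRelay": set(),
    "FileTransferCo": set(),
}

COUNCILS = {"Council A", "Council B", "Council C"}


def reverse_edges(depends_on):
    """Build supplier -> set(customers) so we can walk upstream from an incident."""
    relied_on_by = {org: set() for org in depends_on}
    for org, suppliers in depends_on.items():
        for s in suppliers:
            relied_on_by.setdefault(s, set()).add(org)
    return relied_on_by


def exposed_councils(depends_on, councils, compromised):
    """
    Return {council: tier} for every council with a dependency path to the
    compromised supplier. tier=1 is a direct (third-party) supplier, tier=2 a
    fourth party, and so on. BFS guarantees the shortest path is reported.
    """
    relied_on_by = reverse_edges(depends_on)
    tiers = {}
    seen = {compromised}
    queue = deque([(compromised, 0)])
    while queue:
        node, depth = queue.popleft()
        for customer in relied_on_by.get(node, ()):
            if customer in seen:
                continue
            seen.add(customer)
            if customer in councils:
                tiers[customer] = depth + 1
            queue.append((customer, depth + 1))
    return tiers


def shared_dependencies(depends_on, councils, min_councils=2):
    """
    Return {supplier: set(councils)} for suppliers (at any tier) that at least
    `min_councils` councils depend on. These are the concentration risks where
    a single incident becomes a multi-council event.
    """
    reach = {}
    for council in councils:
        stack = list(depends_on.get(council, ()))
        visited = set()
        while stack:
            s = stack.pop()
            if s in visited:
                continue
            visited.add(s)
            reach.setdefault(s, set()).add(council)
            stack.extend(depends_on.get(s, ()))
    return {s: cs for s, cs in reach.items() if len(cs) >= min_councils}


if __name__ == "__main__":
    # Scenario: FileTransferCo, a fourth party, announces an actively exploited flaw.
    for council, tier in sorted(exposed_councils(DEPENDS_ON, COUNCILS, "FileTransferCo").items()):
        print(f"{council}: exposed via tier {tier}")
    print("Shared dependencies (3+ councils):")
    for supplier, cs in sorted(shared_dependencies(DEPENDS_ON, COUNCILS, 3).items()):
        print(f"  {supplier}: {sorted(cs)}")
```

In the constructed map, an incident at FileTransferCo reaches Council B and Council C only at the fourth-party tier, which neither would see from a first-tier questionnaire, and CloudDB Ltd turns out to sit beneath all three Councils even though none of them contracts with it directly. That is the kind of dependency a one-to-one assessment misses and a shared map surfaces.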
Risk Ledger has been working closely with several WARPs across the UK to collaboratively and efficiently improve their supply chain security. Together with ISfL and SEGWARP, Risk Ledger is running a project for 10 Councils to easily automate and assess supplier risk with fewer resources than manual processes require. Furthermore, we have formed a community on Risk Ledger where (if opted in) Councils will be able to share best practices and see each other’s supply chain maps. They will also be able to see risks raised against specific suppliers by their peers, mitigate these risks together, and collaboratively lobby unresponsive suppliers. Moreover, they will be able to collaborate on supply chain attacks when they strike, significantly improving their access to up-to-date supplier and contextual information in order to ascertain how their critical suppliers might be exposed to any attack.
The main benefit of this collaborative approach is that Councils commonly share many of the same suppliers, which means not only that numerous eyes are on the same supplier at all times, but also that unnecessary duplication of work is removed, creating an opportunity for shared assurance and collaborative risk management.
Joining our dedicated community for Councils provides participants with numerous benefits. They can now:
Within a mere 2 weeks since the start of the project, Risk Ledger was able to compare 300 unique supplier names provided by the participants and connect them to 180 of them. Councils also realised that on average 60% of their suppliers were already on the platform, making the process of connecting them even faster. And just by connecting the participants to these 180 suppliers, Risk Ledger was immediately able to identify 20 critical supply chain dependencies and potential risk factors that these Councils were previously unaware of.
With so many service providers, vendors and third-party suppliers digitally connected to every Council, effective risk management has hitherto been contingent on ample resources and large budgets. This is no longer the case. Leveraging the power of numbers and collaborating with peers significantly reduces the resource burden and enables, for the first time, more efficient and effective supply chain risk management.
Building a community of connected organisations helps to improve the resilience of every supply chain participant. In a sector where resources are constrained, councils can be much more effective at defending against cyber-attacks when they work together with their peers, and their suppliers.
This ‘defend-as-one’ approach allows councils to collaborate, to exchange best practices and continuously assess the security posture of shared suppliers. It enhances the ability of the entire supply chain to monitor threats and address vulnerabilities. If there is a cyber security breach at any connected organisation, the network is notified quickly and can work together to minimise the impacts.
At a time when financially constrained councils are facing growing threats from cyber criminals and foreign threat actors, it makes sense to combine resources and work together to reduce the risks.