How UK Local Authorities Have Come Together to Transform Supply Chain Security Through Collaboration

Facing rising supply chain cyber attacks and fragmented, isolated risk management methods, UK councils pioneered a 'Defend-as-One' collaborative model. Learn how this collaboration uncovered over 1,000 hidden supplier dependencies and critical concentration risks.

Facing rising cyber attacks, dwindling resources, and a complex web of supply chain cyber risk, UK local authorities reached a critical turning point: they couldn't secure essential public services alone. Instead of relying on fragmented, manual, and increasingly obsolete traditional Third-Party Risk Management (TPRM) methods, a group of local authorities have pioneered a groundbreaking, collaborative defence model, transforming their individual limitations into a collective shield. This is the story of how they came together to “Defend-as-One,” moving beyond isolation to gain unprecedented visibility into systemic vulnerabilities and boost the operational resilience of UK public sector supply chains.

UK local authorities, the indispensable providers of essential public services and custodians of vast amounts of sensitive citizen data, find themselves increasingly vulnerable amidst rapid digitalisation. As they accelerate their digital transformation, reliance on external suppliers and service providers has surged, inadvertently heightening their exposure to an unrelenting wave of cyber threats. Compounding this systemic risk are harsh structural realities: limited budgets, critical skills shortages, and mounting regulatory pressures.

The situation has escalated into a full-blown cyber crisis, with official data painting a concerning picture. In just three years, UK metropolitan councils reported over 12,700 data breaches, an alarming 388% increase. Recent industry research confirmed that the supply chain is a primary vulnerability, finding that 86% of UK Councils experienced at least one cyber incident involving a supplier in the past year alone.

The Flaw with Isolation: Why Traditional TPRM Failed

Historically, local authorities approached Third-Party Risk Management (TPRM) in isolation, leading to a fragmented, reactive, and resource-intensive process that proved incapable of handling the scale of the threat. Each local authority separately sent risk questionnaires to the same suppliers and reviewed the responses on its own, a costly, manual exercise that resulted in vast and unnecessary duplication of effort and generated "audit fatigue" among vendors.

Furthermore, this siloed approach prevented the crucial sharing of supply chain intelligence and masked systemic risks—the shared, hidden vulnerabilities that could cripple an entire sector if a critical common supplier were compromised. Because suppliers' security postures change dynamically, the reliance on static, annual assessments meant local authorities were constantly operating with outdated data, and gaping blind spots remained. It became clear that no single authority could secure its supply chain alone.

The Collaborative Pivot: A ‘Defend-as-One’ Strategy

Recognising that their collective vulnerability was also their greatest strength, local authorities began to pivot toward a collaborative defence model—based on the concept of "Defend-as-One". This collective strategy was built upon a collaborative platform, Risk Ledger, which provides a standardised, shared view of supplier security. Instead of completing hundreds of separate questionnaires, a supplier only needs to maintain one comprehensive security profile that can be instantly shared with all their connected local authority clients. This standardisation and single source of truth cuts down on supplier workload, encourages engagement, and facilitates continuous monitoring.

Crucially, a group of 20 local authorities and 3 Warning, Advice and Reporting Points (WARPs) established a trusted peer community on Risk Ledger. Within these communities, members can securely share supplier risk intelligence and—most significantly—overlay their respective supply chain network maps to map out their broader supply chain ecosystem and identify critical dependencies that were previously hidden.

The Unveiling: Collective Intelligence in Action

The tangible benefits of this collaboration were rapidly demonstrated. Within just two weeks, the platform connected the initial group of participants to 60% of their suppliers who were already active on the network, providing immediate access to their pre-vetted security profiles and slashing the time and resources needed for initial due diligence.

The long-term impact on supply chain visibility was even more profound. By mapping their extended supplier ecosystem, the growing cohort of collaborating local authorities were able to uncover what was previously invisible to them:

  • Identification of 1,048 additional dependencies across 4th, 5th, and even 8th-party suppliers.
  • Discovery of 84 potential concentration risks.
  • Pinpointing one single critical supplier connected to all participating local authorities, representing a potential single point of failure for the entire community.

This collective intelligence allows the participating local authorities to move beyond simple compliance to proactive cyber defence, enabling them to collaboratively target mitigation efforts on the most systemically relevant suppliers. 

By championing this new collaborative paradigm, UK local authorities have established an effective and scalable model for bolstering public sector cyber security, proving that necessity is indeed the mother of invention.

Upcoming Risk Ledger Special Report

Stay tuned for our Special Report on this unique flagship project and discover “How UK Councils Have Come Together to Secure Public Sector Supply Chains” in depth.

In the report, you’ll learn:

🔍 The Scale of the Crisis

Why fragmented TPRM failed, and how metropolitan councils reported over 12,700 data breaches in just three years—a staggering 388% increase.

🔍 Collective Intelligence in Action

How, within six months, collaborating councils uncovered 1,048 additional dependencies across 4th, 5th, and even 8th-party suppliers, and identified 84 potential concentration risks.


🔍 Critical Points of Failure

The discovery of one singular supplier connected to all participating councils, representing a critical single point of failure for the entire community.

🔍 Fundamental Security Gaps

Data revealing that a striking 1 in 4 suppliers serving councils do not possess Cyber Essentials certification, and 41% of suppliers fail to regularly test or rehearse their Business Continuity and Disaster Recovery plans.
