Alongside the second reading of the Cyber Security and Resilience Bill, the government has released a Cyber Action Plan.
What’s in the Cyber Action Plan?
As you’ll see, the Plan is geared more towards public services such as the NHS and local councils. The supply chains that provide services to them, firms that may very well be in the private sector, get a mention but are largely overlooked, and where they are considered it is from the perspective of the public sector organisation they serve.
The only steps in the document that relate to supply chains are as follows:
- Make sure that organisations within the supply chain understand their accountability and responsibility for government cybersecurity and resilience
- Supply chain security will be a key focus of learning and development initiatives. The aim is to support commercial and procurement professionals to embed appropriate cyber knowledge and understanding into their operations to assure the cybersecurity and resilience of government suppliers
- A new Software Security Ambassador Scheme is being launched to drive adoption of the Software Security Code of Practice. This is a voluntary project designed to reduce software supply chain attacks and disruption
What the experts have to say
Though experts in the field largely welcome the legislation, they agree that there are some blind spots and that the proposed investment just isn’t adequate for the scale of the problem.
Matt Cooke, director of cybersecurity strategy at Proofpoint, said:
“We are seeing a shift where Advanced Persistent Threat (APT) groups and cyber criminals are increasingly targeting the interconnectedness of government by using vulnerabilities in the vendor ecosystem to bypass traditional perimeters and gain a foothold in sensitive national networks.
“The challenge is that modern government services rely on a complex web of third-party cloud services and collaboration platforms. This distributed supply chain has expanded the human attack surface exponentially. Attackers are leveraging this trust by using sophisticated credential theft and account takeover techniques to move laterally from a supplier directly into the heart of government departments.
“While centralised incident response through the Government Cyber Unit is a positive step, the focus must shift toward proactive supply chain integrity. Protecting digitised public services requires a move away from legacy thinking. We must secure the individuals who manage these systems and ensure that any link in the supply chain, no matter how small, cannot become a single point of failure for our national digital infrastructure.”
James Neilson, SVP International at OPSWAT, said:
“The £210 million funding commitment is limited given the size and complexity of public sector networks. Even after £2.6 billion was allocated in 2021 for cybersecurity and legacy IT modernisation, significant issues remain. If the government is serious about improving cyber resilience, further investment will be required.
“The plan must address supply chain risks. Many recent public sector attacks originate from third-party breaches, so departments must ensure suppliers meet robust incident response standards to avoid ongoing security gaps.”
Trevor Dearing, director of critical infrastructure at Illumio, said:
“Chaos is now driving most attacks, and we’re seeing more organisations forced to shut down operations as a result. While the plans centre on government and digital services, they overlook the private organisations that manage much of our critical infrastructure. If we want real progress, response teams need to cover both public and private sectors.
“Also, investment alone won’t fix the problem. The public sector continues to lag behind the private sector in attracting cyber talent. To build effective teams, it must compete on salaries and benefits and ensure strong coordination and clear accountability across agencies to defend against increasingly sophisticated threats.”