
Building a cyber resilient service: guidance for directors of procurement

This document aims to support you to develop proactive, protective strategies and capabilities to enhance the cyber resilience of your council services. Some recommendations are technical, some organisational and some are about your people.

Introduction

This page details supplementary guidance specific to council planning services. Full guidance and steps can be found in our guidance document.


Step 5: Be clear on why your service may be targeted

Consider the three categories of harm caused by a cyber attack: being robbed (theft of money, data, or intellectual property), being weakened (espionage, political interference, or prepositioning) and being hurt (ransomware and destructive or catastrophic attacks). 

  • Which of these motivations is most relevant to the procurement team? 
  • What do you have that makes your service vulnerable? 
  • Is data theft at the top of your list? 
  • Would there be data of value? 
  • Are you aware of all the digital data that the council controls and safeguards, and is this data of interest to malicious actors, making them a target?[1] 

Procurement services, and teams within your directorate, are supported by a huge amount of data. This amount and type of data makes your service vulnerable to cyber attacks and means the impacts to staff, residents and council services can be very damaging. Attackers may be looking to steal sensitive data for resale or to perpetrate further criminal acts, and you will be particularly vulnerable to extortion from criminals who recognise the criticality of this data and the need to keep services running.

Figure 1: Commonly held Procurement services data

  • Vendor Information – Details about the suppliers and vendors participating in the procurement process, such as company name, address, contact information, and registration details.
  • Tender Documents – Information related to the tendering process, including tender documents, specifications, and requirements that suppliers must adhere to when submitting proposals.
  • Contractual Information – Details about awarded contracts, including contract terms, conditions, and the scope of work. This may also include contract start and end dates, as well as any renewal or termination clauses.
  • Financial Information – Information about the financial aspects of the procurement, such as budgetary constraints, cost estimates, and payment terms.
  • Evaluation Criteria – Criteria used to evaluate supplier proposals, including scoring mechanisms and factors considered during the selection process.
  • Bidder Qualifications – Information on the qualifications and capabilities of bidders, including their experience, expertise, and relevant certifications.
  • Compliance - Information related to compliance with procurement regulations and guidelines. This may include ensuring fair competition, transparency, and adherence to legal requirements.
  • Risk Management – Assessment of potential risks associated with the procurement, including financial, operational, and legal risks, along with strategies to mitigate these risks.
  • Performance Metrics – Criteria and metrics used to measure the performance of suppliers and the effectiveness of the procurement process. This may include key performance indicators (KPIs) and service level agreements (SLAs).
  • Audit Trail – A date and time-stamped record of the history and details around the procurement process. Documentation of the entire procurement process, providing an audit trail for transparency, accountability, and compliance purposes.


Step 6: Be clear on the impact of a cyber attack

The last decade has seen an increasing number of large organisations investing heavily in information security. This needs to be the case for councils also.

No system can be entirely secure, but heavy investments in cyber security do make it far more difficult for malicious actors to compromise well-resourced organisations. Hackers are increasingly incentivised to target smaller subcontractors to bypass robust and well-funded cyber security programs. 

Compromising the email of a small supplier, for example, and using that as an unwitting route to target other organisations is far easier to accomplish than directly compromising a larger target organisation itself.

Figure 2: Example of service level impact on procurement

A cyber attack targeting the supply chain of local councils in England and Wales would leave vendors facing challenges, for example in accessing and submitting bids, leading to frustration and strained relationships. The inability to conduct business smoothly may result in vendors reconsidering their participation in future council procurement opportunities.

Things to consider:

  1. Which critical services operated by your team rely on internet access?
  2. Which of these critical services is prioritised to get back online first?
  3. How have communication channels between your team and vendors been affected by the cyber attack? 
  4. To what degree have vendors experienced challenges in accessing and participating in the procurement processes? 
  5. How effectively can vendors provide feedback on the impact of the cyber attack and their concerns? 
  6. How quickly are you able to address vendor concerns and provide support in the aftermath of the cyber attack? 
  7. Create offline records and plans for use during an attack and ensure all teams have access to them.


Figure 3: Example of financial impact on procurement services

Due to delays in awarding contracts and fulfilling procurement obligations, your service may face contractual penalties from vendors. These penalties could be in the form of late fees, liquidated damages, or other contractual consequences specified in agreements.

Things to consider:

  1. How will a cyber attack affect your ability to meet contractual obligations with vendors, including deadlines for bid evaluations, contract awards, and project timelines? 
  2. How effectively will your team communicate with vendors regarding the cyber attack and the potential delays in procurement processes? 
  3. Have the contractual terms with vendors outlined procedures for addressing delays or disruptions caused by unforeseen events, including cyber attacks? 
  4. What mitigation strategies are in place to address contractual penalties? 
  5. Does your team have an offline record of contracts to be fulfilled?


Figure 4: Example of data impact on procurement services

In this example the attacker creates fraudulent transactions using the stolen supplier information, from within the procurement system. They may alter purchase orders, change payment details, or initiate unauthorised purchases.

Things to consider:

  1. What is the extent of the financial loss and potential liabilities?
  2. How have supplier relationships been affected, and what steps are being taken to restore trust?
  3. What measures are in place to prevent future fraudulent activities within the procurement system?
  4. How is your service addressing the reputational impact, and what communication strategies are being employed?


Step 7: Be clear on ways to mitigate cyber risks

Table 1: Storing data

Databases

Context: As your service becomes more digital, systems will need to move online. To limit vulnerabilities, staff need support to run their devices on the latest available software and to install regular security updates.

Areas to consider:
  • How regularly is software updated?
  • Who is responsible for update rollout?
  • How would your service operate without access to databases?
  • How do you seek assurance that software is up to date?

Cyber security measures

Context: Implement cyber security measures on council hardware, such as firewalls, antivirus software, and intrusion detection systems, to protect against cyber attacks.

Areas to consider:
  • Does all hardware support updated systems?
  • How often does staff training take place?

Devices and networks

Context: Storing and accessing data on personal devices or through a public, unsecured network could create vulnerabilities. Any data stored in an unsecured way can create vulnerabilities, including data downloaded onto a desktop.

Areas to consider:
  • Do staff use personal devices to access sensitive data?
  • Are all staff in your service aware of the potential vulnerabilities exposed by the use of public networks?
  • How often do staff delete data from their desktop?

Backups

Context: Your service should have suitable, secured backups of essential data that would allow for a quick and prompt recovery of essential services. This may include encrypted backups held in a secure off-site environment, removable media in physically secure storage, segregated backups, or appropriate alternative forms.

Areas to consider:
  • How often do backups take place?
  • Where are backups stored?
  • Are your team aware of how to access backups in case of an attack?
  • Who has access to backup data?
  • Which member of your team is responsible for this?

Table 2: Managing data

Handling sensitive data

Context: You may be less likely than other directorates to be handling sensitive data on a day-to-day basis; however, that doesn’t mean that it won’t happen! Your team must take extra precautions to protect sensitive information.

Areas to consider:
  • Are you aware of all the sensitive data your service holds?
  • How are physical notes and records stored or destroyed?
  • What systems are used to store electronic records and information?

Access controls

Context: To ensure any sensitive data is protected, you should implement access controls and restrict access to sensitive information to authorised personnel only. Training staff members on secure data handling is essential; ensure they are aware of their responsibilities in protecting data.

Areas to consider:
  • Is sensitive information stored and protected in your service?
  • Who has access to data storage systems?
  • How often do you review access?
  • How often does training take place?
  • Is multi-factor authentication in use across programmes?

Regular audits

Context: Your service should be conducting regular audits of data management practices to ensure that they comply with relevant regulations and industry standards, e.g. that records are retained in compliance with GDPR timeframes. Keep track of any changes in data protection laws and update practices accordingly.

Areas to consider:
  • How often do you audit your data management practices?
  • Who is responsible for organising this audit?
  • How do you seek assurance that effective audits have taken place?

Data protection laws

Context: In the UK, we still have the General Data Protection Regulation (GDPR) and the Data Protection Act (2018). It is your obligation to ensure that your team complies with these laws so that data is collected, processed, and stored lawfully, fairly, and securely.

Areas to consider:
  • Are your team aware of the UK GDPR regulations and how they affect your work?
  • How often does full staff training take place, and not just awareness?

Record keeping

Context: The context of record keeping in this sector involves the creation, maintenance, and preservation of financial records to support effective financial management, decision-making, and regulatory requirements.

Areas to consider:
  • How often do your team update records?
  • How are records stored and updated?

Risk management

Context: Risk management processes, such as conducting regular risk assessments, implementing appropriate security measures, and developing contingency plans for data breaches, are essential to identify and mitigate potential risks to the security and privacy of data. These risks should be added to the departmental risk register and raised to your SMT.

Areas to consider:
  • How often do risk assessments take place in your service?
  • What contingency plans are in place for data breaches?
  • Are staff aware of data breach processes?

Table 3: Sharing data

Collaboration

Context: Different government agencies and departments at various levels (local, regional, national) may be involved in procurement services. Collaborative efforts may involve the establishment of data standards and protocols to ensure consistency among different datasets. Standardised data formats enable smoother collaboration and data integration.

Areas to consider:
  • Who is responsible for data management and sharing in your service?
  • How often does training take place?
  • What procedures are in place to ensure effective and secure data sharing between teams and partners?
  • Do you feel confident that members of your team are safely sharing information?

Offline records

Context: When assessing the risks to your service, you should also think about any partner organisations you work with, suppliers and any systems you have external links with. Managing offline records in procurement is as crucial as managing digital records. Even in this era of digital technology, many councils maintain physical or offline records for various reasons, including legal requirements, historical documentation, and as a backup strategy.

Areas to consider:
  • Do you have processes in place for sharing offline information with partners?
  • What security measures are in place for sharing sensitive information?

Table 4: Awareness and training

Positive culture

Context: A positive cyber security culture instils the importance of cyber security and the role every individual has in helping to protect the council. It will ensure that staff view cyber security as a business enabler rather than a hindrance, and that it is understood by all councillors and staff. A positive culture contributes to the overall effectiveness, efficiency, and ethical conduct of your service.

Areas to consider:
  • Does your team speak openly and regularly about cyber security and risk?
  • Is it discussed at board level?
  • How often does your service review the cyber security strategy?
  • How confident do your team feel with the strategy?

Awareness

Context: Experience shows that cyber risk to councils does not only come from external sources; employees can often present some of the most significant risks to cyber security. By clicking on links in phishing emails, storing sensitive data on personal devices, using unsecured networks or weak passwords, or not installing security updates, employees can put your information under serious threat.

Areas to consider:
  • Do you understand the awareness levels of cyber security within your team?
  • How can you ensure cyber risk is pitched correctly for the various roles in your service?

Training

Context: Cyber security training should be refreshed regularly. As a director you’ll be aware of the high demands on the staff within your service; however, this training must be prioritised to reduce the risk of a cyber attack.

Areas to consider:
  • How often does cyber security training take place in your service?
  • Is training appropriate for all staff at different technical levels?

Reporting

Context: In order to create a positive cyber security culture in your service, all staff must be aware of the process for reporting a potential breach and feel confident to do so at all levels.

Areas to consider:
  • Do all team members understand the process for reporting a data breach?
  • Is there a service-wide communication strategy in place to report data breaches?
  • What impact would a data breach have on your team?

Workforce

Context: Your service may make heavy use of agency staff.

Areas to consider:
  • How can you integrate cyber secure practices into this temporary and externally managed workforce?

Table 5: Supply chain management

Co-ownership

Context: Co-ownership typically refers to the shared rights and responsibilities among multiple stakeholders involved in the procurement process. These stakeholders can include local government authorities, developers, community groups, local citizens, and other relevant entities.

Areas to consider:
  • Do members of your team work closely with other teams during the procurement process?
  • What barriers are in place during this process?
  • What needs to change in order to streamline this process?

Contract management

Context: Your service should consider including specific cyber security requirements and clauses in its contracts with external providers to ensure that security measures are in place throughout the duration of the contract.

Areas to consider:
  • Does your service include cyber security requirements within contracts?
  • How is this measured?

Monitoring and reporting

Context: Regular monitoring and assessment of external providers' security practices should be conducted to ensure that they are maintaining a strong security posture.

Areas to consider:
  • How would you work with partner organisations if your IT systems were unavailable?
  • How would you work with partner organisations if they were experiencing a cyber attack themselves?

Table 6: Legislative implications (not exhaustive)

Procurement Act (2023)

Cyber security implications: The current government has made it clear that the Act will come into effect starting October 2024, allowing a six-month notice period leading up to the official implementation date. Despite the Act's progressive stance on flexibility, there appears to be an omission in addressing cyber security considerations explicitly. Given the critical importance of cyber security in safeguarding sensitive information and ensuring the integrity of government systems, stakeholders, including cyber security experts, vendors, legal advisors, and you as a Head of Procurement, may need to proactively address this gap.

Social Value Act 2012

Cyber security implications: While the act itself may not directly relate to cyber security, the incorporation of social, economic, and environmental factors in procurement decisions may involve the assessment of the cyber security practices of suppliers. Cyber security considerations may become part of the broader evaluation criteria.

The Public Services (Social Value) Act 2012

Cyber security implications: Similar to the Social Value Act 2012, the consideration of social value may involve assessing the cyber security practices of suppliers. Entities may be expected to demonstrate a commitment to cyber security as part of their overall social responsibility.

Local Government (Contracts) Act 1997

Cyber security implications: This act empowers local authorities to enter into contracts. While not explicitly focused on cyber security, it implies the importance of secure contract management systems and secure electronic communication channels.

Local Government Act 1999 (Best Value Authorities) (Power to Compel Compliance with Best Value Requirements) (England) Order 2000

Cyber security implications: Best value considerations may extend to the resilience of services against cyber threats. Local authorities may need to ensure that suppliers meet certain cyber security standards to provide reliable and secure services.

UK Public Procurement Regulations 2021

Cyber security implications: Compliance with the regulations may involve secure electronic communication, protection of sensitive procurement data, and ensuring the cyber security posture of suppliers, especially when dealing with public contracts and sensitive information.

Transparency in Supply Chains Clause

Cyber security implications: Organisations covered by this clause are required to disclose steps taken to prevent modern slavery, and this may include ensuring that suppliers have robust cyber security measures to protect against potential cyber threats related to modern slavery risks.

Utilities Contracts Regulations 2016

Cyber security implications: Utilities may handle critical infrastructure and sensitive data. Compliance with these regulations involves secure electronic procurement processes, protection of sensitive information, and ensuring the resilience of utilities against cyber threats.