The growing importance of third-party risk management in public sector cyber security
by Harriet Belderbos · Open Access Government

Fuse CS Limited highlights the increasing significance of third-party risk management in public sector cyber security
In today’s public sector landscape, organisations no longer operate in isolation. Local authorities, NHS trusts, education providers, and central government bodies depend on a complex ecosystem of suppliers to deliver essential services. From cloud platforms and case management systems to managed service providers and specialist healthcare applications, third parties are embedded in almost every aspect of service delivery.
While these relationships enable efficiency, innovation, and digital transformation, they also introduce significant cyber security risks.
Third-party risk management (TPRM) has, therefore, evolved from a procurement exercise into a critical component of cyber resilience. Increasingly, attackers are bypassing well-defended organisations by exploiting vulnerabilities within their supply chain.
For the public sector, the implication is clear: an organisation’s cyber security is only as strong as the weakest supplier with access to its systems or data.
At Fuse CS, we are seeing growing recognition that effective cyber security must extend beyond internal environments to include structured governance, visibility, and continuous oversight of third-party relationships.
Why third-party risk is increasing
Public sector organisations rely heavily on external providers to support both operational delivery and digital transformation programmes. These suppliers often have privileged access to sensitive systems and data, including personal, financial and healthcare information. This dependency significantly expands the attack surface.
Threat actors are actively targeting suppliers because they offer an efficient pathway into multiple organisations. By compromising a shared provider, attackers can gain indirect access to numerous public sector bodies simultaneously.
Recent NHS incidents demonstrate the scale of this risk. In June 2024, a ransomware attack on Synnovis, a pathology services provider to multiple NHS trusts in London, disrupted blood testing, forcing hospitals to cancel operations and delay patient care. Clinical teams were required to revert to manual processes, significantly impacting service delivery.
Similarly, the 2022 ransomware attack on Advanced, a supplier of NHS 111 systems, caused nationwide disruption to urgent care services. Organisations were forced to fall back on manual triage processes, reducing efficiency and placing additional pressure on already stretched frontline teams.
These incidents clearly show that third-party compromise is no longer theoretical; it is a proven and growing threat across the public sector.
Through our work with public sector organisations, Fuse CS frequently sees similar risks: limited visibility of supplier access, inconsistent assurance processes and reliance on point-in-time assessments that do not reflect evolving threats.
The impact of third-party cyber incidents
A cyber incident involving a third party can have far-reaching consequences, particularly in the public sector where services are critical and highly visible.
Common impacts include:
- Data breaches involving sensitive citizen or patient data.
- Disruption to essential services.
- Delays in healthcare or social care delivery.
- Increased pressure on frontline staff.
- Regulatory scrutiny and reporting obligations.
- Reputational damage and loss of public trust.
However, recent NHS incidents show that the true impact extends beyond traditional risk models.
The Synnovis attack disrupted a core clinical dependency, pathology services, affecting multiple hospitals simultaneously and delaying diagnosis and treatment. In the case of NHS 111, the Advanced incident impacted a national service relied upon by millions, reducing the speed and effectiveness of urgent care access.
These examples highlight a fundamental point: in the public sector, third-party cyber incidents are not just IT issues; they are service delivery failures.
At Fuse CS, we work with organisations to assess these wider impacts, helping leadership teams understand how supplier risk translates into operational disruption, regulatory exposure and risks to citizen outcomes.
Increasing governance and regulatory expectations
Regulatory expectations around third-party cyber risk are continuing to grow across the public sector. Frameworks and guidance such as the UK’s National Cyber Security Centre (NCSC) principles, Cyber Essentials Plus, ISO 27001, General Data Protection Regulation (GDPR), NIS regulations, and the NHS Data Security and Protection Toolkit all emphasise the need for robust supplier assurance and ongoing risk management.
Importantly, these frameworks are moving away from point-in-time assessments. Annual questionnaires are no longer sufficient. Organisations are expected to demonstrate continuous visibility and control over supplier risk.
Fuse CS supports public sector organisations in aligning their approach to these requirements, ensuring that governance is both compliant and practical, without unnecessary complexity.
Key challenges
Despite increasing awareness, many organisations still struggle to implement effective TPRM. Common challenges include:
- Limited visibility of suppliers and their access levels.
- Inconsistent or questionnaire-led assurance processes.
- Resource constraints within IT and cyber teams.
- Complex supply chains, including fourth-party dependencies.
- Rapid digital adoption outpacing governance.
These challenges often create oversight gaps, leaving organisations exposed to unmanaged risks. Fuse CS helps address these issues by providing structured frameworks, independent assessment and ongoing support, enabling organisations to build maturity without overburdening internal teams.
What effective third-party risk management looks like
An effective approach to TPRM is structured, risk-based and continuous. Key elements include:
- Supplier identification and classification: maintaining a clear inventory of suppliers and prioritising them based on risk and access.
- Robust due diligence: conducting evidence-based assessments covering access controls, data protection, incident response and vulnerability management.
- Contractual security requirements: embedding clear cyber security expectations, including breach notification, minimum standards and audit rights.
- Continuous monitoring: maintaining ongoing visibility of supplier risk and responding to changes in security posture.
- Incident response integration: ensuring supplier-related incidents are included within broader incident response and business continuity planning.
Fuse CS supports organisations across each of these areas, combining governance, technical expertise and managed services to deliver a pragmatic, risk-led approach.
Third-party risk: Looking ahead
Third-party risk will remain one of the most significant cyber security challenges facing the public sector.
As organisations continue to adopt cloud-first strategies and interconnected digital ecosystems, reliance on suppliers will only increase. At the same time, regulatory expectations and public scrutiny will intensify.
Recent NHS supply chain incidents have demonstrated how a single supplier can disrupt services at scale, affecting patient care, operational resilience and public trust.
Organisations that take a proactive, structured approach to TPRM will be better positioned to protect data, maintain service continuity and meet compliance obligations.
At Fuse CS, we believe organisations should be able to embrace digital transformation with confidence. Strengthening visibility, governance and control across the supply chain is essential to achieving that goal.
Cyber security is no longer just about protecting internal systems; it is about securing the entire ecosystem on which public services depend.
Please Note: This is a Commercial Profile
This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International.