With cybercrime costing UK businesses an average of £4,200, and rising to £19,400 for medium and large businesses, WCRC Director Paul Peters caught up with Merthyr Tydfil County Borough Council’s Corporate Information Security Officer (CISO) Ryan James to learn more about the cyber security approach that Merthyr Tydfil CBC is taking to cyber and supply chain security, through the procurement process.

PP: Can you tell us a bit about your role at Merthyr Tydfil CBC?

RJ: I am the CISO for Merthyr Tydfil County Borough Council, responsible for providing a clear vision and direction for information and cyber security operations – overseeing a range of technical and process security controls and leading a programme of change and continuous improvement in response to ever changing security threats and risks.

PP: How important is Cyber Security to Merthyr Tydfil CBC?

RJ: It is extremely important and is recognised as a critical function within the organisation. We have a culture of ‘leading from the top’ with the board having joint responsibility for cyber security. Cyber security is considered in every business decision, in new approaches and methods in the wide and diverse range of council services to ensure new policies, processes, procedures and services meet cyber security standards.

The organisation continuously works towards a progressive information and cyber security function, which is future-focused in support of business objectives. We understand that local authorities face a growing threat of cyber-attack, and this is why cyber security is important to us.

PP: What are the consequences of not making cyber security a priority?

RJ: Local authorities process a lot of personal information about citizens and face an ever-increasing threat. The consequences of not making cyber a priority can result in loss of key IT systems and network services, used to help deliver critical services to our citizens. The impact is huge, the entire organisation is at risk of exposing all the data it processes, as well as that of its citizens.

The reputational damage, as well as financial damage following an attack can be devastating to an organisation. Organisations and individuals have an increased threat and exposure to attacks, which can lead to loss of privacy, safety, identity theft etc. of our citizens, staff and councilors.

PP: How important is supply chain cyber security?

RJ: It is very important as it can be a breach for our organisation via a vulnerability in our own supply chain where a supplier has a poor security posture. Because suppliers have a vast user network, a single compromised supplier can result in multiple businesses suffering a data breach. This makes supply chain attacks so attractive as instead of attacking each target individually, multiple targets can be attacked from just one single supplier.

PP: How does Merthyr Tydfil CBC address this?

RJ: As an organisation, we have implemented the National Cyber Security Centre’s (NCSC) ‘Principles of Supply Chain Security’. These have been designed to help us establish effective control and oversight of our supply chain where we understand what the risks are, what needs to be protected and why.

We communicate our view of security needs to our suppliers and communicate the minimum-security requirements we expect them to comply with. We have built assurance activities into our supply chain management where our requirements are, where justified, assurance activities such as Cyber Essentials Plus, penetration tests, external audit and/or other formal security certifications.

We encourage continuous improvement and maintenance of security, and act on any concerns that may suggest that current approaches are not working as effectively as planned.

PP: Why does Merthyr Tydfil CBC encourage businesses in the area to become members of the WCRC?

RJ: Becoming a member of the WCRC will enable businesses in our area the opportunity to improve their security arrangements, which will help them to compete for and win future contracts with Merthyr Tydfil CBC. This also helps to grow the supply chain and the choice of potential suppliers for our organisation and those which are similar and have the same security expectations.

We want to gain their buy-in to our approach to supply chain security and look at it as a shared issue. We understand that for SMEs and micro-businesses they may be under resourced when it comes to improving cyber security or they are unsure what they should be doing – so it’s great that the WCRC offers tips and guidance to support them, not only when they sign-up but continuously through their cyber security journey.

If you would like to become a member of the WCRC, it’s free to join through our core membership option. Membership provides government-approved guidance, along with practical resources, regular cyber updates, tips and access to a local network here to help you protect your business and people. Alternatively, please contact the team to discuss your cyber requirements.