Merthyr Tydfil sets minimum cybersecurity standards for suppliers

Written by James | Aug 9, 2021 6:27:57 AM

Merthyr Tydfil County Borough Council has become the first in Wales to make cyber resilience a must-have for all businesses it tenders with.

The unitary authority is partnering with the Cyber Resilience Centre for Wales (WCRC), and asking organisations that tender for goods, services or works to, or for, the council to ensure they have a minimum level of protection from common cyber-attacks.

"Determining whether our supply chain meets our cyber security requirements is essential to us as an organisation; a vulnerable supply chain can cause damage and disruption to our organisation," said Ellis Cooper, Chief Executive, Merthyr Tydfil County Borough Council. "Working in partnership with WCRC, we can ensure our suppliers are prepared and have the information they need to maintain their cyber resilience."

The WCRC is a partnership between the police, private sector and academia set up to help Welsh businesses protect themselves against cybercrime. It provides micro, small and medium-sized organisations with free and affordable cyber resilience guidance designed to help them protect themselves from attack. Those who sign up to its free Core Membership receive practical guidance on the cyber security basics.

"We have been promoting cyber resilience for a long time with the businesses we use as part of our procurement process but there is a definite feeling of reluctance to take this on board, which I think comes from the mindset that a cyber-attack just won’t happen to them. Yet, this is quite the opposite and by ensuring we practice this level of cyber security, we are protecting our own supply chain," said Ryan James, Corporate Information Security Officer for Merthyr Tydfil County Borough Council.

"We’re seeing more and more businesses becoming victims of cybercrime and we felt that the Council needed to take action. We have now made it mandatory that any supplier who tenders for us going forward must have one of these two crucial cyber resilience steps as a minimum before they are even considered for a contract," he continued.