Justin Kuruvilla, Chief Cyber Security Strategist at Risk Ledger, explores how councils are collaborating to map hidden supply-chain cyber risks and strengthen resilience.
When cyber-attacks affecting public services make headlines, the focus is usually on the organisation directly impacted: a council’s systems go down and services are disrupted. In many cases, the breach does not begin inside the organisation, but several layers down its digital supply chain.
As threat actors increasingly target public sector organisations, UK local authorities are experiencing heightened exposure. This reflects both the sensitive personal data they process and the critical services they deliver.
As the UK Government’s new Cyber Action Plan rolls out, with its focus on improving visibility of cyber risks, faster incident response, central action on complex threats and higher resilience for critical services, councils are demonstrating proactive leadership. By coming together to map shared dependencies and collaborating across organisational boundaries, local authorities are building a practical blueprint for improving national cyber resilience.
Why councils sit on the frontline
Local authorities hold vast amounts of sensitive citizen data: housing records, social care systems, electoral rolls and more. At the same time, they rely heavily on external technology providers to deliver these services. This combination increases both their exposure to cyber threats and the potential impact of disruption.
Yet the challenge is not confined to their own internal defences. For councils, resilience increasingly depends on the security practices of every supplier they engage with and, critically, on the subcontractors and upstream providers those suppliers rely on themselves. A vulnerability several tiers down the supply chain can be exploited to disrupt multiple services at once.
The limits of traditional supplier assurance
Despite this reality, public sector cyber risk is still often treated as a narrow bilateral contract issue. Assess the direct supplier, confirm compliance against contractual requirements, and move on. While this approach may satisfy procurement requirements, it can leave organisations without visibility into systemic risk across their wider ecosystem.
Threat actors exploit concentration risks to maximise impact. They look for shared technologies, common service providers and widely used platforms that sit quietly beneath multiple organisations. These are efficient attack vectors, allowing a single compromise to cascade across councils, NHS bodies or other public services.
The scale of the issue is already clear. Freedom of Information responses revealed that UK metropolitan local authorities reported over 12,700 data breaches in the preceding three years, a 388% increase compared to previous periods, with compensation payouts exceeding £268,000. Recent industry research conducted by Risk Ledger found that 86% of UK local authorities experienced at least one cyber incident in their supply chain in the past year, while 48% experienced two or more incidents.
What changes when councils collaborate
Recognising that isolated action is insufficient, councils are increasingly collaborating and securely sharing their supply chain maps so that shared dependencies are understood collectively rather than in isolation. By combining their data, a coalition of councils identified 84 potential concentration risks. This gave visibility not only of the risks each council faced individually, but also of systemic risks affecting multiple councils that no single council could have identified on its own. Collaborative mapping turns isolated risk assessments into a system-wide view: it allows councils to see which suppliers underpin multiple services, where resilience really matters and where contingency planning is essential. It also enables more informed conversations with suppliers about security expectations and incident readiness.
Most importantly, it shifts cyber security from a compliance exercise to an industry-wide operational resilience strategy.
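The pooled mapping described above, as an added illustration (not code from Risk Ledger or any council): three constructed council supply-chain maps with hypothetical supplier names are merged, and any supplier, at any tier, that underpins two or more councils is flagged as a concentration risk. Run on a single council's map alone, the same function finds nothing, which is the point of pooling.

```python
from collections import defaultdict, deque

# Constructed sample data (hypothetical names): each council's supply-chain map,
# as {organisation: [organisations it depends on]}, covering direct suppliers
# and the subcontractors those suppliers disclosed.
COUNCIL_MAPS = {
    "Council A": {
        "Council A": ["HousingSaaS", "PayrollCo"],
        "HousingSaaS": ["CloudHost"],
        "PayrollCo": ["IdentityProvider"],
    },
    "Council B": {
        "Council B": ["SocialCareApp", "PayrollCo"],
        "SocialCareApp": ["CloudHost"],
        "PayrollCo": ["IdentityProvider"],
    },
    "Council C": {
        "Council C": ["ElectoralRollSys"],
        "ElectoralRollSys": ["CloudHost"],
    },
}

def merge_maps(council_maps):
    """Union every council's map into one shared dependency graph."""
    graph = defaultdict(set)
    for deps in council_maps.values():
        for org, suppliers in deps.items():
            graph[org].update(suppliers)
    return graph

def downstream_dependents(graph, roots):
    """For each supplier, which councils depend on it (directly or through
    any number of tiers) and the shallowest tier at which they do."""
    dependents = defaultdict(dict)  # supplier -> {council: tier}
    for root in roots:
        queue, seen = deque([(root, 0)]), {root}  # 'seen' also guards against cycles
        while queue:
            org, tier = queue.popleft()
            for supplier in graph.get(org, ()):
                if supplier not in seen:
                    seen.add(supplier)
                    dependents[supplier][root] = tier + 1  # BFS: first visit is shallowest
                    queue.append((supplier, tier + 1))
    return dependents

def concentration_risks(council_maps, min_councils=2):
    """Suppliers at any tier that underpin at least min_councils councils."""
    deps = downstream_dependents(merge_maps(council_maps), council_maps.keys())
    return {s: d for s, d in deps.items() if len(d) >= min_councils}

if __name__ == "__main__":
    for supplier, councils in sorted(concentration_risks(COUNCIL_MAPS).items()):
        print(f"{supplier}: {len(councils)} councils, tiers {sorted(councils.values())}")
```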
Why this model should be scaled nationally
The collaborative approach emerging among councils offers a practical blueprint for cyber resilience. By endorsing and scaling supply chain collaboration nationally, governments could begin to map concentration risks across the public sector, prioritise protection around critical suppliers supporting the delivery of essential functions, and respond faster when incidents occur.
This does not necessarily require creating new bureaucratic structures. It requires setting standards for data sharing, supporting trusted platforms for supply chain mapping and information sharing, and encouraging collective risk management as a norm rather than an exception.
Rewriting the cyber resilience playbook
UK councils are demonstrating that mapping systemic cyber risk across organisations is achievable and that collaboration can improve resilience across public services. This is a strong foundation that could be extended across the wider public sector. Greater collaboration and shared visibility would enable governments to identify and manage systemic supply-chain risks across services, rather than addressing them in isolation.
