
By Darren Smith, Head of Cybersecurity for Public Sector.

As 2026 gathers momentum, organisations across every sector are reassessing their priorities in the face of evolving risk, regulatory pressure, and accelerating digital transformation. The year ahead is shaping up to be defined by heightened scrutiny, rapid technological change, and increasingly sophisticated cyber threats. Our CTO, Josh Neame, set out his predictions for the year ahead in two blogs (part one and part two). If you have 10 minutes, they are both worth a read.

The first prediction (regulation will drive investment) applies to all sectors, but given the growing cyber threat faced by healthcare organisations, together with increased incidents of ransomware attacks disrupting patient care and supply chains, organisations in this field will be keenly aware that continued efforts – and investments – will be needed.

In April last year, Josh also wrote a blog entitled “Managing Third-Party Risks In The Supply Chain” which highlighted some of the most well-documented examples of where things have gone seriously wrong. One such example was the Synnovis cyber incident affecting an NHS trust in South East London. It was reported in the media last year that the disruption was associated with a fatality, underscoring the fact that cyber incidents in healthcare can have consequences far beyond technical disruption. The incident served as a powerful reminder of the critical importance of managing third-party risk across the supply chain.

The World Economic Forum’s Global Cybersecurity Outlook 2026, published earlier this month, reported that supply chains remain a major systemic vulnerability. Among large companies, 65% cite third-party and supply-chain risks as their greatest cyber-resilience barrier, up from 54% last year. The survey drew on insights from 804 global business leaders in 92 countries, including 105 CEOs, 316 chief information security officers and 123 other C-suite executives, among them chief technology officers and chief risk officers.

The Cybersecurity Charter and Why it Matters

Cyber risk has inexorably shifted from being just a technical issue to one that’s strategic, and the operational and governance challenges it brings shape the resilience of every NHS organisation. In short, effective cybersecurity is now integral to patient safety and operational continuity. As health and social care services continue to integrate, the security of shared systems and data will become increasingly critical.

We’ve seen time and time again the impact of cyber attacks on organisations, and within healthcare even the smallest incident of digital disruption can rapidly cascade through clinical services, forcing manual workarounds and delaying care.

In May last year, NHS England and the Department of Health and Social Care launched a new Cyber Security Charter, sending an open letter to the leadership teams of NHS suppliers asking them to adopt best-practice cybersecurity standards to protect patient data and critical services.

A significant part of the charter is eight core principles that suppliers are encouraged to adopt. These include regular system updates and security patches, achieving and maintaining at least ‘Standards Met’ status in the Data Security and Protection Toolkit (DSPT), implementing multi-factor authentication (MFA) across internal systems and products supplied to the NHS, and board-level cyber training to build a stronger, more resilient supply chain against growing threats like ransomware. Organisations must also maintain immutable backups of critical business data, with tested plans in place to support business continuity and enable rapid system recovery.

Although it’s not mandatory, adherence to these standards is likely to become a benchmark for best practice, exceeding existing statutory and contractual obligations, such as the DSPT, which remains a cornerstone of cyber governance. That said, the DSPT requirements remain applicable regardless of participation in the Cyber Security Charter.

At this point, it’s also worth giving a nod to the recent introduction of the Cyber Security and Resilience Bill in Parliament. This new legislation aims to strengthen the cybersecurity and resilience of the nation’s critical infrastructure and places a strong focus on supplier risk and third-party security. As threat actors increasingly exploit vulnerabilities in third-party vendors, the requirement for improved risk management and reporting mechanisms is at the forefront of cybersecurity teams’ minds.

What the Charter Means for Suppliers

The Charter outlines key policy on moving from reactive security measures to a proactive, system-wide approach that recognises the role every partner plays in protecting patient data and critical infrastructure.

For suppliers, this means making sure products, services, and internal processes meet NHS cyber standards from the start and continue to do so through rollout and ongoing support. It also means being open and accountable: spotting security risks, being transparent about them, and fixing them quickly.

On top of that, there’s a bigger focus on working closely with NHS organisations and regulators so suppliers can stay ahead of new threats and meet shared goals.

This is a significant shift that puts cybersecurity front and centre in procurement, contracts, and delivery, while giving suppliers a much clearer idea of what’s expected of them in an environment that’s facing escalating cyber crime.

How to Get Charter-Ready

Former Prime Minister Tony Blair is remembered by many for his “Education, Education, Education” speech of the late 1990s. The cybersecurity equivalent (and one that I’m rather partial to) is “Visibility, Visibility, Visibility”.

As I’ve said many times, you cannot protect what you don’t know is there. Understanding your organisation’s unique IT landscape, and identifying how adversaries could succeed in your environment, is the first step in any cybersecurity strategy.

Specifically, intelligence-led visibility gives you the insight and context needed to identify and prioritise the most important threats facing your business.

When it comes to getting Charter-ready, here are five key considerations:

  1. Establish a view of your cyber threat surface: compare your security posture against the Charter’s eight principles.
  2. Conduct robust testing to establish key strengths and weaknesses in the attack surface, including third parties.
  3. Patch and protect: maintain DSPT “Standards Met” status and close any outstanding vulnerabilities.
  4. Address and test critical cloud security issues. Cloud security posture management is crucial for any organisation operating in one or more cloud environments.
  5. Improve identity assurance across the organisation with multi-factor authentication and round-the-clock threat detection.

BlueFort’s NHS Cyber Credentials

Improving the cyber resilience of the NHS is a core component of our mission. We are working with more than 50 individual NHS trusts and bodies to consolidate their cybersecurity posture and meet demanding NHS Cyber Assessment Framework (CAF) and Data Security and Protection Toolkit (DSPT) guidelines. The solution providers we partner with are deliberately and acutely aligned with CAF and DSPT. You can read about some of the work we’re doing with the NHS on our website here.

Interested To Know More?

If you’re interested in learning more about how we are working with organisations within the NHS, get in touch, or better yet, come and see us at one of the two NHS-focused cyber events that we’re attending in the next few weeks.

We’ll be at the HETT Leaders Summit with our partner Orpheus Cyber. Working alongside Orpheus, we are able to offer a free third-party risk assessment for up to three suppliers to help companies begin their journey to a comprehensive third-party risk management (TPRM) framework. The resulting TPRM report is actionable (but non-obligatory) and includes detailed risk-assessment scores, analysis, and recommendations for improving the suppliers’ security posture.

Finally, we’re joining forces with Silverfort on 25th February for Cybersecure 2026, where we’ll explore how our partnership has supported multiple NHS trusts in achieving CAF compliance.

Want to see the impact in action? Take a look at one of our case studies here.

As always, we’re looking forward to hearing how we can help.