In the wake of a significant cyber-attack on a critical NHS supplier, the security of our digital supply chain has never been more scrutinized. We sat down with Rupert Marais, our in-house security specialist, to dissect the complex interplay between data collection, third-party risk, and operational resilience. We explored the concrete measures his team takes to secure user data gathered through cookies, the rigorous process for vetting external partners, and the delicate balance between necessary website functionality and user privacy. Finally, we looked ahead at the evolving landscape where cyber threats and privacy demands are on a collision course.
The content mentions an NHS supplier suffered a cyber-attack but claimed operations were unaffected. Given the detailed user data your company collects through performance and targeting cookies, what specific steps do you take to secure that information and ensure your own operations could truly continue after a breach?
That claim of being “unaffected” always raises an eyebrow, because the ripple effects of a breach are immense. For us, security is not an afterthought; it’s built into the architecture from day one. When we collect performance data—like counting visits or seeing how users navigate the site—that information is immediately aggregated and anonymized where possible. For targeting data, which helps build interest profiles, we employ strict data segregation. This means the data used by our advertising partners is kept in a completely separate environment from our core operational systems. We have a robust, tested incident response plan designed to isolate any compromised segment of our network, ensuring that even if a part of our analytics or advertising infrastructure were hit, the essential functions of the site would remain online and secure.
The cyber-attack highlighted a vulnerability with a third-party supplier. Your cookie policy also refers to “third party providers” and “advertising partners.” Could you walk us through the process you use to vet the security and data-handling practices of these external partners before integrating their services?
The NHS supplier incident is a perfect, if unfortunate, example of why third-party risk management is paramount. Our vetting process is incredibly thorough and begins long before any code is integrated. We conduct comprehensive security audits of any potential partner, reviewing their compliance certifications, penetration testing results, and data governance policies. We don’t just take their word for it; we look for proof. Furthermore, our contracts include stringent data processing agreements that legally bind them to our security standards. It’s a partnership, and we treat it as such, with ongoing monitoring and regular check-ins to ensure their practices haven’t slipped. We have to trust, but we absolutely verify, because their vulnerability can quickly become our crisis.
Your policy explains that “strictly necessary cookies” cannot be switched off for the website to function. From a technical standpoint, how do you balance this requirement for essential data collection with rising user concerns about privacy, and what specific examples of functionality would break without them?
This is a constant balancing act, and we approach it with a principle of data minimization. The “strictly necessary” category is reserved for functions that are mechanically essential for the site to work. For instance, when you set your cookie preferences in our consent manager, a cookie has to be placed to remember that choice; otherwise, we’d have to ask you on every single page. Another key example is the login process or filling out a multi-page form. Without these cookies, the site would have no memory from one page to the next, and you’d be logged out instantly or have your form reset every time you clicked “next.” We ensure these cookies collect zero personal information beyond what is required for that specific technical function, creating a clear line between operational necessity and optional tracking.
What is your forecast for the evolving relationship between user privacy, third-party data sharing, and the increasing sophistication of cyber-attacks?
I foresee a significant tightening of the digital ecosystem. The era of casually integrating dozens of third-party scripts and sharing data freely is coming to a close, driven by both regulatory pressure and consumer demand. We’re moving toward a “zero-trust” model, not just for our internal networks, but for our external partners as well. This means every connection and data transfer will be scrutinized. As attackers become more sophisticated, leveraging supply chain vulnerabilities just like the one seen with the NHS supplier, companies will be forced to shorten their digital supply chains and demand far greater transparency from the partners they retain. Users will have more granular control, and the “black box” of third-party data sharing will have to become a clear, auditable process if companies want to maintain trust.
