This week’s round-up centres on legacy risk, supplier assurance, and accountability. Windows 10 is now out of support, attack rates are rising across the UK, and new DSPT audit rules are on the horizon.
Here's your brief recap of what mattered this week, why it matters, and what comes next...
Microsoft officially ended free security updates for Windows 10 on 14 October 2025, marking a major shift for NHS organisations still running legacy systems.
Despite repeated warnings, many trusts remain mid-migration to Windows 11, with ageing hardware and medical device dependencies creating friction.
From this point, only Extended Security Updates (ESU) will be available — at a cost — leaving unpatched endpoints increasingly exposed to exploit kits targeting unsupported OS versions.
NHS England has confirmed that the 11 Mandatory Audit Assertions under the Data Security and Protection Toolkit (DSPT) will now be subject to external audit. Each assertion aligns with a core element of cybersecurity and data governance that trusts and suppliers must evidence.
According to the Hiscox Cyber Readiness Report 2025, 59% of UK SMEs experienced a cyber-attack in the past year, and 80% of victims paid at least part of the ransom demand.
Compromises involving ID/KYC vendors, Oracle E-Business Suite, and managed-file-transfer tools like GoAnywhere underline the need for stronger supplier controls.
Organisations should map critical third parties, confirm DSPT-aligned disclosure clauses, and request Software Bills of Materials (SBOMs) for assurance.
The NCSC’s 2025 Annual Review reported a ~50% rise in “highly significant” incidents affecting the UK between 2024 and 2025.
The agency is calling for executive-level ownership of resilience and signalling tighter oversight of supply-chain risk and incident disclosure.
Infosys will replace the legacy Electronic Staff Record (ESR) under a 15-year contract with NHS Business Services Authority to build a data-driven HR and payroll system for 1.9 million staff.
Attention now shifts to data residency, migration planning, and contractual exit routes to avoid future vendor lock-in.
The Information Commissioner’s Office has issued a £14 million penalty to Capita for its 2023 cyber incident that exposed pensions and benefits data.
The ruling signals renewed scrutiny on supplier assurance, particularly around logging, containment SLAs, and data-processor accountability.
With Windows 10 support ended, external DSPT audits for IT suppliers underway, and a rise in critical incidents reported by the NCSC, focus is shifting from written policies to provable resilience. Organisations now need externally audited, tested defences, not just policies on paper.
Third-party risk is now a leading vulnerability. Recent fines and supplier breaches prove that a single vendor lapse can affect entire ecosystems. Supplier due diligence, contractual audit rights, and continuous monitoring must become routine, far beyond procurement checklists.
Large-scale digital projects, like the £1.2 billion Infosys ESR transition, amplify these stakes. Strong governance means independent validation of security controls, data residency, and exit strategies, owned at the board level.
Resilience is now business continuity in action. Cybersecurity isn’t just a compliance box to tick, it’s your licence to operate.