Monthly Newsletter

February 2026

Written by Craig Pepper | Mar 2, 2026 2:00:00 PM

February has been another busy month at Periculo, and we show no signs of slowing down. This month, we share an update on our work in the field, the growing demand for supply chain security, an NHS DSPT reminder, and our usual practical tips to keep you ahead. Let's get into it...

Periculo in the Field: PCI DSS Compliance Visits

February has been a varied month for the Periculo team, showing the span of the work we carry out across sectors.

This month, we have been conducting on-site PCI DSS compliance visits across a multi-site estate, a type of engagement that requires consultants to assess not just technical controls, but physical security, staff awareness, and operational procedures across multiple locations. It is methodical, hands-on work, and it is exactly the kind of assurance that organisations with complex, distributed environments need to meet their cardholder data obligations.

PCI DSS (Payment Card Industry Data Security Standard) applies to any organisation that stores, processes, or transmits cardholder data, regardless of size or sector. Compliance is not a one-off exercise — it requires ongoing monitoring, regular assessments, and a genuine commitment to maintaining the controls that protect both customers and the organisation itself. On-site visits are a critical part of that process, ensuring that what is documented in policy is genuinely reflected in practice.

Supply Chain Security and Cyber Essentials

From Nice-to-Have to Non-Negotiable

One of the clearest trends we are seeing this year is a significant increase in organisations enquiring about and completing Cyber Essentials certification, and the driving force behind much of that demand is supply chain security.

Following the high-profile supply chain incidents of 2025, larger organisations and public sector bodies are scrutinising their supplier base far more closely than before. The result is that Cyber Essentials, once treated by many as an optional credential, is increasingly appearing as a contractual requirement. Suppliers are being asked to hold it before contracts are awarded, and in some cases before conversations even begin.

This shift has been brought into sharp focus by NHS England, which from January 2026 began directly contacting suppliers to discuss their cybersecurity controls and, where appropriate, requesting supporting evidence. The programme is not described as an audit, but the message is clear: NHS England is actively reviewing its supply chain and expects suppliers to demonstrate that the right controls are in place. Key expectations include maintaining DSPT 'Standards Met' status, applying multi-factor authentication, keeping systems patched against known vulnerabilities, and ensuring tested recovery plans are in place. Suppliers who cannot demonstrate these fundamentals are increasingly at risk of losing existing contracts or being excluded from new ones.

This is a positive development for the sector as a whole. Cyber Essentials provides a solid baseline of technical controls that protect against the most common cyber threats, and the process of achieving it prompts organisations to take a structured look at their security posture, often for the first time. For many of the organisations we work with, it is the starting point for a broader compliance journey.

We are also seeing a notable rise in enquiries around penetration testing, and the drivers are increasingly specific. Organisations pursuing DTAC approval, a requirement for digital health tools used in NHS clinical pathways, must demonstrate that their product has been independently tested for security vulnerabilities. Similarly, those preparing submissions for FDA clearance in the United States are finding that penetration testing is expected as part of the evidence package for software as a medical device.

Beyond these, other compliance frameworks such as ISO 27001 and the DSPT are also prompting organisations to commission penetration tests, either as a requirement or as a means of generating robust evidence. The common thread is that certification alone is no longer sufficient; stakeholders want proof that security controls have been put to the test.

The same pattern is clear across other frameworks too. Organisations wanting to work with the NHS are asking about DSPT compliance in greater numbers, whilst those looking to enter or expand within the defence supply chain are coming to us specifically about Defence Cyber Certification. The message from both sectors is consistent: if you want to work with us, you need to demonstrate your security credentials, and you need to do it formally.

If your organisation is looking to win or retain contracts in the NHS or MOD supply chain, the time to get your certifications in order is now, not when the deadline is upon you.

We can support you across Cyber Essentials, DSPT, DCC, and penetration testing, helping you meet requirements efficiently and with confidence.

Get in touch →

DSPT Reminder: Four Months to Go

The 30th June 2026 deadline for DSPT submissions is approaching faster than it may feel. For IT suppliers to the NHS with 50 or more staff and an annual turnover of £10 million or more, this cycle brings a mandatory independent audit requirement.

If you have not yet begun preparing your evidence, now is the time. Early engagement allows you to identify and address any gaps before they become audit findings, and gives your team sufficient time to gather robust evidence across the 12 key assertions covering technical controls, governance, risk management, and incident response.

We have already completed a number of audits this cycle and are booking new clients now. Availability is filling up quickly, so if you are considering an independent audit, we would encourage you to get in touch sooner rather than later to secure your slot.

Contact us to get started →

Security Tip of the Month

Run a phishing simulation

Human error remains the leading cause of security incidents in UK organisations. A phishing simulation is one of the most effective ways to understand how your team responds to social engineering attacks, and to build awareness without waiting for a real incident.

If you do not have an internal capability to run simulations, several affordable tools are available, and many managed security providers include phishing campaigns as part of ongoing security programmes. Even a basic simulation, followed by clear and constructive feedback, can significantly reduce risk.

Jargon Buster

Cyber Maturity

Cyber maturity refers to the degree to which an organisation has embedded cybersecurity practices into its people, processes, and technology — beyond merely meeting minimum compliance requirements. Maturity frameworks, such as those based on NIST CSF or ISO 27001, help organisations benchmark their current state and define a structured path towards a stronger, more resilient security posture. Higher maturity organisations are better placed to prevent, detect, and recover from cyber incidents.

Security Fact

Over 80% of cyber incidents involve a human element

According to Verizon's Data Breach Investigations Report, more than four in five breaches involve a human element, whether through phishing, stolen credentials, or social engineering. Technical controls are essential, but they must be complemented by a security-aware culture. Regular training, clear policies, and phishing simulations are among the most cost-effective investments an organisation can make.

If you are planning your security and compliance work for the months ahead, we would be delighted to help. Get in touch to discuss how Periculo can support your DSPT Audit, DCC Certification, penetration testing, or managed compliance requirements.