What does the UK Cyber Security and Resilience Bill mean for businesses?
James Griffin writes about the UK Cyber Security and Resilience Bill, explaining its effect on supply chain security and why businesses must go beyond compliance to truly protect against growing cyber threats.

Recent cyberattacks have laid bare the fragility of our interconnected digital infrastructure. In Europe over the last month, hackers struck a leading check-in system vendor, knocking out automated systems at major airports and stranding thousands of passengers in terminals.
The incident is a stark reminder that the modern aviation network, as is the case with many sectors (consider recent attacks on sectors as diverse as automotive, retail and even childcare providers), depends on a handful of critical third parties.
As I have often warned, the widespread disruption and cost (financial and personal) caused at airports show that cyber resilience is not an abstract concept. It is a business and societal necessity, a strategic priority that every sector must get a firm handle on or suffer the consequences. In other words, we can no longer treat cyber resilience as another compliance box to tick; the whole industry must share responsibility for shoring up supply chains.
From a policy perspective, the UK’s forthcoming Cyber Security and Resilience Bill is a welcome step in this direction. The government is proposing to bring roughly 1,000 additional service providers, from IT contractors to managed service providers to data centres, into what it hopes will be a tougher regulatory regime.
In practice this means more organisations and suppliers will have to meet robust security requirements. For example, data-centre operators and MSPs will need to boost their risk assessments and network defences, and all third-party providers will be expected to strengthen data protection and incident reporting.
The policy aim is clear: by extending oversight down the supply chain, critical sectors such as transport, health and energy become harder targets for ransomware and espionage. The thinking, which I share, is that you are only as secure as the most vulnerable part of your supply chain.
Yet it is a sobering reality that regulation alone will not close all the gaps.
We must confront the fact that too few businesses rigorously monitor their suppliers' cyber hygiene. In the UK, it is estimated that fewer than one in five organisations have reviewed their supply chain cybersecurity in the past year. This creates dangerous blind spots in which attackers can lurk undetected.
Recent breaches illustrate the point better than any argument. In June 2023, criminals exploited a zero-day flaw in the MOVEit file-transfer software used by payroll provider Zellis, putting British Airways, the BBC, Boots and others in the headlines for all the wrong reasons. Last year, a cyber-espionage attack on the UK's Ministry of Defence, no less, exposed over 250,000 sensitive service personnel records by targeting a contractor's payroll system.
Most recently, Jaguar Land Rover suffered one of the largest breaches in UK history, prompting potential government bailouts for its supply chain. Each case shows the same pattern: a flaw in one supplier cascades rapidly into a multi-sector crisis. In our interconnected world, a single exploited link, whether in the supply chain or at the lead company, can ground flights, leak military personnel data or destroy businesses, inflicting huge economic and strategic damage.
In my view, these wake-up calls demand a radical shift in mindset. We must move beyond the assumption that hardening our own perimeter is enough. Instead, every organisation needs to proactively manage vendor risk and assume that supply chain attacks are coming. That means mapping all third-party dependencies, including the suppliers behind your suppliers, demanding proof of security controls from each of them, and continuously reassessing those relationships as the evidence ages.
I believe that too many businesses still do not check their suppliers properly, creating the blind spots that attackers exploit. In practice, firms should routinely ask suppliers what security reviews they conduct, from penetration tests to ISO 27001 certification, and verify that no known vulnerabilities (such as unpatched internet-facing web interfaces) remain in the systems that handle their data.
Beyond process reviews, a truly resilient supply chain relies on layered security and preparedness.
Sensitive data transfers should always be protected in depth. This includes encrypting files before they are sent, sharing the decryption keys over a separate channel, and being diligent about removing sensitive data from external servers promptly after use, so that a compromised transfer platform yields as little as possible. Organisations must also follow basic cyber hygiene across their supply chains: applying patches promptly when they are released, segmenting networks, enforcing strong authentication, and ensuring staff are adequately trained to recognise phishing.
Importantly, every critical supplier relationship should be backed by a tried and tested incident response and continuity plan.
Breaches are inevitable; that is the nature of an evolving threat landscape. What matters is how quickly you recover.
For suppliers and service providers themselves, the message is equally clear: your customers cannot afford for you to fail. Because organisations rely on external vendors for core functions, from payroll to flight operations, a supplier's security should be treated as critical as your own. This means performing thorough risk assessments on every tier of the supply chain, without fail, continuously monitoring for anomalies, and building in redundancy.
For example, maintaining alternative suppliers or backup systems can keep your operations running even if a primary vendor goes dark. Every minute of downtime now carries a heavy cost, not just in money but in lost trust, so proactive security is a fundamental duty.
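The dependency mapping, evidence checks and redundancy questions described above can be kept honest with a small, repeatable review. The following Python is an added example, not code from the original article or from CyberSentriq: it holds a constructed supplier inventory (hypothetical names, not real companies), propagates criticality down the chain so that a sub-supplier of a critical vendor is treated as critical too, and flags stale reviews, missing pentest or ISO 27001 evidence, sub-suppliers that are not in the inventory at all, and critical services with no fallback. The 365-day review and pentest intervals are assumptions for illustration, not requirements from the Bill.

```python
"""Supplier dependency map with evidence-freshness and redundancy checks.

Added example (not the article's or CyberSentriq's code). Supplier names are
constructed; the intervals below are assumptions, not statutory requirements.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=365)   # assumption: re-review every supplier yearly
PENTEST_INTERVAL = timedelta(days=365)  # assumption: pentest evidence older than this is stale


@dataclass
class Supplier:
    name: str
    service: str
    critical: bool                        # an outage would halt a core business function
    depends_on: list[str] = field(default_factory=list)    # its own suppliers (nth party)
    alternatives: list[str] = field(default_factory=list)  # fallback suppliers or systems
    last_review: date | None = None       # when we last assessed this supplier
    pentest_date: date | None = None      # date of the latest pentest report received
    iso27001_expiry: date | None = None   # expiry of the ISO 27001 certificate on file


def effective_critical(inventory: dict[str, Supplier]) -> set[str]:
    """Propagate criticality down the chain: anything a critical supplier
    depends on is critical to us too, however far down it sits."""
    critical = {name for name, s in inventory.items() if s.critical}
    frontier = list(critical)
    while frontier:
        current = frontier.pop()
        for dep in inventory[current].depends_on:
            if dep in inventory and dep not in critical:
                critical.add(dep)
                frontier.append(dep)
    return critical


def assess(inventory: dict[str, Supplier], today: date) -> dict[str, list[str]]:
    """Return findings per supplier; suppliers with no findings are omitted."""
    critical = effective_critical(inventory)
    findings: dict[str, list[str]] = {}
    for name, s in inventory.items():
        issues: list[str] = []
        if s.last_review is None or today - s.last_review > REVIEW_INTERVAL:
            issues.append("no review in the last 365 days")
        for dep in s.depends_on:
            if dep not in inventory:  # a blind spot: we depend on it but never mapped it
                issues.append(f"sub-supplier '{dep}' not in inventory")
        if name in critical:  # evidence and redundancy are demanded of critical suppliers
            if s.pentest_date is None:
                issues.append("no penetration test evidence")
            elif today - s.pentest_date > PENTEST_INTERVAL:
                issues.append("penetration test evidence older than 365 days")
            if s.iso27001_expiry is None:
                issues.append("no ISO 27001 evidence")
            elif s.iso27001_expiry < today:
                issues.append("ISO 27001 certificate expired")
            if not s.alternatives:
                issues.append("no alternative supplier for a critical service")
        if issues:
            findings[name] = issues
    return findings


# Constructed sample inventory (hypothetical suppliers, not real companies).
SAMPLE: dict[str, Supplier] = {
    "payroll-provider": Supplier(
        "payroll-provider", "payroll", critical=True,
        depends_on=["file-transfer-vendor"],
        last_review=date(2025, 3, 1), pentest_date=date(2024, 8, 15),
        iso27001_expiry=date(2026, 1, 31)),
    # Not flagged critical by the business, but the payroll provider depends on it.
    "file-transfer-vendor": Supplier(
        "file-transfer-vendor", "managed file transfer", critical=False,
        depends_on=["cloud-host"]),  # 'cloud-host' was never added to the inventory
    "office-cleaning": Supplier(
        "office-cleaning", "cleaning", critical=False,
        alternatives=["cleaner-b"], last_review=date(2025, 6, 1)),
}
AS_OF = date(2025, 10, 1)  # constructed review date


def run_sample() -> dict[str, list[str]]:
    return assess(SAMPLE, AS_OF)


if __name__ == "__main__":
    for supplier, issues in run_sample().items():
        print(supplier)
        for issue in issues:
            print("  -", issue)
```

Run as-is, the report shows the file-transfer vendor, which nobody marked critical, inheriting criticality from the payroll provider and carrying every finding at once: never reviewed, no evidence, an unmapped sub-supplier and no fallback. That is exactly the kind of blind spot the MOVEit and Ministry of Defence incidents exposed, and it only appears because the dependency graph, not just the direct vendor list, was checked.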
Looking ahead, the Cyber Security and Resilience Bill will give regulators and the technology secretary new tools to enforce these practices (including mandatory incident reporting and powers to update rules as threats evolve). But legislation alone won’t solve the problem without an industry culture of collective accountability. Every company must ask itself: what could happen if my vendor is attacked? By investing in rigorous vendor management, layered defences and agile response plans, we can turn regulatory pressure into practical resilience.
The last few months have shown that supply chain shocks can knock out airports or compromise national security overnight. It’s time for organisations large and small to treat those warnings seriously. Only by working together and treating the security of our common supply chains as everyone’s responsibility can we withstand the next wave of cyber threats.
James Griffin is the CEO at CyberSentriq, an integrated cybersecurity and data protection platform purpose-built for managed service providers.