There is growing pressure on businesses in the UK to treat cyber security not as a cost, but as a foundation for operational continuity. The latest report from the National Cyber Security Centre (NCSC) reveals a 50 per cent year-on-year increase in ‘highly significant’ cyber incidents. These are attacks that have paralysed the operations of brands such as Marks & Spencer, the Co-op and Jaguar Land Rover and have hit not only reputations but, more importantly, the operation of supply chains.
In the 12 months to August, the NCSC intervened in 429 incidents, half of which were of national significance. Particularly alarming is the increase in the most serious cases – from 89 to 204 over the year. This signals that cybercrime is not only escalating, but becoming more specialised and targeting key sectors of the economy.
As Richard Horne, chief executive of the NCSC, stressed, ‘every leader – from a one-person company to a FTSE 350 giant – needs to have a plan for the day the screens go out’. It’s no longer just about preventing attacks, but about preparing for survival scenarios: maintaining production, fulfilling orders, paying salaries.
Particular attention was paid to small and medium-sized companies functioning as suppliers to large organisations. Their low margins and limited IT resources make them the most vulnerable when a customer's operations are interrupted. The example of Jaguar Land Rover shows the scale of the risk: almost six weeks of downtime and losses of up to £50m a week forced the intervention of the government, which provided the corporation with a £1.5bn loan guarantee to stabilise the supply chain.
It is becoming increasingly clear that cyber resilience needs to move from IT department level to board level. The UK’s Department for Science and Technology has sent letters to major companies, calling for responsibility for cyber security to be formally assigned at board level. This is a step towards a model familiar from financial regulation – where operational risk is treated strategically, not technically.
The increasing number of incidents of ‘national significance’ is not just a statistic, but an indicator of real tensions: the growing dependence of the economy on digital infrastructure and the realisation that a crisis can start with a click. As Horne asked: “If all the screens go out tomorrow – will you be able to continue operating?”