The monthly #InfosecLunchHour meetup took place at 12.30pm on 1 October on Zoom, and it painted a sobering picture of the UK’s cyber security landscape. Whilst the industry celebrated awards and accolades at the National Cyber Awards last Monday night, including the well-deserved recognition of Dr Clare Johnson as Cyber Citizen of the Year, the frontline reality reveals an uncomfortable truth: we’re still treating security as an afterthought, and it’s costing us dearly.
The Teenager in the Server Room
Recent attacks on Jaguar Land Rover and Kido nurseries weren’t just isolated incidents; they’re symptoms of a broader systemic failure. Perhaps most disturbing was the revelation that many of these attacks are perpetrated by teenagers, not sophisticated nation-state actors, but young people who’ve found cyber-crime more profitable than traditional employment. When a teenager can bring down critical supply chains or compromise thousands of children’s personal data, we need to ask ourselves: what have we got wrong?
The answer, discussed at length during the meetup, isn’t simply about technical defences. It’s about a fundamental misunderstanding of risk, responsibility, and resilience across entire sectors.
The Nursery Software Wake-Up Call
One particularly chilling anecdote emerged about nursery software providers. One participant reportedly stated that a pre-school they are involved in would only investigate security measures if customers started asking about it. Let that sink in: organisations handling sensitive data about children are operating software where security is considered an optional extra, something to implement only when market pressure demands it.
This isn’t just poor business practice; it’s a safeguarding failure. Nurseries operate on very thin margins, and a single successful attack could put them out of business overnight. Yet the combination of weak password policies in systems like Google Classroom and unresponsive software vendors creates a perfect storm of vulnerability.
Supply Chains: The Hidden Single Point of Failure
The discussion around supply chain resilience revealed an uncomfortable paradox. Whilst businesses are encouraged to diversify and build resilience, the reality is that centralisation and supplier concentration create systemic risks we’re only beginning to understand. The recent JLR incident, requiring government loan guarantees, and the Co-op’s supply chain disruptions demonstrate that when critical suppliers fail, the ripple effects extend far beyond individual organisations.
Small businesses face an impossible choice: diversify their customer base and risk losing focus or concentrate their efforts and risk catastrophic failure if that single client suffers a cyber incident. Meanwhile, government support appears reserved for large enterprises, leaving SMEs to fend for themselves.
Security as Cost Centre: The Funding Conundrum
A recurring theme throughout the meeting was how security consistently ends up as a cost centre within organisations, with implementation delayed until an incident forces action. This reactive approach is financially rational from a quarterly reporting perspective but strategically disastrous for long-term resilience.
The discussion highlighted that we’re still asking organisations to invest in preventing problems they haven’t experienced yet, whilst simultaneously cutting budgets and expecting more output. Until security becomes viewed as an enabler rather than an expense, we’ll continue to see the same pattern: under-investment, inevitable breach, panic response, temporary improvement, gradual complacency, repeat.
Secure-by-Default: The Missing Foundation
The concept of “secure-by-default” and “secure-by-design” emerged as crucial principles, particularly for small organisations lacking dedicated security staff. The argument was compelling: systems should be inherently secure, requiring effort to unsecure rather than to secure. Why should a nursery manager need to become a cyber security expert to protect children’s data? Why should a small manufacturer need to hire consultants to ensure their supply chain systems aren’t vulnerable?
The rise of generative AI adds another dimension to this challenge, with data classification becoming critical as organisations unwittingly feed sensitive information into large language models. If our baseline systems aren’t secure-by-default, the additional attack surface created by AI adoption could be catastrophic.
Education: Starting Too Late with Too Little
The staffing challenge facing cyber security in the UK is stark: approximately 70,000 cyber security professionals exist, but only around 20,000 work directly in security roles rather than for vendors. This skills gap won’t be solved by recruiting more specialists; it requires a cultural shift.
The proposal for cyber security professionals to offer free awareness training to schools received strong support, though the sustainability of volunteer-based education remains questionable. More fundamentally, the discussion highlighted that we’re teaching the wrong thing at the wrong time. Brief modules on online safety in citizenship classes, which were discontinued, won’t create a security-conscious generation.
Security education needs to be integrated throughout the curriculum, focused on personal security skills that transcend IT. Students need to understand risk, verify identity, recognise manipulation, and make informed decisions about data sharing: skills that apply whether they’re using a smartphone or managing a business.
The Digital ID Debate: Solution or Surveillance?
The conversation around digital ID cards revealed deep divisions about government intentions and implementation risks. Whilst some argued that a well-designed digital ID system might actually reduce current security risks, particularly around mobile device vulnerabilities, others expressed concern about mission creep and government overreach.
Iceland’s model of using local banks as ID verification points was cited as a potential solution, though the closure of bank branches across the UK makes this approach impractical. The fundamental question remained unanswered: are we implementing digital ID to solve a specific problem, or are we creating a solution looking for a problem whilst enabling unprecedented surveillance capabilities?
Where Do We Go From Here?
#InfosecLunchHour this month revealed several uncomfortable truths that the industry needs to confront. Cyber-crime has become a viable career path for teenagers, suggesting our societal structures are failing young people whilst simultaneously creating security risks. Software vendors remain unaccountable for security failings, particularly in sectors handling vulnerable populations. Supply chain concentration creates systemic risks that individual businesses cannot mitigate alone. Security remains underfunded and deprioritised until crisis strikes. Our education system isn’t preparing the next generation for a digital-first world.
These aren’t technical problems requiring technical solutions. They’re structural, cultural, and economic challenges that demand policy intervention, industry collaboration, and a fundamental rethinking of how we approach security across society.
Perhaps the most important takeaway is this: we can’t continue to treat cyber security as a specialist concern for a small number of professionals. It’s a fundamental requirement for a functioning digital society, and until we embed that understanding into our education, our business practices, and our policy making, we’ll continue to see cyber-attacks increasing at an exponential rate.
The question isn’t whether we can afford to make these changes. After the Jaguar Land Rover cyber-attack, after Kido nurseries, after countless other incidents this year alone, the question is: can we afford not to?
This article has been written under Chatham House rules based on discussions at the October 2025 #InfosecLunchHour meetup. Individual comments have not been attributed to specific participants.
The next #InfosecLunchHour meet up will take place on Wednesday 5 November 2025 at 12.30pm GMT on Zoom. Please email Lisa Ventura MBE FCIIS via lisa@csu.org.uk to be added to the calendar invite and receive the Zoom joining details if you would like to come along and take part.