by Lisa Ventura MBE FCIIS
Our November #InfosecLunchHour virtual meetup brought together a diverse group of cyber security professionals, business executives, and website designers for an engaging discussion about the state of cyber security in the UK. Under Chatham House rules, participants shared candid insights about the challenges facing British businesses in an increasingly hostile cyber landscape.
The NCSC Annual Review Takes Centre Stage
The conversation kicked off with a discussion of the National Cyber Security Centre’s annual review and its stark warnings about the escalating cyber threats facing UK businesses. The report’s message was clear: cyber security is no longer just an IT problem – it’s a business-critical issue that demands leadership attention at the highest levels.
A particularly interesting point raised was the NCSC’s recommendation for organisations to print out their cyber resilience and crisis plans. In an age of digital transformation, this seemingly old-fashioned advice struck a chord with participants who recognised the wisdom of having accessible documentation when digital infrastructure fails. As one participant noted, having physical copies ensures that critical information remains available even when systems are compromised.
The Awareness Gap: A Persistent Challenge
Despite high-profile cyber incidents affecting major retailers like Marks & Spencer, the Co-op, Harrods and Jaguar Land Rover, the discussion revealed a concerning lack of awareness among many UK businesses. Several participants expressed frustration that whilst these attacks have certainly raised board-level concerns in some organisations, many small to medium enterprises still underestimate the threat they face.
The conversation highlighted a fundamental disconnect: whilst cyber security professionals understand the severity of the risks, communicating this urgency to business leaders remains challenging. One participant suggested that professional bodies and Chambers of Commerce need to take a more active role in disseminating cyber security guidance, noting that it’s unrealistic to expect the NCSC to reach every single business directly.
Supply Chain Vulnerabilities: The Weakest Link
A significant portion of the discussion focused on supply chain vulnerabilities – a topic that has gained prominence following several major incidents. Participants acknowledged that whilst large companies often make the headlines when attacked, the root causes frequently lie in compromised smaller suppliers who serve as gateways to larger targets.
The interconnected nature of modern technology means that even businesses with robust internal security can be vulnerable through their third-party relationships. This reality is particularly challenging for smaller companies who often lack the resources to implement comprehensive security measures whilst simultaneously serving as critical links in larger supply chains.
The AWS Outage: A Wake-Up Call
The recent AWS service disruption provided a timely case study for the group. Whilst AWS itself wasn’t compromised, the impact on businesses relying on cloud services was significant. The discussion revealed that the primary issues stemmed from failures in identity management services, highlighting the dangers of over-dependence on single points of functionality.
Several participants shared their experiences during the outage, ranging from minor inconveniences to significant operational disruptions. One participant mentioned the Co-op’s approach to disaster recovery, where a planned power cut-off was executed as part of their preparedness strategy – demonstrating the value of rehearsing emergency protocols before they’re needed.
Back to Basics: The Foundation of Good Security
A recurring theme throughout the discussion was the importance of fundamental security practices. Participants agreed that organisations often overcomplicate their security approaches when basic standards and mandatory training would suffice. The conversation emphasised that many successful attacks exploit basic security failures rather than sophisticated vulnerabilities.
The group discussed the concept of “cyber hygiene” – those essential, everyday practices that form the foundation of good security. Regular patching, strong password policies, employee training, and having both managed and unmanaged devices available were all highlighted as critical elements often overlooked in favour of more complex solutions.
Tailoring Advice for Different Business Types
One of the most valuable insights from the discussion was the recognition that cyber security advice needs to be tailored to different types of businesses. The “one size fits all” approach simply doesn’t work when addressing the diverse needs of UK enterprises, from sole traders to multinational corporations.
Participants noted that many existing standards and frameworks are designed with large organisations in mind, complete with separated roles, dedicated teams, and substantial resources. For smaller businesses, these frameworks can be overwhelming and impractical. The group called for more accessible, simplified guidance that smaller organisations can realistically implement.
Looking Ahead: December Discussions
As the meeting drew to a close, participants agreed to explore the topics of “red tape” and AI governance in December’s meetup. These subjects reflect the evolving challenges facing the cyber security community as regulatory requirements increase alongside technological complexity.
The next #InfosecLunchHour is scheduled for 3rd December 2025, with a special Christmas-themed meetup also planned for the week commencing 15th December. These sessions will continue to provide a valuable forum for open discussion under Chatham House rules, allowing participants to share experiences and insights freely.
Key Takeaways
The November #InfosecLunchHour reinforced several critical points for the UK cyber security community:
- Leadership engagement is essential: Cyber security must be understood and owned at board level, not relegated to IT departments
- Basic security practices matter: Many breaches could be prevented through fundamental cyber hygiene rather than expensive, complex solutions
- Supply chain security is everyone’s concern: Small businesses need support to secure themselves whilst serving as links to larger organisations
- Preparedness requires practice: Having documented plans – including physical copies – and rehearsing responses before incidents occur is crucial
- Tailored guidance is needed: The cyber security community must provide practical, accessible advice suited to organisations of all sizes
As cyber threats continue to evolve, forums like #InfosecLunchHour play a vital role in bringing the community together to share knowledge, discuss challenges, and work towards collective resilience. The strength of our cyber defences lies not just in technology, but in our ability to collaborate, communicate, and support one another in facing these shared challenges.
The #InfosecLunchHour virtual meetup takes place monthly and is open to all cyber security professionals and those interested in the field. For more information about upcoming sessions or to join the discussion, visit the Cyber Security Unity website or follow us on social media.