Cyber incidents often make headlines because of the disruption they cause, but they also reveal how organisations operate behind the scenes. The 2025 incident at Jaguar Land Rover (JLR) did exactly that, bringing into focus how closely its operations are connected to suppliers, shared systems and the wider manufacturing ecosystem.

What stood out wasn’t just the interruption itself, but the way it exposed the dependencies that keep a modern automotive operation moving. Supply chains in this sector are highly interconnected, and even a brief pause can surface links that usually sit quietly in the background. The JLR outage made some of those connections more visible and offered a practical reminder of how quickly operational pressures can ripple outward.

Seen through that lens, the incident becomes less about the disruption and more about what it revealed. It highlighted the level of interdependence built into today’s manufacturing environments and pointed to clear opportunities for organisations to strengthen their resilience. The lessons are practical, achievable and relevant far beyond the automotive sector.

A Quick Look at What Happened

When the cyber‑attack occurred, JLR paused parts of its UK production to contain the issue, restore affected systems and verify that operations could resume safely. What initially appeared to be a short interruption extended as teams completed recovery work and confirmed that core processes were stable.

The disruption affected several areas:

  • Manufacturing: some production lines paused and schedules were adjusted.
  • Supply chain: suppliers of all sizes experienced delays as orders and timings shifted.
  • Logistics: movements of parts and finished vehicles were rescheduled, creating knock‑on effects across transport networks.
  • Retail operations: downstream activity changed as production timelines moved.

Throughout the incident, JLR prioritised system stability and close coordination with partners. Production returned gradually, with a focus on safety and continuity across the manufacturing network.

The pause also offered a clearer view of how operational dependencies surface during unexpected events. It showed:

  • how quickly changes in one area can influence others
  • how reliant modern manufacturing is on shared digital processes
  • how important coordinated communication becomes when operations need to adjust at pace

This helps explain why the incident resonated beyond JLR itself. The effects were felt across a broad ecosystem of businesses, reinforcing the importance of understanding supply‑chain dependencies before they are tested.

Why This Was Really a Supply Chain Story

While the incident was centred on JLR, the wider context sits within the structure of automotive manufacturing. The sector relies on a broad network of suppliers, shared digital platforms and coordinated logistics processes, and any disruption naturally draws attention to how these elements interact in practice.

A few operational realities were highlighted during the pause:

  • Digital systems support day-to-day operations. Modern manufacturing uses a range of digital tools for ordering, scheduling, supplier coordination and logistics. When these systems are unavailable or slowed, it can influence how physical operations run.
  • Production processes are tightly timed. Automotive manufacturing typically follows structured, time-sensitive workflows. Even small changes to those workflows can create adjustments elsewhere, simply because the system is designed to move at a steady pace.
  • Suppliers notice changes quickly. When production activity shifts, suppliers often feel the effects early. Larger suppliers may have more capacity to absorb changes, but smaller businesses can be more exposed to sudden fluctuations.

Taken together, the incident illustrated how interconnected the automotive sector is. When a major manufacturer experiences a disruption, the effects can be felt across organisations of varying sizes and roles. It also provided a clearer view of where resilience measures can make a meaningful difference.

What Organisations Can Learn and Apply Right Now

Incidents like this are disruptive, but they also shine a light on where organisations can improve. The lessons aren’t limited to automotive manufacturing; they apply to any business that relies on suppliers, partners or digital systems.

Here are the key takeaways.

Map Your Supply Chain

Most organisations have a list of suppliers. Very few have a clear picture of:

  • which suppliers rely on which systems
  • how data flows between them
  • where the single points of failure are
  • which suppliers are genuinely critical

A clear supply-chain map doesn’t need to be complicated, but it does need to be accurate. And it’s an effective way to spot risks before they become problems.

This is especially important for organisations with complex operations. Without a clear map, it’s almost impossible to understand how a disruption in one area might affect another. JLR’s experience showed how quickly a single incident can ripple across an entire ecosystem.

Set Clear Security Expectations for Suppliers

Security requirements shouldn’t be vague or buried in contracts. They should be:

  • specific
  • measurable
  • regularly reviewed
  • aligned with your own risk appetite

If suppliers are part of your attack surface, and they are, they need to be part of your security strategy.

This doesn’t mean expecting every supplier to meet the same standards as a global manufacturer. It means setting expectations that are proportionate, realistic and clearly communicated. When suppliers know what’s expected of them, they’re far more likely to meet those expectations.

Limit Supplier Access to What’s Necessary

A common weakness in supply-chain breaches is overprivileged access. Suppliers often have:

  • more access than they need
  • access for longer than necessary
  • access that isn’t monitored

Follow the principle of least privilege:

If someone doesn’t need access today, they shouldn’t have it today.

This isn’t about mistrust; it’s about reducing the number of doors an attacker could potentially walk through. Access should be granted sparingly, monitored closely and removed promptly when no longer needed.
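An added example, not from the original article, of what a periodic supplier access review can look like in practice: each grant is checked against the three weaknesses listed above (broader role than needed, access kept past its end date or left unused, and access that nobody monitors) and given a recommended action. The suppliers, accounts and dates are constructed sample data.

```python
"""Supplier access review against the principle of least privilege.

Flags supplier grants that are broader than needed, have no end date, have
expired, have gone unused, or are not monitored. Sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Grant:
    supplier: str
    account: str
    system: str
    role: str                  # role actually held on the system
    needed_role: str           # role the engagement genuinely requires
    granted: date
    expires: Optional[date]    # None means no end date was ever set
    last_used: Optional[date]  # None means never used since it was granted
    monitored: bool            # True if the account's activity is logged


# Constructed sample grants (hypothetical suppliers and systems).
SAMPLE_GRANTS = [
    Grant("seat-maker-a", "sma-svc", "supplier-portal", "read", "read",
          date(2025, 1, 10), date(2025, 12, 31), date(2025, 9, 1), True),
    Grant("logistics-partner", "lp-admin", "logistics-scheduler", "admin",
          "operator", date(2024, 3, 1), None, date(2025, 9, 2), False),
    Grant("erp-integrator", "erpi-ops", "erp", "admin", "admin",
          date(2024, 6, 1), date(2025, 6, 30), date(2025, 5, 20), True),
    Grant("wiring-harness-co", "whc-api", "erp", "operator", "operator",
          date(2025, 2, 1), date(2026, 1, 31), None, False),
]


def review_grant(g, today, stale_after=timedelta(days=90)):
    """Return a list of human-readable findings for one grant."""
    findings = []
    if g.role != g.needed_role:
        findings.append(f"holds '{g.role}' but only '{g.needed_role}' is needed")
    if g.expires is None:
        findings.append("no end date set")
    elif g.expires < today:
        findings.append(f"expired on {g.expires} but still active")
    if g.last_used is None:
        findings.append("never used since grant")
    elif today - g.last_used > stale_after:
        findings.append(f"unused for {(today - g.last_used).days} days")
    if not g.monitored:
        findings.append("activity not monitored")
    return findings


def recommended_action(findings):
    """Revoke if the access is clearly not needed today; otherwise recertify."""
    if any(f.startswith(("expired", "never used", "unused")) for f in findings):
        return "revoke"
    return "recertify" if findings else "keep"


def review_all(grants, today):
    """Map each account to its recommended action and the findings behind it."""
    report = {}
    for g in grants:
        findings = review_grant(g, today)
        report[g.account] = {"action": recommended_action(findings),
                             "findings": findings}
    return report


if __name__ == "__main__":
    for account, result in review_all(SAMPLE_GRANTS, date(2025, 9, 15)).items():
        print(f"{account:10s} {result['action']:10s} {'; '.join(result['findings'])}")
```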

Build Segmentation into Your Architecture

Segmentation is an effective way to contain cyber incidents. If one system goes down, it shouldn’t take everything with it. In JLR’s case, the attack affected production systems across multiple factories, a sign that segmentation could have reduced the blast radius.

Segmentation doesn’t eliminate risk, but it buys time. And in a cyber incident, time is everything.

It also helps organisations recover more quickly. When systems are segmented, it’s easier to isolate the affected areas, restore unaffected systems and bring operations back online in stages.

Test Your Response with Supplier-Focused Scenarios

Most incident response exercises focus on internal failures. But real-world incidents often start elsewhere.

Useful scenarios include:

  • a key supplier going offline
  • a shared platform being compromised
  • a supplier’s credentials being used maliciously

These exercises don’t just test your technical response, they test communication, decision-making and the ability to keep the business running under pressure. They also help identify gaps that might not be obvious during day-to-day operations.

Strengthen Communication Channels with Suppliers

During a crisis, silence creates confusion. Clear, pre-agreed communication paths help everyone respond faster and more effectively.

This includes:

  • knowing who to contact
  • knowing how to escalate
  • knowing what information to share
  • knowing how to coordinate recovery

Good communication doesn’t fix the problem, but it makes sure that the people who need to know, do know. It also helps maintain trust both internally and externally.

When suppliers know what’s happening, they can take action to protect their own systems and support your recovery efforts. When they’re left in the dark, they can’t.

Build Contingency Plans for Critical Suppliers

If a supplier goes down, what’s your plan B? Or C? Or D?

Even a basic fallback plan can keep operations moving while the primary supplier recovers. It doesn’t need to be perfect; it just needs to exist.

Contingency planning isn’t about expecting the worst. It’s about being prepared for the unexpected. And as JLR’s experience showed, the unexpected can happen quickly.

Glen Williams, CEO of Cyberfort Group, discusses why UK boards must lead with resilience, beyond compliance, to prevent costly breaches.


Infrastructure-level attacks

Despite growing investment in cybersecurity, many UK businesses remain critically exposed to infrastructure-level attacks.

They are under siege from state actors, criminal groups and opportunistic attackers exploiting any weakness.

Too many are operating under a concerning illusion of safety, believing being compliant means being secure.

But compliance is not resilience and ticking regulatory boxes is no defence strategy.

The biggest vulnerability is not always a firewall or an unpatched system.

Increasingly, it lies at the top. This is the boardroom blind spot – a disconnect between the perceived and actual state of cybersecurity in UK organisations.

Many underestimate the scale, sophistication and speed of cyber-threats.

The result? A slow drift toward crisis – costing money, reputations, operations and in some cases, the very survival of the business.

Leaders must ask the hard questions: If we were breached tomorrow, could we still operate? How fast could we recover – and at what cost?

From airports to automakers: The threat is escalating

Recent attacks on Jaguar Land Rover, major UK airport ransomware incidents and other critical infrastructure show no sector is immune.

Attackers are more organised, more aggressive and increasingly focused on large-scale disruption.

These breaches often succeed not because defences are absent, but because they are insufficient.  

Many businesses still assume cybersecurity is ‘being handled’ by internal IT or third-party providers – often generalists, not specialists.

But when facing organised crime groups or state-sponsored actors, general IT skills fall short.

The analogy holds: No one would trust a nurse to perform brain surgery – so why expect an IT generalist to protect the core of a business against elite cyber-threats?

The numbers speak for themselves. Of the 2.7 million registered UK businesses, only around 51,000 meet Cyber Essentials standards.

So basic cyber-hygiene is still being overlooked. With critical infrastructure now a prime target, the stakes are rising fast. Cybersecurity must be led from the top, by boards.

Why compliance does not equal resilience

Regulatory compliance frameworks such as ISO 27001, GDPR, the upcoming UK Cyber Resilience Act and Cyber Essentials serve a valuable purpose.

They set minimum standards and enforce accountability, but structure alone is not protection.

Compliance does not mean a business can detect, respond to or recover from an attack.

In fact, many companies seriously breached in recent years were fully compliant – on paper – but not operationally ready.

It is entirely possible to pass an audit and still be breached the very next day.

Worse, compliance is often used as a proxy for resilience – but it is often a lagging indicator of risk.

True resilience means having expert-led, scenario-tested, continuously evaluated strategies that are regularly refined and adapted to new threats.

Anything less leaves businesses dangerously exposed.

What real cyber-resilience looks like

Cyber-resilience is not a product you buy nor a policy you publish.

It is the organisation’s ability to absorb shocks and continue operating with minimal disruption – even when under attack.

Resilience starts at board level. This includes recognising cybersecurity as a core business risk, as well as bringing in trusted partners, such as NCSC-assured consultancies, that can help prepare organisations before, during and after an attack.

Resilient businesses invest in more than software; they invest in strategy.

They rehearse their response so that when a breach inevitably happens, teams avoid losing time or capability. 

Access to experts such as virtual Chief Information Security Officers (CISOs) or specialist placements supports stronger governance.

Resilience also means going beyond annual assessments to include regular threat modelling, red teaming and incident response drills.

Preparedness must extend across the entire organisation: Leadership, technical teams and non-technical staff alike.

At Cyberfort, resilience is defined not by how quickly a company recovers, but by how little it loses in the process – whether that is trust, uptime, data integrity, capital or brand reputation.

Accountability cannot be outsourced

Cyber-risk is business risk – it impacts revenue, reputation, regulatory standing and long-term viability.

Yet this reality is repeatedly not landing where it needs to: in the boardroom.

Too often, cybersecurity is viewed as technical – something IT should manage.

This mindset leads to underinvestment, poor response protocols and strategic blind spots in decision-making when it matters most.

Boards are responsible for resilience. Delegating without oversight, or mistaking compliance for readiness, is a dereliction of that duty.

Leaders must ask the right questions, challenge assumptions and ensure cybersecurity is embedded in strategic planning.

When cyber is ignored at the top, the entire organisation is left vulnerable.

To close the boardroom blind spot, leaders must first make cybersecurity a standing board agenda item – not as an operational update, but as a strategic risk discussion, treated with the same urgency as financial performance or operational risks.

Cybersecurity breaches can impact the balance sheet just as swiftly and severely as a major market event.

Second, boards must invest in education for directors.

While directors do not need to be technical experts, they must understand the business implications associated with cyber-threats.

Finally, success metrics must shift. Instead of measuring success by the absence of incidents, organisations should focus on the speed and effectiveness of detection, containment and recovery efforts.

Don’t wait for the crisis

The time of treating cybersecurity as an IT issue has long passed.

Cyber-risk now permeates every strategic decision – from M&A to supply chains.

The price of inaction is not theoretical – it is real and growing – just ask the companies that did not survive.

The fallout of recent breaches includes lost shareholder value, eroded customer trust and long-term reputational damage that no insurance policy can undo.

Far too many businesses rely on generalist defences in a specialist threat environment.

Boards can no longer afford to sit on the side-lines.

Cybersecurity must be embedded into every strategic decision, not siloed as a compliance exercise.

The question is no longer if a breach will occur, but how well the organisation will be prepared to respond when it does.

Those who wait for the crisis to act will already be too late.

Nige Wilkinson – COO – Cyberfort


The introduction of the Cyber Resilience Bill marks a defining moment in the UK’s approach to digital security. For years, regulation has focused on the most visible parts of the critical national infrastructure, but the digital economy has become far more interconnected and far more dependent on the unseen operators that keep it running.

By widening the scope to include data centres, managed service providers and a new class of critical suppliers, the bill recognises that resilience is shaped not only by the organisations at the forefront of service delivery but also by those embedded deep within the national supply chain.

This shift is an important one. Data centres and managed service providers are now fundamental to how business is conducted. They host the information that fuels decision making, the platforms that support essential public services and the systems that underpin national productivity. Yet the bill’s current definition of a critical supplier remains broad and, at present, untested.

The absence of clear consultation with the industry on what constitutes criticality leaves room for uncertainty. A data centre hosting low risk workloads could be treated in the same way as one supporting essential public services. For operators and investors alike, such ambiguity could influence future development decisions and impose new requirements that are not aligned with the risk profile of their services.

While the details of classification require further refinement, the intention behind the legislation is sound. Cyber threats increasingly exploit the gaps that exist between interconnected partners rather than focusing solely on direct targets. As organisations have matured their own defences, attackers have looked outward to the suppliers and service providers that form the operational backbone of modern businesses. 

The bill acknowledges this reality. It places supply chain resilience at the forefront of regulatory attention and emphasises that security must be consistent from end to end if it is to be effective.

Training people is easy. Securing partners is harder

Employees are often highlighted as the main vulnerability within organisations, yet they are also the most addressable. People can be trained, educated and equipped to understand the nature of evolving threats. Supply chains, by contrast, are more complex. 

They are formed of partners who do not always adhere to the same standards and who may have very different levels of maturity in their own security practices. Without shared expectations and a unified framework, individual resilience will never translate into ecosystem resilience. The new provisions for faster incident reporting and enhanced enforcement powers are therefore meaningful steps towards creating a more transparent and accountable operating environment. They encourage collaboration, raise the collective bar and help ensure that weaknesses cannot be hidden within the less visible layers of the digital infrastructure.

Resilience requires more than regulation

However, true cyber resilience cannot be guaranteed by regulation alone. It must become embedded within organisational culture. Some businesses are still not fully compliant with GDPR despite its introduction seven years ago. Compliance, by itself, does not create resilience. 

It is the minimum threshold, not the desired state. The new bill risks becoming another set of obligations that organisations react to rather than a catalyst for genuine transformation. The success of the legislation will depend on whether businesses choose to act now to strengthen their security posture or wait until the obligation becomes unavoidable.

Cyber resilience is ultimately about safeguarding the data, systems, people and partnerships that underpin both economic stability and public trust. The bill sends a clear message that resilience is no longer a matter of choice but a shared responsibility. Those who begin preparing today will be best placed to thrive in a future where cybersecurity is not an operational consideration but a fundamental requirement for sustainable growth.

Automate compliance. Simplify security. Demonstrate trust. Vanta is the industry’s first Trust Management Platform. We automate GRC workflows and centralise security program management to give growing companies a fast, frictionless way to get compliant, stay secure, and earn and maintain the trust of vendors and customers alike.

Streamline your ISO 27001 certification process. Considered the international gold standard for information security management, ISO 27001 is essential for companies looking to kickstart their next phase of growth across Europe and other global markets.

28th July 2025, Newbury

Cyberfort announced today that it has joined the Managed Service Provider (MSP) Partner Program of Vanta, the leading AI trust management platform. The program enables partners to grow their business and deliver more value to their clients by transforming trust into a marketable advantage.

Vanta is the leading trust management platform that helps simplify and centralise security and compliance for organisations of all sizes. Over 12,000 companies, including Atlassian, Duolingo, Icelandair and Ramp, rely on Vanta to build, maintain and demonstrate their trust, all in a way that’s real-time and transparent.

Cyberfort will be using the Vanta platform to supplement its market-leading Governance, Risk and Compliance (GRC) consultancy services. The GRC services Cyberfort provides enable organisations to make sure they are compliant with key regulatory frameworks including ISO 27001, ISO 42001, DORA, GDPR, NIST CSF 2.0 and SOC 2.

Glen Williams, Cyberfort CEO, commented:

“Many organisations are facing skills gaps and effective process management challenges in relation to Governance, Risk and Compliance. With data protection regulations evolving, governance becoming more complex and security compliance with industry standards crucial to a business’s success, organisations need access to the right skills, platforms and processes. We are delighted to be partnering with Vanta. The Vanta and Cyberfort partnership brings together two experts in their field, with a perfect match that complements each other’s services. The Vanta platform with its automations, integrations and prebuilt frameworks alongside our accredited consultants will enable our customers to efficiently manage Governance, Risk and Compliance processes both today and in the future.”

Elliot Goldwater, SVP of Sales and Partnerships, Vanta, said:

“We’re thrilled to welcome Cyberfort to our MSP Partner Program, which offers the fastest and simplest approach to continuous security monitoring and automated compliance for managed service providers.”

“By putting Vanta’s market-leading AI trust management platform as the cornerstone of their security managed service offering, Cyberfort can expand their clients’ security while building their own competitive advantage.”

At the foundation of the MSP Partner Program is Vanta’s trust management platform, which simplifies and centralises security program management by providing full visibility into an organisation’s risk. Vanta enriches those findings with contextual data, and helps organisations remediate issues and track progress as a single source of truth for their security posture. Vanta’s MSP Partner Program features a multi-tenant management console, world-class partner support and flexible billing integration, making it seamless for partners to deliver value to their clients while scaling up their business. For more information about Vanta’s MSP Partner Program, visit: https://www.vanta.com/msp.

Vanta’s Service Provider ecosystem strengthens customers’ security posture by partnering with the most prominent virtual Chief Information Security Officers, managed security service providers, and advisory/consulting firms. With Vanta as their foundational tool, partners are able to offer an expansive breadth and depth of security offerings, increasing overall client satisfaction.

Cyberfort is an all-encompassing Cyber Security services provider. We are passionate about the cyber security services we deliver for our customers which keeps their people, data, systems and technology infrastructure secure, resilient and compliant. Over the past 20 years we have combined our market leading accreditations, peerless cyber security expertise, strong technology partnerships, investment in our future cyber professionals and secure locations to deliver a cyber security experience for customers which enables them to achieve their business and technology goals in an ever-changing digital world.

Glen Williams at Cyberfort describes five ways to elevate security measures beyond the UK’s Cyber Essentials Plus security standard

While cyber-security could hardly rank higher as a boardroom priority, there is potentially a greater risk on the cyber-security agenda. Friction among leadership appears to be creating a gap between the lack of a CISO or cyber-security representative at board level and the high cyber-security risks businesses face. This cavalier approach may in itself weaken cyber-defences and leave companies wide open to successful breaches.

In fact, the UK Government’s Cyber Security Breaches Survey 2025 reflects a reduction in specialist cyber-security representation on boards, to the extent that board-level responsibility for cyber-security at company-director level has decreased from 38% to 27% over the last four years. But with almost three-quarters (72%) of business respondents seeing cyber-security as a ‘high priority’, there is a clear disconnect between the board responsibilities required and cyber-security reality.

This is likely the reason for the low average CISO tenure being estimated at 18 to 26 months, according to the CISO Workforce and Headcount 2023 Report from Cybersecurity Ventures.

The UK Government cyber-security breaches report also tells us that current threat levels for UK businesses remain high, with as many as 43% of businesses and three in ten charities experiencing some kind of cyber-security breach or attack in the last 12 months. Being targeted is inevitable, and security teams must plan for a successful breach.

Cyber-security complacency at board level

With more CISOs stepping away from the boardroom, and in an increasingly active and intelligent cyber-threatscape featuring ransomware and highly targeted social engineering attacks, it’s likely that their board director peers aren’t qualified to step up to the ownership of cyber-security responsibilities.

There is clear evidence of the need for information security representation at board level. Research by the World Economic Forum shows that those organisations that have strong executive involvement in cyber-security are 400% more likely to repel or rapidly recover from an attack.

In fact, Cyberfort’s own customer research has highlighted an alarming complacency – that many businesses consider a Cyber Essentials Plus (CE+) certification sufficient to keep their organisation secure and fulfil board requirements. As high-profile breaches continue to dominate the media agenda, this is a high-risk strategy.

Limitations of CE+

Cyber Essentials Plus is a Government-backed certification scheme recommended as the minimum standard of cyber-security for organisations. Cyber Essentials launched in 2014 to offer a self-assessment process for adequate protection. The CE+ certification requires the same protections, along with vulnerability testing which requires external auditing before a pass can be achieved.

CE+ covers five basic areas, which might at one point have been sufficient to counter cyber-risks: patch management, access control, malware protection, secure configuration, and boundary firewalls.

Yet one of the greatest shortcomings of the CE+ strategy is that it says nothing about real-time threat detection and response, which is essential for catching threats at the earliest stage. CE+ wasn’t designed to protect organisations against advanced persistent threats (APTs), targeted attacks, or the evolving techniques used by criminal groups, which are so prevalent today.

According to the UK Information Commissioner’s Office (ICO), over 80% of successful cyber-security incidents begin with phishing, yet CE+ has no requirements around simulated phishing or awareness training beyond general advice.

Five ways to elevate cyber-security protection

In taking the following cyber-security measures, security leaders will have the best chance of being protected in the event of a cyber-attack: 

Real-time threat detection and response
The use of Security Operations Centres (SOC), Security Information Event Management (SIEM) platforms, and Endpoint Detection and Response (EDR) are the most effective ways to counter a cyber-attack.

Phishing and social engineering resilience
This is the only way of outsmarting social engineering attacks where emails are highly personalised and look like they are coming from a known person.

Cloud and hybrid environment protection
CE+ still assumes a traditional network perimeter, ignoring many risks associated with modern SaaS, IaaS, and BYOD environments. The complexities of growing ecosystems are allowing vulnerabilities to grow.

Business continuity and incident response planning
Most remarkably, there is no requirement under CE+ to prove you can recover from a ransomware attack or data breach. Planning for the worst to occur is essential to fully understand potential risk.

Third-party and supply chain risk
As seen in recent high-profile breaches, attackers often exploit third party vendors or contractors to access their targets. As CE+ does not assess or govern these relationships, it’s up to each business to connect with its supply chain on relevant risks.

Consequences of gaps in protection

There are some serious risks associated with investing in and relying on CE+ alone. To start with, there are hefty fines payable for non-compliance, with the average ICO fine for a serious cyber-incident in the UK being £153,722 in 2024.

Insurers are also increasing demands, with some underwriters insisting on evidence of 24/7 monitoring and incident response plans to stay covered. Business partnerships are also becoming dependent on a company’s cyber-security posture, with rising expectations of ISO 27001 or sector-specific certifications such as NHS DSPT or PCI-DSS compliance.

The knock-on effects of a business’s reputational and financial damage can’t be ignored. According to Hiscox’s 2024 Cyber-Readiness Report, almost half (47%) of organisations struggled to attract new customers following a successful cyber-attack. A major UK-based systems integrator suffered a breach in 2023 that cost £25 million in recovery, fines, and lost business, despite having security certifications.

The impact on business operations can be extensive with far-reaching consequences. In 2024, the average ransomware incident led to 21-24 days of downtime and cost $2.73 million, according to NinjaOne.

Four key actions security leaders must take

Ultimately, information security decision-makers must take four key actions to ensure their organisation is secure, resilient and compliant:

  • Ensure board-level oversight of cyber-risk through regular briefings, KPIs, and executive ownership
  • Commission an independent cyber-risk assessment that goes beyond Cyber Essentials Plus
  • Invest in detection and response capabilities – whether in-house or outsourced
  • Adopt a recognised security framework such as the NCSC’s Cyber Assessment Framework, NIST Cyber Security Framework (CSF) 2.0, or ISO 27001

Organisations must recognise that CE+ certification is not sufficient to counter today’s cyber-threats: it is only a baseline standard.

As threat actors are evolving faster than defences, cyber-security leaders and those who are responsible for cyber-security at board level, must have advanced detection capabilities to identify threats as they arise. This means elevating practices beyond CE+ and adopting new tools and measures that will maximise their defences, with proactive planning for a breach that can limit impact on the business, stakeholders, customers, employees and the supply chain, should the worst occur.

Moving forward as organisations navigate through the cyber-security world, one thing is clear. Cyber Essentials Plus is the beginning, not the end. By acting now, business directors and cyber-security teams can safeguard their organisations, protect stakeholder trust, and meet their obligations in an increasingly hostile threat landscape.

Cyber threats are evolving at an unprecedented pace, growing more sophisticated and harder to detect. In response, organisations are investing heavily in cutting-edge technologies, from firewalls and encryption to AI-powered threat detection systems. While these tools are essential, there is a growing tendency to rely too heavily on technology alone, overlooking a crucial element in the cyber security equation – people.

It is often said that humans are the weakest link in security, but this narrative is outdated and misleading. In reality, people can be the strongest line of defence, when they are properly trained, supported, and empowered. Cyber security is not just a technical challenge; it is a human one. The ability to recognise phishing attempts, follow secure practices, and respond swiftly to incidents often determines whether an attack succeeds or fails.

People are not the weakest link; they are the critical differentiator. At Cyberfort we believe it is time to shift the focus and invest in human resilience as much as technological strength.

Human Factor

According to the 2025 Verizon Data Breach Investigations Report (DBIR), approximately 60% of all confirmed breaches involved a human action, whether it was clicking on a malicious link, falling victim to social engineering, or making an error like misdelivering sensitive data. This statistic underscores a critical truth: while technology plays a vital role in cyber security, human behaviour remains a central factor in both risk and resilience. Rather than viewing people as the problem, organisations must recognise them as a powerful part of the solution. With the right training, awareness, and support, employees can become proactive defenders, identifying threats, reporting anomalies, and making informed decisions that technology alone cannot.

Culture and Behaviour

At the heart of a cyber resilient organisation is a culture that values open communication, psychological safety, and shared responsibility. These cultural traits shape the everyday behaviours that determine how effectively an organisation can prevent, detect, and respond to cyber threats.

Employees are encouraged to report risks, mistakes, and suspicious activity, not punished for doing so. This openness ensures that potential threats are surfaced early and addressed quickly. Silence, often driven by fear of blame, is replaced with transparency and trust.

Mistakes are treated as learning opportunities. By shifting from a blame culture to a learning culture, organisations empower employees to speak up, share insights, and continuously improve. This mindset fosters resilience and agility in the face of evolving threats.

Cyber security is seen as everyone’s job, not just IT’s. When employees understand how their actions impact the organisation’s security, they are more likely to adopt secure behaviours and support one another in doing the same.

Human Judgement vs Tech

Even the most advanced AI systems cannot replicate human intuition. While automated tools are essential for detecting known threats at scale, they often lack the contextual awareness and critical thinking that trained employees bring to the table. A vigilant team member who questions a suspicious email or flags unusual behaviour can catch what algorithms might overlook. Their ability to escalate concerns quickly can mean the difference between a contained incident and a full-scale breach.

Humans provide reasoning, context, and prioritisation, qualities that machines cannot fully emulate. Cyber resilience is not just about identifying threats; it is about balancing risk, cost, and operational impact. These are nuanced decisions that require human understanding and judgment.

Technology is powerful, but it is people who make it effective. Empowered employees are not just part of the defence; they are the heart of it.

Cross Functional Collaboration

Cyber resilience is not the sole responsibility of the IT or security team; it is a shared effort that spans the entire organisation. Building a truly resilient posture requires cross-functional collaboration, bringing together departments like HR, Legal, Communications, Risk, and Operations. Each team plays a unique and vital role in preparing for, responding to, and recovering from cyber incidents.

• HR ensures that security awareness is embedded into onboarding, training, and culture.
• Legal helps navigate regulatory obligations, breach notification requirements, and liability concerns.
• Communications manages internal and external messaging during a crisis to maintain trust and transparency.
• Operations and Risk assess business impact and coordinate continuity plans.

One of the most effective ways to strengthen this collaboration is through crisis simulations and tabletop exercises. These simulations test not just technical responses, but decision-making, communication, and coordination across teams, turning theory into practice and exposing gaps before real threats strike.

Leadership

Leadership and management play a pivotal role in shaping an organisation’s cyber resilience culture. When leaders actively model good security behaviour, such as using strong passwords, reporting phishing attempts, and following data protection protocols, they send a powerful message – cyber security is everyone’s responsibility. Their actions set the tone from the top, influencing how employees perceive and prioritise security in their daily work.

This leadership commitment must extend to the board level, where cyber security is treated as a strategic business risk, not just a technical issue. Board-level accountability ensures that resilience is embedded into governance, risk management, and long-term planning. When directors ask the right questions and demand regular updates on cyber posture, it reinforces the importance of security across the organisation.

Buy-in from management is not just symbolic; it is strategic. Leaders must champion resilience initiatives, allocate resources for training, and integrate cyber security into broader business goals. They also play a key role in setting behavioural norms, reinforcing secure practices through communication, recognition, and consistent example.

When leadership leads by example, from the boardroom to the front line, cyber resilience becomes part of the culture, not just a compliance checkbox.

From Theory to Practice

Organisational Resilience

A well-trained workforce is not just a support function; it is a frontline defence and a cornerstone of cyber resilience. True resilience is achieved when cyber security is embedded into the values, behaviours, and everyday actions of everyone in the organisation, not just the IT or security teams. This means cultivating a culture where security is second nature, from how emails are handled to how data is shared and stored.

Embedding this mindset requires more than annual training modules. It involves ongoing education, leadership buy-in, and visible reinforcement of secure behaviours. For example, Microsoft has implemented a company-wide security culture program that includes regular phishing simulations, gamified learning experiences, and executive-led security briefings. These initiatives are tailored to different roles and risk levels, ensuring relevance and engagement across the board.

The result? Employees become active participants in defence, spotting threats early, responding appropriately, and reinforcing a culture of vigilance and accountability.

Engaging Training

Cyber security training must go beyond the traditional “check-the-box” approach. To be effective, it needs to be engaging, relevant, and continuous. This means using storytelling, real-world scenarios, interactive simulations, and up-to-date threat examples that resonate with employees’ daily experiences. When training is relatable and dynamic, it not only captures attention but also builds lasting awareness and practical skills.

Effective training empowers staff to detect and respond to threats quickly, reducing the risk of breaches and enabling them to contribute to the development and safe use of new technologies. It also fosters a culture where security is seen as a shared responsibility, not just an IT concern.

A standout example is Google’s Security and Privacy Training Program, which uses gamified learning, phishing simulations, and scenario-based exercises tailored to different roles. Employees are regularly tested with real-time challenges, and the program evolves with emerging threats, keeping security top of mind and skills sharp.

Recognition and Reward

Recognising and rewarding good cyber security behaviour is a powerful way to reinforce a culture of resilience. When employees feel that their efforts to stay secure are noticed and appreciated, they are more likely to remain vigilant and engaged. Celebrating individuals or teams who demonstrate strong cyber hygiene, such as reporting phishing attempts, following secure data handling practices, or contributing to awareness initiatives, helps normalise and encourage these behaviours across the organisation.

Recognition does not have to be complex. It can range from shout-outs in team meetings and internal newsletters to formal awards or incentives. The key is consistency and visibility.

A best practice example comes from an American company called Salesforce, which runs a “Security Champions” program. Employees across departments are nominated for their proactive security efforts and receive public recognition, exclusive training opportunities, and branded rewards. This not only boosts morale but also builds a network of internal advocates who help spread security awareness organically.

By celebrating the right behaviours, organisations reduce human error and strengthen their first line of defence, their people.

Review and Response

Cyber security is most effective when it is treated as a shared responsibility, not just an IT function. One of the most impactful ways to reinforce this is by regularly collecting feedback from employees on what is working, what’s unclear, and where improvements are needed. This two-way dialogue encourages ownership, reinforces learning, and helps build a culture of vigilance and continuous improvement.

Feedback mechanisms can include anonymous surveys, post-training evaluations, suggestion boxes, or open forums during team meetings. The key is to act on the feedback, showing employees that their insights lead to real changes.

A best practice example comes from a UK company called PwC, which integrates cyber security feedback loops into its broader risk culture program. After simulations or incidents, employees are invited to share their experiences and suggestions. This feedback is then used to refine training, update policies, and improve response plans. The result is a more engaged workforce and a security strategy that evolves with real-world input.

By listening to employees and responding meaningfully, organisations not only improve their defences but also foster a sense of collective responsibility and trust.
