Glen Williams, CEO of Cyberfort Group discusses why UK boards must lead with resilience, beyond compliance, to prevent costly breaches.
Infrastructure-level attacks
Despite growing investment in cybersecurity, many UK businesses remain critically exposed to infrastructure-level attacks.
They are under siege from state actors, criminal groups and opportunistic attackers exploiting any weakness.
Too many are operating under a concerning illusion of safety, believing being compliant means being secure.
But compliance is not resilience and ticking regulatory boxes is no defence strategy.
The biggest vulnerability is not always a firewall or an unpatched system.
Increasingly, it lies at the top. This is the boardroom blind spot – a disconnect between the perceived and actual state of cybersecurity in UK organisations.
Many underestimate the scale, sophistication and speed of cyber-threats.
The result? A slow drift toward crisis – costing money, reputations, operations and in some cases, the very survival of the business.
Leaders must ask the hard questions: If we were breached tomorrow, could we still operate? How fast could we recover – and at what cost?
From airports to automakers: The threat is escalating
Recent attacks on Jaguar Land Rover, major UK airport ransomware incidents and other critical infrastructure show no sector is immune.
Attackers are more organised, more aggressive and increasingly focused on large-scale disruption.
These breaches often succeed not because defences are absent, but because they are insufficient.
Many businesses still assume cybersecurity is ‘being handled’ by internal IT or third-party providers – often generalists, not specialists.
But when facing organised crime groups or state-sponsored actors, general IT skills fall short.
The analogy holds: No one would trust a nurse to perform brain surgery – so why expect an IT generalist to protect the core of a business against elite cyber-threats?
The numbers speak for themselves. Of the 2.7 million registered UK businesses, only around 51,000 meet Cyber Essentials standards.
So basic cyber-hygiene is still being overlooked. With critical infrastructure now a prime target, the stakes are rising fast. Cybersecurity must be led from the top, by boards.
Why compliance does not equal resilience
Regulatory compliance frameworks such as ISO 27001, GDPR, the upcoming UK Cyber Resilience Act and Cyber Essentials serve a valuable purpose.
They set minimum standards and enforce accountability, but structure alone is not protection.
Compliance does not mean a business can detect, respond to or recover from an attack.
In fact, many companies seriously breached in recent years were fully compliant – on paper – but not operationally ready.
It is entirely possible to pass an audit and still be breached the very next day.
Worse, compliance is often used as a proxy for resilience – but it is often a lagging indicator of risk.
True resilience means having expert-led, scenario-tested, continuously evaluated strategies that are regularly refined and adapted to new threats.
Anything less leaves businesses dangerously exposed.
What real cyber-resilience looks like
Cyber-resilience is not a product you buy nor a policy you publish.
It is the organisation’s ability to absorb shocks and continue operating with minimal disruption – even when under attack.
Resilience starts at board level. This includes recognising cybersecurity as a core business risk, as well as bringing in trusted partners, such as NCSC-assured consultancies, which can help prepare organisations before, during and after an attack.
Resilient businesses invest in more than software; they invest in strategy.
They rehearse their response so that when a breach inevitably happens, teams avoid losing time or capability.
Access to experts, such as virtual Chief Information Security Officers (CISOs) or specialist placements, supports stronger governance.
Resilience also means going beyond annual assessments to include regular threat modelling, red teaming and incident response drills.
Preparedness must extend across the entire organisation: Leadership, technical teams and non-technical staff alike.
At Cyberfort, resilience is defined not by how quickly companies recover, but by how little they lose in the process – whether that is trust, uptime, data integrity, capital or brand reputation.
Accountability cannot be outsourced
Cyber-risk is business risk – it impacts revenue, reputation, regulatory standing and long-term viability.
Yet this reality is repeatedly failing to land where it needs to: in the boardroom.
Too often, cybersecurity is viewed as technical – something IT should manage.
This mindset leads to underinvestment, poor response protocols and strategic blind spots in decision-making when it matters most.
Boards are responsible for resilience. Delegating without oversight, or mistaking compliance for readiness, is a dereliction of that duty.
Leaders must ask the right questions, challenge assumptions and ensure cybersecurity is embedded in strategic planning.
When cyber is ignored at the top, the entire organisation is left vulnerable.
To close the boardroom blind spot, leaders must first make cybersecurity a standing board agenda item – not as an operational update, but as a strategic risk discussion, treated with the same urgency as financial performance or operational risks.
Cybersecurity breaches can impact the balance sheet just as swiftly and severely as a major market event.
Second, boards must invest in education for directors.
While directors do not need to be technical experts, they must understand the business implications associated with cyber-threats.
Finally, success metrics must shift. Instead of measuring success by the absence of incidents, organisations should focus on the speed and effectiveness of detection, containment and recovery efforts.
Don’t wait for the crisis
The time of treating cybersecurity as an IT issue has long passed.
Cyber-risk now permeates every strategic decision – from M&A to supply chains.
The price of inaction is not theoretical – it is real and growing – just ask the companies that did not survive.
The fallout of recent breaches includes broken shareholder value, customer trust and long-term reputational damage that no insurance policy can undo.
Far too many businesses rely on generalist defences in a specialist threat environment.
Boards can no longer afford to sit on the sidelines.
Cybersecurity must be embedded into every strategic decision, not siloed as a compliance exercise.
The question is no longer if a breach will occur, but how well the organisation will be prepared to respond when it does.
Those who wait for the crisis to act will already be too late.