The UK is tightening cyber laws, but attackers are already inside the system
The scale of the threat facing UK businesses and public services is no longer a warning about the future; it is the present.
The NCSC's 2025 Annual Review recorded a 50% rise in highly significant cyber incidents, the third consecutive year of such a rise, with the agency managing the equivalent of one serious attack every two days. In the past year alone, 43% of UK businesses reported a breach or attack, equivalent to around 600,000 organisations.
Against that backdrop, the government's Cyber Security and Resilience Bill is a serious and overdue response. The government's own words are striking: the existing laws, last updated in 2018, have "fallen out of date and are insufficient to tackle the threats faced." That candour, at least, is welcome.
But welcome is not the same as sufficient. The Bill's gaps are real.
When M&S and Jaguar Land Rover both suffered damaging attacks in 2025, neither fell within the Bill's scope. Proposed bans on ransomware payments were quietly dropped, and the phased implementation through secondary legislation means the armour goes on slowly, while the attacks most certainly do not wait. The ambition is right. The execution still leaves exposure.
The deeper problem, however, is cultural, not just legislative. Security cannot be siloed. Every organisation that touches a critical service, however small, carries a share of collective responsibility for the resilience of the whole supply chain.
There is a clear disconnect between confidence and capability. While 94% of organisations believe they could effectively detect, respond to and recover from a major incident, in practice teams achieved only 22% decision accuracy and took an average of 29 hours to contain an incident.
That gap leaves organisations dangerously exposed. An incident that is not contained quickly cascades disruption across supply chains, halts services people rely on and, in some cases, poses a risk to public safety.
Boards must treat third-party cyber risk with the same urgency as financial risk and they must actively map and mitigate the gaps in their supplier networks.
A small IT contractor with weak credentials, or an unpatched service provider, can become the door through which an entire sector is compromised. The Synnovis attack in 2024, which had a significant impact on patients across the NHS, proved exactly that.
In terms of security and defence, this is not a new strategic concept; it is an ancient one. Iran is not attacking US carrier groups in the Gulf. It is choking the Strait of Hormuz, a narrow waterway carrying roughly 20% of the world's oil, because that is where maximum disruption meets minimum resistance.
State-sponsored and criminal cyber actors apply identical logic. Why attack a hardened firewall directly when you can compromise the small contractor that services it? This is asymmetric strategy, the same principle that saw guerrilla forces outlast superpowers in Afghanistan by innovating faster and owning the narrative rather than fighting on the front lines.
The attacker's cost-to-impact ratio is extraordinarily favourable. The defender, focused on the perimeter, can sometimes find they are looking in the wrong direction.
The Bill's instinct to bring managed service providers and critical suppliers into scope is correct. However, the execution must go further. Baseline security standards need to be applied to the entire supplier ecosystem, not just those retrospectively designated as critical.
The indirect attack is already here and being actively exploited. Combating this threat requires regulation that thinks systematically in chains, not just perimeters, and an economy-wide security culture that doesn't wait to be told.
As Chatham House has warned, without that shift, the UK remains at risk of exactly the cascading crisis our adversaries are working to engineer.
Tom Exelby is the Head of Cyber at Red Helix
LBC Opinion provides a platform for diverse opinions on current affairs and matters of public interest.
The views expressed are those of the authors and do not necessarily reflect the official LBC position.