New Cyber Laws to help protect UK business
The UK Government is looking into new laws which will help protect businesses from cyber threats.
As part of the Plan for Change, the set of milestones the Labour Government hopes to achieve by the end of the current Parliament, the new Cyber Security and Resilience Bill aims to boost protection of supply chains and critical national services, including IT service providers and suppliers.
Secretary of State for Science, Innovation, and Technology, Peter Kyle, said: “Economic growth is the cornerstone of our Plan for Change, and ensuring the security of the vital services which will deliver that growth is non-negotiable.
“Attempts to disrupt our way of life and attack our digital economy are only gathering pace, and we will not stand by as these incidents hold our future prosperity hostage.
“The Cyber Security and Resilience Bill will help make the UK’s digital economy one of the most secure in the world – giving us the power to protect our services, our supply chains, and our citizens – the first and most important job of any government,” he added.
Billions lost to cyber threat each year
The UK economy loses billions to cyber threats each year and the disruption they can cause is another major issue.
Last summer’s attack on Synnovis, a company which provides pathology services to the NHS, saw thousands of appointments missed and cost around £32.7m. In the NHS trusts affected, the disruption saw five planned C-sections rescheduled, 18 organs diverted for use by other trusts, and 736 hospital outpatient appointments and 125 community outpatient appointments postponed.
Figures also show a hypothetical cyber-attack focused on key energy services in the South East of England could wipe more than £49 billion from the wider UK economy.
In the year to September 2024, the National Cyber Security Centre (NCSC) managed 430 cyber incidents, with 89 of these being classed as nationally significant – a rate of almost two every week.
The most recent iteration of the Cyber Security Breaches Survey also highlights 50% of British businesses suffering a cyber breach or attack in the last 12 months, with more than seven million incidents being reported in 2024.
The Cyber Security and Resilience Bill aims to ensure the vital infrastructure and digital services the country relies on are more secure than ever.
Jonathon Ellison, NCSC Director of National Resilience, said: “We are certainly seeing more frequent, sophisticated and intense hostile activity in UK cyberspace, and there is global evidence that critical systems make attractive targets for hostile states and malicious cyber actors.
“The NCSC is supportive of the additional measures under consideration that would give the UK some of the strongest protections in the world against advanced attackers targeting our Critical Network Infrastructure.”
As well as including the cyber defences the UK needs to meet the challenges of today’s cyber criminals, the legislation will also include measures enabling a swift response to any new threat which may arise in the future.
In order to do this, the Technology Secretary is being given powers to update the regulatory framework to keep pace with the ever-changing cyber landscape.
Existing UK regulations reflect law inherited from the EU and are the UK’s only cross-sector cyber security legislation. These have now been superseded in the EU and require urgent updating in the UK to ensure that the infrastructure and economy here are not comparatively more vulnerable.
If the proposals are adopted:
- More organisations and suppliers will need to meet robust cyber security requirements, including data centres, Managed Service Providers (MSPs) and critical suppliers. This means third-party suppliers will need to boost their cyber security in areas such as risk assessment to minimise the possible impact of cyber-attacks, while also beefing up their data protection and network security defences.
- Regulators will have more tools to improve cyber security and resilience in the areas they regulate, with companies required to report more incidents to help build a stronger picture of cyber threats and weaknesses in our online defences.
- The government would have greater flexibility to update regulatory frameworks when needed, to respond swiftly to changing threats and technological advancement. This could include extending the framework to new sectors or updating security requirements.
Cyber protections businesses need to implement
Because the most common cyber threats are relatively unsophisticated, businesses are advised to protect themselves through the use of a set of “cyber hygiene” measures.
These include updated malware protection, cloud back-ups, passwords, restricted admin rights and network firewalls.
However, there have been consistent declines in the use of some of these measures registered mainly in micro, small and medium businesses during the last three waves of the survey:
- use of password policies (79% in 2021, vs. 70% in 2023)
- use of network firewalls (78% in 2021, vs. 66% in 2023)
- restricting admin rights (75% in 2021, vs. 67% in 2023)
- policies to apply software security updates within 14 days (43% in 2021, vs. 31% in 2023).
A larger proportion of businesses take actions to identify cyber risks than charities. Larger businesses are the most advanced in this regard. Around seven in ten businesses (71%) and six in ten charities (62%) report that cyber security is a high priority for their senior management.
The survey also continued to see a pattern in awareness of cyber security, with larger organisations tending to treat cyber security more seriously, and consequently allocating more resources to it.
Of course, this doesn’t mean that large-scale organisations are immune to cyber-attack, as the recent ransomware threats against major UK retailers including M&S, Harrods and the Co-op demonstrate.
The survey also highlights that, for the first time, the majority of large businesses were also reviewing supply chain risks, although this is still relatively rare across organisations overall.
And the importance of looking at third-party supply chains was proven just this week when one of the suppliers to supermarkets including Tesco, Sainsbury’s and Lidl, Peter Green Chilled, said it was being threatened by a ransomware demand received via email.
Last year, a spate of cyber-attacks on supply chain providers saw sensitive data leaked or held to ransom from organisations including the Ministry of Defence, The Metropolitan Police, and a significant number of charities.
The NCSC, working with colleagues in the Department for Science, Innovation and Technology (DSIT), Non-Executive Directors (NEDs) and industry experts, has produced a package of resources to help boards meet the imperative to govern cyber security risks.
This is because ultimately, cyber security is a board-level responsibility.
How Veracity AI helps your business
To combat an ever-evolving threat, you need technology that’s prepared for the unknowns just as much as the known predators.
Our patented, AI-powered bot detection technology does just that. Small businesses work harder than anyone else to build reputation and deliver high levels of service — with limited time and budget.
But a single bot attack can cost you your hard-earned reputation, or your entire business. Veracity Web Threat Protection keeps your business safe, reduces wasted spend, improves customer experiences and gives you accurate information to grow.
Better still, the free tier can be set up in just five minutes.
Talk to us about how we can help you protect your business from cyber threats.