Cyber security – or a lack of it – has dominated headlines throughout the second half of this year. The attack that halted production at Jaguar Land Rover was estimated to have caused losses of around £1.9bn to the UK economy, according to figures from the UK’s Cyber Monitoring Centre.

Many of JLR’s suppliers faced cash flow problems as a result, with some resorting to loans to sustain operations. Over 5,000 UK organisations were affected by the incident. The CMC described the attack as the most economically damaging cyber event ever recorded in the country, classifying it as a Category 3 systemic event on its five-point scale.

The incident came to light just before the UK’s National Cyber Security Centre revealed that the country had faced a record 204 “nationally significant” cyber attacks in the past year – an average of four a week. The figure, released in the agency’s annual review of cyber incidents, compares with 89 over the previous year.

Eighteen of the 429 incidents handled by the NCSC were classed as “highly significant”, meaning they had the potential to seriously disrupt essential services – a near 50% rise, and the third annual increase in this category. Many incidents involved advanced persistent threat actors linked to hostile states or capable criminal groups.

Nationally significant incidents are defined as those with the potential to affect the UK’s national security, economy or critical infrastructure. In an increasingly connected world, such critical infrastructure extends to cloud infrastructure, making the subsequent major Amazon Web Services outage even more alarming. While not a malicious attack, the outage, which disrupted a wide range of online services, including banks and telecommunications providers, illustrates the systemic risks posed by concentrated cloud provider dependencies, and the vulnerability of digital ecosystems to a single region or critical service failure.

It may not be the avoidance of service failure itself, or even the risk of customer data loss, that motivates the majority of UK businesses to address the risk, however, according to research carried out by Towergate Insurance. Instead, more than half of the UK businesses it polled fear reputational damage above all else following an attack, putting reputation as a concern ahead, even, of customer data loss (the greatest concern for less than a third of the companies polled), business or revenue loss (the priority for just 13%) – and even regulatory fines (identified by a mere 3% as the major driver).

The insurer said the findings, released to mark Cyber Security Month in October, underline the fact that cyber security has become a matter of credibility and brand integrity as much as technical defence. Others might argue that cyber security efforts may be failing because motivations are misplaced.

For essential public services, including healthcare, water providers, transport and energy, at least, the UK Government is hoping to change those motivations. Its latest digital security effort, the new Cyber Security and Resilience Bill, hopes to use regulation as a lever to strengthen national security and boost cyber protections for some of the country’s most essential services.

Under the proposals, medium-sized and large companies providing IT management, IT helpdesk support and cyber security to private and public sector organisations like the NHS will also be regulated for the first time. The new Bill explicitly brings cloud infrastructure, datacentres and managed service providers into scope, recognising that dependence on a small number of digital service providers creates systemic risks.

The legislation introduces fresh reporting requirements for cyber incidents, new powers for regulators to direct organisations to improve resilience, and provisions to designate critical suppliers whose failure could disrupt essential services. Time will tell if the regulation has the teeth to change how organisations – in particular nationally significant ones – think and act on cyber risk.

---