Jill Broom, Head of Programme, Cyber Resilience at techUK, explains why strengthening defences across the wider economy is vital to safeguarding public services
The government wrote to all FTSE 350 companies urging them to ‘make cyber resilience a board-level responsibility’. This came in the wake of – as the National Cyber Security Centre’s (NCSC) Annual Review 2025 highlighted – a record number of ‘nationally significant’ cyber-attacks hitting the UK in the past year, including several high-profile incidents which seriously disrupted the operations, and significantly impacted the finances, of national stalwarts such as Marks & Spencer and Jaguar Land Rover. We know, therefore, that cyber resilience must be improved across the wider economy – but why does this matter for public sector security?
The interconnected reality
In our increasingly connected world, digital threats are escalating in scale and sophistication, so no sector can afford to operate in isolation. Indeed, the NCSC’s Review set out that ‘the UK’s cyber security is a shared responsibility’. And, in addition to being a critical business and growth enabler, strengthening cyber defences across the wider economy is a key driver in safeguarding our public sector.
Public services rely on an extensive network of third-party suppliers and digital service providers. If one of those suppliers is compromised, the cyber risk doesn’t just fall within the bounds of that organisation. Last year’s Synnovis ransomware attack was a stark example of this. The attack on the pathology services provider resulted in NHS patient data breaches, but it also left hospitals and GP surgeries in London unable to use essential systems for processing blood tests, forcing the cancellation of many patient appointments.
Another example of our interconnected reality is that the UK’s critical national infrastructure (CNI), including our telecommunications networks and energy grids, is often privately owned, but it is integral to delivering public services. Strengthening cyber resilience across these sectors will help prevent systemic failures and ensure the continuity of emergency frontline services. More broadly, it will help to reduce national-level cyber risk.
Perception and trust are interlinked, too. When businesses demonstrate strong cyber security and resilience, public trust in digital systems increases – and this will be critical if our public services are to seize the opportunities that technology can offer citizens… not least when it comes to Digital ID.
This is the backdrop against which the government is introducing the Cyber Security and Resilience Bill because, while cyber resilience is a collective responsibility, legislation has a key role in enhancing it and driving accountability.
One of the Bill’s measures will bring private companies that are attractive targets for threat actors – including Managed Service Providers which offer core IT services to businesses and organisations – into the scope of the UK’s cyber security regulatory regime that helps safeguard our CNI. As well as increasing their accountability, these suppliers will need to focus on being prepared for an attack by implementing robust security controls, clear and documented security postures and strong backup and recovery processes.
While sectors such as manufacturing and retail remain out of scope for now (this could change in the future with the Bill’s new Delegated Powers measure), bringing some of their critical suppliers under the regulations’ remit should help to boost their resilience. However, per the FTSE 350 letter, government is also calling on organisations to follow its lead and require suppliers to meet Cyber Essentials standards. Embedding these foundational security requirements across the economy will also help to protect public services from disruptions that can impact service delivery or increase costs.
Recovery plans are a must
The disruption caused by recent cyber-attacks and their knock-on effect on the economy have sharpened the focus on the fact that cyber resilience – including the ability to recover from an attack – is just as important as having robust cyber defences in place. Continuity plans follow on from what we all now know – it’s not a matter of if but when organisations fall victim to a cyber-attack.
A key emphasis in the NCSC’s Review was the plea to rehearse how to respond to significant incidents and have hardcopy response plans, to help ensure continuity of operations without critical IT and the quick rebuilding of that IT. Further, one of the five principles of the Cyber Governance Code of Practice referenced in the FTSE 350 letter is Incident Planning, Response and Recovery. Cyber-attacks on financial institutions, logistics operators, or manufacturers that cause significant harm have the potential to affect public finances if recovery isn’t swift. If government incurs costs through supporting disrupted industries, the funding and resources available for essential services like healthcare could be reduced.
A strong cyber sector is good for our public services
The designation of cyber security as a ‘frontier technology’ in the UK’s Industrial Strategy Digital & Technologies Sector Plan is a significant development; as is the recent publication of the Cyber Growth Action Plan which builds on the Strategy, recognising the ‘virtuous cycle’ where growth in the cyber sector enhances national resilience, and resilience in turn fuels innovation and economic expansion across all sectors.
By promoting this growth and fostering a stable environment for cyber investment and innovation, we can keep pace with evolving threats and secure evolving technologies. If we don’t keep innovating in this space, all sectors will be vulnerable to threat actors, and they won’t be able to reap the benefits technology delivers. Furthermore, the strength of the UK’s cyber industry bolsters our defence and intelligence partnerships with close allies.
Collaboration is critical for success
Historically, cyber resilience hasn’t been prioritised enough, leaving the whole economy exposed. But we can change this, especially while the impacts of recent attacks are front of mind. Indeed, as the NCSC’s Review says – ‘It’s time to act’.
The UK has a strong public–private partnership when it comes to tackling cyber threats and enhancing digital resilience; for example, industry works with the NCSC to deliver a whole-of-society response through programmes such as Industry 100. Public sector cyber resilience relies upon real-time threat intelligence sharing with industry as well as a collective incident response, ensuring faster threat detection, better coordination during incidents and a stronger national security position. We must continue to nurture this partnership.
The government’s letter to the FTSE 350 outlined some clear actions, but (collectively) we can do more to raise awareness of the support already available for organisations – including signposting NCSC guidance and toolkits such as the Cyber Security Board Toolkit and the Cyber Action Toolkit for SMEs. And we can ask more of our suppliers to incentivise the broader economy to prioritise cyber resilience, providing organisations with practical examples of how to do this.
techUK’s Cyber Resilience Programme works closely with our members who’re engaged in mitigating the ever-evolving cyber threat, amplifying key messages about cyber resilience. As such, there is a wealth of useful thought-leadership articles, research and reports from our members accessible on the techUK website – topics range from the threat landscape and cyber policy, to preparing for the post-quantum age and harnessing emerging technology in cyber defence.
I would encourage all organisations to collaborate with techUK’s members on achieving the asks in government’s letter and, more broadly, in taking cyber resilience seriously. By sharing best practice on matters such as supply chain security and knowledge about threats and mitigating measures, we can improve the cyber resilience of the entire economy – and, ultimately, better protect our essential public services.