CyberUK 2026: Key Learnings from Glasgow

The UK government’s flagship cyber security conference returned to Glasgow last week for its tenth year – and if the conversations on the floor were anything to go by, the message from the NCSC and industry alike couldn’t be clearer: the bar is going up, and businesses that aren’t keeping pace are increasingly exposed.

The theme this year – The Next Decade: Accelerating our Cyber Defence – felt less like a conference slogan and more like a genuine call to action. Security Minister Dan Jarvis announced a £90 million government investment in cyber resilience, formally launched the Cyber Resilience Pledge, and named Cyber Essentials as a central pillar of the government’s response to growing threats to UK businesses. The conference highlighted the urgent need to speed up security measures in response to rapid technological advancements like AI and increasing nation-state-level threats.

Cyber resilience is a team sport

The session that stayed with me most wasn’t about technology. It was about people. The message was straightforward: understanding how your organisation would actually respond to a serious cyber attack is more important than most businesses realise – and the only way to find out is to test it.

Tabletop exercises and practice came up repeatedly. Not as a compliance checkbox, but as a genuine diagnostic tool. Run one well and you quickly discover things like: if the business had to go to 24/7 shift working in order to work on containment and recovery, do you have three people who can work in rotation with the knowledge and specialism to complete a specific task? In a lot of organisations, the honest answer is no. Should that one person who knows how to recover system backups have to work 24 hours a day for 14 days straight, or do you look at how that knowledge can be documented and transferred to at least another three people?

The point being made wasn’t that technology fails you in a crisis – it’s that people and processes do. Everyone in a business has a role to play in resilience, and most businesses haven’t worked out what those roles are until it’s too late.

Where should businesses actually be spending their money?

The second thing that stuck with me was a blunt look at where attacks are actually coming from. NCSC CEO Richard Horne noted that frontier AI is already enabling the discovery and exploitation of existing vulnerabilities at scale, exposing where cyber fundamentals are still missing.

But the most striking statistic of the day wasn’t about AI. It was this: 45% of ransomware claims are the result of VPN compromise, and just over 20% come from Remote Desktop vulnerabilities. For sectors like Energy, where VPNs and RDP are the dominant methods of remote access, those numbers are alarming.

The recommendation that followed was practical and cost-effective. If you’re deciding where to invest first, MFA and Zero Trust remote access architecture are the answer. Not because they’re fashionable, but because they directly address the two methods attackers use most often. You don’t need to boil the ocean. You need to close the doors that are being kicked in the most.

What this means in practice

At Bedroq, this conversation reinforces what we already tell our clients: the fundamentals matter more than the sophisticated stuff. MFA, patching, access controls, Cyber Essentials – these aren’t boring. They’re the difference between a near miss and a front-page incident. With the government now formally tying Cyber Essentials to supply chain requirements through the new Pledge, organisations that haven’t taken certification seriously are going to find themselves squeezed from both above and below.

If anything about what you’ve read resonates with you and you want to talk about it, please get in touch. I’d be glad to help.

Michael Crabtree,
CISSP, ACIIS, Senior Technical Architect