Wed, 1 July 2026
THEHOUSE

"We Are Very Exposed": How Should The UK Protect Its Economy From Cyber-Attacks?

A wave of crippling cyber-attacks on major UK businesses has raised questions about Britain’s economic security – and who is responsible for protecting it. Noah Vickers reports

Every few years, the UK government publishes a new edition of the National Risk Register, a document outlining the greatest potential threats to the country’s security and what their impact would be.

As with previous editions, 2025’s version contains all the hallmarks of disaster movies: a civil nuclear accident, chemical and biological warfare and the arrival of another pandemic all rank among the most catastrophic of the imagined scenarios. But over the years, the range of possible emergencies attributed to one particular threat has grown: cyber-attacks.

Cyber-strikes on gas and electricity infrastructure, fuel supplies, nuclear power stations, the health system, the transport sector and telecommunications are each thought to have a five to 25 per cent chance of occurring at least once every couple of years. Any such attack would cost hundreds of millions of pounds and, certainly in the case of the NHS, lost lives too.

The National Cyber Security Centre (NCSC) warns it has dealt with a record 204 ‘nationally significant’ cyber-attacks in the year to September, up from 89 in the previous 12 months. It has advised organisations across the country to ensure they keep physical, paper copies of any contingency plans in the event that their IT systems are breached.

Yet the highest-profile attacks this year have not been on public infrastructure but on some of Britain’s largest and most recognised companies, raising questions about how much oversight the government should have over the private sector to safeguard the nation’s economy.

 The Co-op and Marks & Spencer were hit within days of each other in April, followed by Jaguar Land Rover (JLR) in August. The damage caused to each of them – particularly for JLR and its complex web of affected supply chains – has prompted suspicion that hostile states like Russia could be behind them. The Telegraph reports that this is being considered as an active line of enquiry by the NCSC.

“We are seen as a country that certain nations wish to damage – and that’s, I think, partly driven by the tactics of intimidation, because we’re proving to be an irritant to certain countries in the political stances we’ve taken globally,” says Matt Western, chair of Parliament’s Joint Committee on National Security Strategy.

“Businesses and organisations, the public sector – we should recognise that we are very exposed and that we need to tighten up and change the culture of how we view this threat.”

Given that the government has made economic growth its number one mission, should businesses of a certain size be required to put in place a minimum cybersecurity standard?

“We are going to have to have a very close look at this in the context of national resilience,” says Western.

The Labour MP for Warwick and Leamington points to the days of disruption seen at Heathrow and other European airports after another recent attack on Collins Aerospace, a software provider used by airlines for their baggage and check-in systems.

“It’s a private company, but it’s the small widget in a software system which, if brought down, has massive consequences for the rest of the economy, and therefore there is a responsibility that goes with that…

“There has to be some degree of oversight by government, and that’s why I’m particularly interested by the Cyber Security and Resilience Bill that’s coming forward, in terms of what that might mean for the UK.”

The bill, announced in last year’s King’s Speech, has been hit by delays – most recently thought to have been caused by the Cabinet reshuffle. No update has been issued since the publication of a policy statement in April this year.

Rather than directly affecting businesses, however, the bill will instead place new duties on managed service providers (MSPs) – the firms that provide IT services to companies on an outsourced basis.

One such firm is Tata Consultancy Services (TCS), which counts the Co-op, M&S and JLR among its customers, and which previously said it would conduct an internal probe into whether it was a vector for the M&S attack. The IT giant subsequently insisted that no TCS systems or users were compromised.

“There is a limit on what government reach should look like,” says Western, “but I think there has to be an understanding between government and providers about what security is being provided through businesses, where it potentially has a significant impact on UK PLC.”

At the end of September, the government announced it would underwrite a £1.5bn loan guarantee for JLR. But there remain questions over how a company of JLR’s size came to be so exposed as to require that level of support. The business reportedly had no cyber-insurance at the time of the attack, while appearing to lack sufficient reserves to cover the disruption to its operations.

In light of this, the government has faced claims that its guarantee could set a concerning precedent, as other large firms may conclude that they can leave themselves in a similarly exposed position and rely on state support if the worst happens.

Western argues, however, that the support in this case was essential, as JLR occupies a unique position in Britain’s economy.

“The economic importance of JLR in terms of its contribution nationally to livelihoods and prosperity in towns and villages across our entire country – not just the Midlands – can’t be underestimated,” he says.

“It’s really striking that the complexity of the business, as I know it, means it is almost a special case, because the consequences of this attack are being felt in far corners of the land. 

“There are very few businesses I would say that this could apply to… because of just how intricate the supply chains are in this sector.”

But he adds: “That’s not to say that I’m sure government won’t be wanting to have more oversight of what is happening amongst some of these major businesses, to ensure that they’re doing the utmost to protect themselves.”

The balancing act for ministers will be in how to exercise that oversight while still allowing companies to make their own decisions about how to manage their business. When does a company become large enough for its success or failure to start making a material difference to the UK economy? And once it has become large enough, should responsibility for its resilience remain solely in the hands of that firm?

“You have a constant responsibility challenge, because there are so many different players across the value chain,” says Katharina Sommer, head of government affairs at information assurance firm NCC Group.

“Responsibility for cyber [security] is massively fragmented and confused, and that makes it really easy for any part of that value chain to drop away.”

In addition to the forthcoming bill, Sommer has welcomed the government’s commitment to publish an updated edition of the National Cyber Strategy by the end of this year.

“But we still need to address that issue of responsibility,” she said during a panel event at this year’s Conservative Party Conference. “We need to be very clear who is ultimately responsible and who will pay the price if things go wrong.

“We need to solve the issue of incentives, and how we create the right incentives for the right parts of the ecosystem and the economy, to take cyber seriously.

“That might mean mandating penalties for large organisations and more of a supporting hand for SMEs, for example. That might also mean placing greater obligations on technology suppliers to produce ‘secure by design’ software and technology products.”

Another idea may be found in the 2019 Brydon Review, which recommended that large companies publish resilience statements: structured, annual disclosures outlining how they prepare for and manage material risks, including cyber-threats.

“This proposal had broad political support at the time, including from current Cabinet ministers. Yet momentum has stalled,” wrote Lord Harris of Haringey and Baroness Neville-Jones, in a recent piece for The House.

Rob Elsey, chief digital and information officer at the Co-op, argues that ministers could also find ways of helping businesses keep their IT systems up to date, potentially in the form of tax incentives.

“Investing in new tooling and in removing legacy [systems] – that’s quite a costly exercise,” he tells The House. “Anything you can do to help make this an area which people choose to invest in is only going to be a good thing.”

The Co-op was relatively fortunate during its own attack earlier this year, Elsey explains, as its operations are “segmented” across a number of different zones, meaning that his team were able to isolate the threat and prevent it from installing any ransomware.

The scenario had been ‘war-gamed’ by Elsey and his colleagues in a series of exercises similar to those conducted by a government department, with a ‘bronze, silver and gold’ response framework. Yet despite their success in containing the threat, the Co-op estimates that the incident has precipitated a £120m hit to its profits across the year.

And while ministers urge businesses to follow best practice with cyber-hygiene, it could equally be said that the government should get its own house in order, as it remains unclear how many vulnerabilities exist across Whitehall’s own systems.

A report earlier this year by the Public Accounts Committee found that the Cabinet Office will miss its target of ensuring that government departments are cyber-resilient by the end of 2025. The report warned that ministers did not know exactly how many ‘legacy’ IT systems are in use across its estate, making it impossible to assess the level of risk they pose.

“Where there has not been the investment in government, we are vulnerable,” Western acknowledges.

“If you really want to take this seriously – as I and the committee will be wanting to impress upon the government – then you’re going to have to allocate more resource to it, and ensure that you keep ahead of the threat.” 
