This episode dives deep into UK Supply Chain Cyber Security, a critical and often overlooked area in today's digital world.

So, what exactly is it? It's about securing the entire network of external partners, suppliers, and third-party services that your business relies on. Imagine your company as only as strong as its weakest link. In the UK, this is more urgent than ever: supply chain cyberattacks surged by a staggering 431% between 2021 and 2023. Despite this growing threat, shockingly few UK businesses formally review risks from their immediate suppliers (only 14%) or their wider supply chain (just 7%). The financial impact is immense, costing the UK economy an estimated £27 billion annually.

Our understanding of supply chain cyber security has evolved significantly beyond mere data protection. While preventing data breaches remains vital, the new reality focuses on operational resilience. This means ensuring your suppliers remain functional and can continue delivering critical services, even if they suffer a cyberattack themselves. Recent high-profile incidents, like the 2024 Synnovis ransomware attack which disrupted NHS services, starkly illustrate how a supplier's compromise can halt critical operations, affecting everything from pension payments to patient care. The goal is no longer just to avoid losing data, but to guarantee your ability to operate smoothly.

The easiest and most effective way for firms to manage this complex supply chain security is by asking for certifications from their suppliers. Cyber Essentials has emerged as the cornerstone of the UK's strategy, a government-backed scheme defining five fundamental technical controls that protect against the majority of common cyberattacks. It's not just a recommendation; it's rapidly becoming a critical business requirement, with major UK banks like Barclays and Lloyds Banking Group now expanding Cyber Essentials requirements across their supply chains. This streamlines due diligence, raises minimum standards across the economy, and has been proven to work: one firm, St. James's Place, saw an 80% reduction in cyber incidents after requiring 2,800 suppliers to achieve Cyber Essentials Plus.

Need help with Cyber Security?

Speak to Cool Waters Cyber - NCSC assured Cyber Advisors and Cyber Essentials experts - www.cool-waters.co.uk

What You'll Learn from This Episode

Trish and Tom from Cool Waters Cyber break down the 2025 Cyber Security Breaches Survey findings to help UK financial services leaders understand their current risk landscape and improve their cyber defenses.

Critical Insights for Business Leaders

Your Risk Profile is Higher Than You Think

• 74% of large businesses and 67% of medium businesses experienced cyber incidents
• Finance and digitally intensive sectors face elevated risks
• Ransomware attacks have doubled, now affecting 1% of all businesses (19,000 organizations)

Phishing Remains Your Biggest Threat

• 85% of breached businesses were hit by phishing attacks
• Even failed attempts drain significant staff time
• AI-enhanced scams are making phishing more sophisticated and harder to detect

Financial Impact Can Be Severe

• Average breach costs range from £1,600 to £8,260 depending on severity
• Cyber-facilitated fraud averages £5,900 per incident
• Repeat attacks are common—affected businesses face an average of 30 incidents annually

Key Action Items

Strengthen Board Accountability

• Only 27% of businesses have a board member explicitly responsible for cyber security
• Finance sector performs better (57%) but still has room for improvement
• Make cyber security a standing board agenda item

Improve Incident Response Preparedness

• Just 23% of all businesses have formal incident response plans
• Only 39% of affected businesses report incidents externally
• Develop and regularly test your incident response procedures

Implement Proven Frameworks

• Use the UK Cyber Governance Code of Practice's five principles as your foundation
• Consider IASME Cyber Assurance for comprehensive governance alignment
• Start with Cyber Essentials for essential technical controls

Bottom Line

The episode demonstrates that while cyber threats are intensifying, businesses with structured governance and incident response capabilities are better positioned to minimize impact. The key is moving from reactive to proactive cyber security management through proven frameworks and clear board-level accountability.

Next Steps: Assess your current cyber governance against the five principles, ensure you have formal incident response plans, and consider certification standards like Cyber Essentials or IASME Cyber Assurance to systematically strengthen your defences.

Need help with Cyber Security?

Speak to Cool Waters Cyber - NCSC assured Cyber Advisors and Cyber Essentials experts - www.cool-waters.co.uk

Implementing the UK Cyber Governance Code of Practice with IASME Cyber Assurance

In this episode, we discuss the crucial topic of cyber governance for business leaders. With 74% of large businesses and 70% of medium businesses in the UK experiencing a cyber breach in the past year, boards are now clearly expected to lead on cyber risk. In response, the UK government (via DSIT and NCSC) has introduced the voluntary Cyber Governance Code of Practice to guide boards and directors.

The Code distils five key principles for effective cyber governance: Risk Management, Strategy, People, Incident Planning & Response, and Assurance & Oversight. However, implementing these practices can be a challenge.

Our deep dive focuses on a pragmatic roadmap to implement the Code: the IASME Cyber Assurance standard. Formerly known as "IASME Governance", this government-backed standard is comprehensive yet accessible, developed with UK government support as an alternative to more complex standards like ISO/IEC 27001.

Using IASME Cyber Assurance to implement the Code offers several benefits:

• Integrated Approach: It delivers both the Cyber Governance Code's requirements and the technical controls of Cyber Essentials in one unified effort, avoiding duplicate work.

• Structured Guidance: IASME provides detailed guidance, templates, and a structured question set to lead you through implementing controls, so you don't have to "reinvent the wheel".

• Comprehensive Coverage: The standard covers technical controls, risk management, data protection (like GDPR), and regulatory compliance.

• External Assurance: It culminates in an independent certification, providing tangible proof to stakeholders that your cyber governance meets a national standard.

Learn how following a structured roadmap using IASME can help organisations achieve significant cyber maturity relatively quickly, often within ~3–6 months to certification.

Implementing these steps can be challenging, which is why partnering with an NCSC-accredited Cyber Advisor can be invaluable. Advisors, like our sponsor Cool Waters Cyber, provide expert gap analysis, hands-on remediation support, plain-English communication, project management, and certification liaison. They offer a clear, pragmatic roadmap and help streamline the process, ensuring you meet the standards effectively.

Cool Waters Cyber offers a comprehensive service to help boards implement the Cyber Governance Code of Practice. They provide tailored support backed by real-world experience and plain-English advice.

Ready to strengthen your cyber governance? Cool Waters Cyber can help your firm implement the new code.

Need help with Cyber Security?

Speak to Cool Waters Cyber - NCSC assured Cyber Advisors and Cyber Essentials experts - www.cool-waters.co.uk