How are security teams preparing for AI-driven attacks?
Since ChatGPT's launch in late 2022, the world has seen a 4,151% increase in malicious phishing emails sent. That’s a lot of dodgy emails (and a lot more potential victims).
In mid-2025, shortly after Manchester’s CYBERUK conference, the cybersecurity sector is in a fascinating spot. Market revenue has climbed to £13.2 billion, job creation is booming with 6,600 new positions, and government initiatives are multiplying.
Yet UK businesses are still suffering cyber breaches (last year 43% of firms were victims of an incident). Ransomware attacks have doubled, and high-profile incidents at M&S, Co-op, and Harrods continue to expose fundamental vulnerabilities.
So, what’s really happening? It seems that not every pound spent on cybersecurity has delivered like it should have.
What’s actually happened since Manchester
The government has been busy in Spring 2025. The Software Security Code of Practice launched officially at the conference, the NHS fired off demanding letters to supplier CEOs about patching and multi-factor authentication, and £1.8 million in Cyber Local funding got allocated to address regional disparities.
The fallout from attacks on UK retailers continued, with the DragonForce / Scattered Spider incident still making headlines. Marks & Spencer’s online ordering was still down at the end of May (it was open for browsing only), with at least a month of web orders lost, and potentially £300m+ in recovery costs. Co-op started to recover systems and inventory was mostly back to normal, especially in rural stores that experienced the worst shortages.
Meanwhile, momentum continued on the upcoming Cyber Security and Resilience Bill. In April, the government gave further details, including its 24-hour incident notification requirements and the ongoing push for supplier accountability. These are positive steps, but they’re largely regulatory responses to problems that shouldn’t really exist in the first place.
The conference’s central message—that cybersecurity is “a contest” requiring resilience—has resonated widely. Richard Horne’s directive to “control the controllables” has hopefully started to sink in. But it’s troubling that we’re still talking about the same fundamental issues that should have been resolved years ago.
The elephant in the room: suppliers aren’t delivering
Let’s address something that didn’t get enough airtime at CYBERUK. The wave of recent attacks—from the coordinated phishing campaigns hitting Mailchimp and SendGrid to the retail sector breaches—reveals a pattern that goes beyond individual organisational failures.
These incidents often fall into the gap between infrastructure teams and cybersecurity providers. Infrastructure teams focus on keeping systems running; cyber teams focus on threat detection and compliance. When neither takes ownership of fundamental security hygiene, vulnerabilities stay open despite the money spent on fixing them.
As Simon Whittaker from Vertical Structure observed in his post-CYBERUK report, “cyber security is a team sport requiring collaboration.” Yet many organisations are paying premium prices for security services that operate in isolation from their core IT operations.
The result is expensive monitoring systems that alert you to problems but don’t prevent them, and compliance frameworks that look impressive on paper but miss critical blind spots.
What’s gaining traction (and what isn’t)
The resilience conversation has stuck. Post-conference discussions often emphasise preparation for “zero IT” scenarios (where all systems fail) and comprehensive business continuity planning. The realisation that recovery from major incidents can take months or years—even with decryption tools—has finally penetrated C-suite thinking.
Supply chain security is having its moment (again). The coordinated nature of recent attacks has made third-party risk impossible to ignore (it’s been a danger area for a long time, but too many organisations are still getting it wrong). The NHS’s supplier charter letter is the most concrete post-conference action, demanding immediate compliance with security baselines.
Unfortunately, legacy system risks remain largely unaddressed. Despite the revelation that 28% of the public sector’s IT estate consists of risky legacy systems, no systematic assessment programme has emerged. The parliamentary report called this “unacceptable,” but concrete action has yet to appear.
It’s also concerning that Cyber Essentials adoption isn’t as high as it should be. With only 35,000 UK organisations certified out of 5.5 million businesses—a 0.6% penetration rate—the government’s acknowledgment that current numbers are “nowhere near where we need to be” hasn’t translated into transformative uptake strategies.
The collaboration challenge
The conference emphasised that cybersecurity is fundamentally collaborative, needing enthusiastic cooperation between government, industry, and internal teams. In practice, this collaboration can often break down at the organisational level.
Consider the typical scenario: your cybersecurity provider identifies a vulnerability, your infrastructure team has competing priorities, and business leadership wants to understand the risk in commercial terms. Without clear accountability and integrated processes, issues linger in this organisational no-man’s land.
The solution isn’t more sophisticated detection tools or additional compliance frameworks. It’s ensuring that security responsibilities are clearly defined, adequately resourced, and genuinely integrated with operational processes.
What boards should be asking now
Post-CYBERUK, the critical questions have shifted from “Are we compliant?” to “Are we actually secure?”
Start with visibility. Do you have a complete understanding of your digital estate, including legacy systems and third-party connections? Can you track how quickly vulnerabilities get identified and remediated across all environments?
Think about your supplier relationships. Are your cybersecurity providers actively collaborating with your infrastructure teams, or operating as separate entities? When vulnerabilities are identified, who owns the remediation process and timeline?
Most importantly, challenge the assumption that spending = security. The median time to patch vulnerabilities remains 30-60 days, despite significant global investment in security tools and services. If your organisation shows similar performance, you’re paying for detection without meaningful protection.
People, processes and tech
The most encouraging aspect of post-CYBERUK discussions has been the growing recognition that security effectiveness needs cultural change, not just tech solutions. As conference participants noted, “culture eats certification for breakfast.”
This means moving beyond tick-box compliance towards genuine risk management. It means making sure that your cybersecurity investments actually reduce your exposure, not just provide documentation that you’re taking it seriously.
Practically, this takes three things: clear accountability for security outcomes, integrated processes between security and infrastructure teams, and metrics that measure actual risk reduction rather than just compliance activity.
The cybersecurity sector’s growth shows that companies do actually see the importance of digital protection. The challenge now is making sure their investments translate into genuine resilience rather than expensive reassurance.
Moving past the basics
One month on from Manchester’s event, the message is clear: getting the fundamentals right is still the most effective path to proper cybersecurity resilience. You might indeed benefit from the latest AI-powered threat detection system, but you also want to make sure that basic security hygiene becomes the standard for everyone.
The conversation has evolved from whether cybersecurity matters to whether we’re doing it effectively. For organisations willing to ask hard questions about their current approach, this is a great opportunity to build genuinely strong defences.
For practical guidance on building effective security foundations, read our article on Security Hygiene: Why the Basics Matter More Than You Might Think. At Two Four Secure, we help organisations bridge the gap between cybersecurity investment and actual protection. Contact us to discuss how we can strengthen your security foundations.