Cyber Resilience Pledge comments

by Mark Rowe

At the UK official CyberUK conference in Glasgow in April 2026, Dan Jarvis, the Home Office Security Minister, announced a Cyber Resilience Pledge. That’s a voluntary commitment asking businesses for three concrete actions: make cyber a board-level responsibility; register with the UK official National Cyber Security Centre’s (NCSC’s) free Early Warning Service; and require the Cyber Essentials certification across their supply chains.

The Government has also written to the CEOs and chairs of leading UK companies. Ministers have stated that cyber security is no longer just an IT department ‘problem’ but a boardroom imperative. At the same time, the UK’s cyber security sector is growing, according to a UK Government ‘sectoral analysis’, with revenues up 11 per cent and the number of firms in the space rising 20 per cent to over 2,600 companies. So, while the UK has no shortage of expertise, there has historically been a shortage of board-level urgency and focus, according to AJ Thompson, pictured, CCO at Northdoor plc, an IT services firm.

He says: “Frustratingly it has been clear for years that cyber resilience starts right at the top. A CISO without board backing is fighting with one hand tied behind their back. So, any initiative that puts cyber on the agenda in the boardroom is a step in the right direction. The question, as always, is whether organisations will follow through beyond the voluntary signature.

“For what it’s worth, the government does deserve some credit for framing this not as a compliance exercise but as a competitive differentiator. Organisations that sign up will be listed publicly and held up as exemplars. There’s a reputational incentive here, alongside the practical one.

“And whilst this is currently a voluntary exercise, with the Cyber Security and Resilience Bill progressing through Parliament, companies should be expecting this to become mandated in the coming months.

“Of course, the real point here is that hackers will not care about a company’s signature on a cyber resilience pledge. All threat actors are continuously probing, looking for weaknesses and vulnerabilities and increasing the sophistication of their attacks. They are not pausing their activity because you signed a declaration and posted it on your website.

“Instead, companies should be proactive in their defensive and resilience efforts. Patching systems, training staff, testing incident response plans and, equally importantly, ensuring that the board is asking the hard questions about what the latest threats look like and what is in place to deal with a potential threat. These questions should not just be restricted to the aftermath of a high-profile breach, but every quarter at the very least.

“The Cyber Resilience Pledge is a useful catalyst, but it is not the end solution. It should be considered as the starting gun rather than the finish line; those who treat it any other way have already lost. Sign the pledge. Absolutely. But then do the work. Because the hackers certainly are.”

Nation-state affiliated threats

The relationship between global geopolitics and DDoS activity has become closer in recent times – cyberattacks almost move in lockstep with geopolitical conflict, says Darren Anstee, CTO for security at NETSCOUT. He says: “For over 15 years, we have seen real-world events echoed on the digital battlefield – from the 2007 attacks on Estonia to the current volatility surrounding Ukraine and the Middle East. However, the big shift we’ve seen in the last few years is around the range of targets being hit.

“We are now seeing high-volume attacks coinciding with events at the national level, such as disruptions linked to regional protests, local elections, and political speeches. These events, with minimal global geopolitical significance, are becoming standard targets for reactionary cyber aggression.

“The targets being selected vary depending on the primary goal of the hacktivist adversary. Some groups are looking to generate media noise, taking aim at high-profile targets where any impact has limited strategic importance. Others are selecting targets based on the impact any outage would have to economies and day-to-day life.

“So what can UK firms and enterprises do to keep themselves safe from the attacks perpetrated by nation state threat actors? First and foremost, these threat actors are no longer focused solely on organisations directly involved in geopolitical conflict. Simply being associated with what would be considered a primary target, as a part of a supply chain, is enough. All UK firms must assume that they are at risk of attack, and must therefore ensure they have appropriate, layered defences in place. These include on-premise to defend critical applications and vulnerable infrastructure, such as firewalls, and in the cloud to deal with the increasing number of high-scale attacks we are seeing.”
