Business Leaders Cyber Briefing

Trish and Tom take a deep dive into the NCSC Annual Review for 2025 and unpack practical tips for business leaders.We're tearing open the most critical report of the year: the NCSC Annual Review 2025. The message from GCHQ is crystal clear: Cyber risk is no longer just an IT issue—it’s a boardroom priority.Forget those old assumptions—the threats are escalating at an alarming rate. Recent high-profile attacks on household names like M&S, Co-op, and JLR show that cyber incidents now cause operational standstills, affecting real lives and costing millions (like the £32.7 million loss following an attack on a pathology provider).We’re diving into why the NCSC CEO says the risk facing the nation is "widely underestimated", the dramatic 50% rise in highly significant incidents, and what leaders need to do now to embrace resilience. We unpack the impact AI is having on cyber security and how the bad guys are using it to target UK organisations more effectivelyAnd we round off with a conversation about the radical shift in how organisations need to tackle cyber security in their supply chain - it's not all about data security anymore!Tune in—the window for preparation is narrowing==========To learn more about the Cyber Swift platform mention in this podcast, sign up for the upcoming webinar on 28th October here: https://www.cool-waters.co.uk/events/how-to-build-a-cyber-secure-supply-chain-turning-awareness-into-action Need help with Cyber Security? Speak to Cool Waters Cyber - NCSC assured Cyber Advisors and Cyber Essentials experts - www.cool-waters.co.uk

This episode dives deep into UK Supply Chain Cyber Security, a critical and often overlooked area in today's digital world.So, what exactly is it? It's about securing the entire network of external partners, suppliers, and third-party services that your business relies on. Imagine your company as only as strong as its weakest link. In the UK, this is more urgent than ever: supply chain cyberattacks surged by a staggering 431% between 2021 and 2023. Despite this growing threat, shockingly few UK businesses formally review risks from their immediate suppliers (only 14%) or their wider supply chain (just 7%). The financial impact is immense, costing the UK economy an estimated £27 billion annually.Our understanding of supply chain cyber security has evolved significantly beyond mere data protection. While preventing data breaches remains vital, the new reality focuses on operational resilience. This means ensuring your suppliers remain functional and can continue delivering critical services, even if they suffer a cyberattack themselves. Recent high-profile incidents, like the 2024 Synnovis ransomware attack which disrupted NHS services, starkly illustrate how a supplier's compromise can halt critical operations, affecting everything from pension payments to patient care. The goal is no longer just to avoid losing data, but to guarantee your ability to operate smoothly.The easiest and most effective way for firms to manage this complex supply chain security is by asking for certifications from their suppliers. Cyber Essentials has emerged as the cornerstone of the UK's strategy, a government-backed scheme defining five fundamental technical controls that protect against the majority of common cyberattacks. It's not just a recommendation; it's rapidly becoming a critical business requirement, with major UK banks like Barclays and Lloyds Banking Group now expanding Cyber Essentials requirements across their supply chains. This streamlines due diligence, raises minimum standards across the economy, and has been proven to work: one firm, St. James's Place, saw an 80% reduction in cyber incidents after requiring 2,800 suppliers to achieve Cyber Essentials Plus.Need help with Cyber Security? Speak to Cool Waters Cyber - NCSC assured Cyber Advisors and Cyber Essentials experts - www.cool-waters.co.uk

Business Leaders Cyber Briefing - Episode 12: Key TakeawaysWhat You'll Learn from This EpisodeTrish and Tom from Cool Waters Cyber break down the 2025 Cyber Security Breaches Survey findings to help UK financial services leaders understand their current risk landscape and improve their cyber defenses.Critical Insights for Business LeadersYour Risk Profile is Higher Than You Think74% of large businesses and 67% of medium businesses experienced cyber incidentsFinance and digitally intensive sectors face elevated risksRansomware attacks have doubled, now affecting 1% of all businesses (19,000 organizations)Phishing Remains Your Biggest Threat85% of breached businesses were hit by phishing attacksEven failed attempts drain significant staff timeAI-enhanced scams are making phishing more sophisticated and harder to detectFinancial Impact Can Be SevereAverage breach costs range from £1,600 to £8,260 depending on severityCyber-facilitated fraud averages £5,900 per incidentRepeat attacks are common—affected businesses face an average of 30 incidents annuallyKey Action ItemsStrengthen Board AccountabilityOnly 27% of businesses have a board member explicitly responsible for cyber securityFinance sector performs better (57%) but still has room for improvementMake cyber security a standing board agenda itemImprove Incident Response PreparednessJust 23% of all businesses have formal incident response plansOnly 39% of affected businesses report incidents externallyDevelop and regularly test your incident response proceduresImplement Proven FrameworksUse the UK Cyber Governance Code of Practice's five principles as your foundationConsider IASME Cyber Assurance for comprehensive governance alignmentStart with Cyber Essentials for essential technical controlsBottom LineThe episode demonstrates that while cyber threats are intensifying, businesses with structured governance and incident response capabilities are better positioned to minimize impact. The key is moving from reactive to proactive cyber security management through proven frameworks and clear board-level accountability.Next Steps: Assess your current cyber governance against the five principles, ensure you have formal incident response plans, and consider certification standards like Cyber Essentials or IASME Cyber Assurance to systematically strengthen your defences.Need help with Cyber Security? Speak to Cool Waters Cyber - NCSC assured Cyber Advisors and Cyber Essentials experts - www.cool-waters.co.uk

Implementing the UK Cyber Governance Code of Practice with IASME Cyber AssuranceIn this episode, we discuss the crucial topic of cyber governance for business leaders. With 74% of large businesses and 70% of medium businesses in the UK experiencing a cyber breach in the past year, boards are now clearly expected to lead on cyber risk. In response, the UK government (via DSIT and NCSC) has introduced the voluntary Cyber Governance Code of Practice to guide boards and directors.The Code distils five key principles for effective cyber governance: Risk Management, Strategy, People, Incident Planning & Response, and Assurance & Oversight. However, implementing these practices can be a challenge.Our deep dive focuses on a pragmatic roadmap to implement the Code: the IASME Cyber Assurance standard. Formerly known as "IASME Governance", this government-backed standard is comprehensive yet accessible, developed with UK government support as an alternative to more complex standards like ISO/IEC 27001. Using IASME Cyber Assurance to implement the Code offers several benefits:• Integrated Approach: It delivers both the Cyber Governance Code's requirements and the technical controls of Cyber Essentials in one unified effort, avoiding duplicate work.• Structured Guidance: IASME provides detailed guidance, templates, and a structured question set to lead you through implementing controls, so you don't have to "reinvent the wheel".• Comprehensive Coverage: The standard covers technical controls, risk management, data protection (like GDPR), and regulatory compliance.• External Assurance: It culminates in an independent certification, providing tangible proof to stakeholders that your cyber governance meets a national standard.Learn how following a structured roadmap using IASME can help organisations achieve significant cyber maturity relatively quickly, often within ~3–6 months to certification.Implementing these steps can be challenging, which is why partnering with an NCSC-accredited Cyber Advisor can be invaluable. Advisors, like our sponsor Cool Waters Cyber, provide expert gap analysis, hands-on remediation support, plain-English communication, project management, and certification liaison. They offer a clear, pragmatic roadmap and help streamline the process, ensuring you meet the standards effectively.Cool Waters Cyber offers a comprehensive service to help boards implement the Cyber Governance Code of Practice. They provide tailored support backed by real-world experience and plain-English advice.Ready to strengthen your cyber governance? Cool Waters Cyber can help your firm implement the new code.Need help with Cyber Security? Speak to Cool Waters Cyber - NCSC assured Cyber Advisors and Cyber Essentials experts - www.cool-waters.co.uk

Tune into this episode for a deep dive into the UK government's Cyber Governance Code of Practice. This Code is a crucial resource designed specifically for boards and directors. Understanding it can significantly benefit your organisation.By listening, you will gain insights into:• Why cyber governance is essential for modern businesses and organisations. Digital technologies are deeply embedded in most businesses, and critical operations often rely on them. Cyber risk is a material risk for almost all organisations.• The critical role of boards and directors in managing digital risks and protecting their organisations from cyber attacks. Governing cyber risk requires strong engagement and action at a leadership level.• How the Code helps protect your organisation's financial viability. Effective management of cyber risks is crucial, and building cyber resilience is key to recovering from harm caused by cyber events.• What the Cyber Governance Code of Practice is and how it sets out the most critical governance actions that directors are responsible for. It shows how boards and directors can build resilience to a wide range of cyber risks.• Who should use the Code: It's tailor-made for boards and directors of both public-sector and private organisations, especially medium and large ones. While not specifically for small organisations, they play a critical role in UK economic resilience and should seek to implement the Code's principles.• How the Code helps manage cyber risks effectively and reduce the likelihood and impact of cyber attacks. Cyber incidents can lead to major impacts like loss of income, damage to customer trust, or costly remedial action.• How the Code fits into a wider government support package. It is underpinned by resources such as Cyber Governance Training and the Cyber Security Toolkit for Boards, which help strengthen understanding and support implementation.• The key areas covered by the Code, including Risk Management, Strategy, People, Incident Planning, Response and Recovery, and Assurance and Oversight, detailing specific actions for each area.• Understanding the minimum standards for managing cyber risk, especially when the Code is used alongside Cyber Essentials, a government-backed certification scheme.Understanding the principles and actions outlined in the Code of Practice is crucial for effective governance and protecting your organisation in today's digital landscapeNeed help with Cyber Security? Speak to Cool Waters Cyber - NCSC assured Cyber Advisors and Cyber Essentials experts - www.cool-waters.co.uk

Is your organisation ready for the quantum revolution? This episode delves into the looming threat of quantum computing to current cybersecurity, explaining how powerful quantum computers could break widely used encryption like RSA and ECC, potentially by the early to mid-2030s. Understand the "harvest now, decrypt later" attacks that could expose your sensitive data in the future.This episode highlights the critical risks to UK businesses, especially in finance and the public sector, including the potential collapse of secure transactions, compromised citizen data, and threats to critical infrastructure. Learn about the UK's National Cyber Security Centre (NCSC) guidance and their 2035 deadline for migrating to quantum-resistant cryptography.Discover the essential steps business leaders need to take now to prepare for a post-quantum world, including raising executive awareness, assessing cryptographic usage, adopting crypto-agility, and planning for the transition to Post-Quantum Cryptography (PQC) standards recommended by NIST and the NCSC. For financial institutions, the episode also touches upon PCI-DSS compliance implications. Don't wait until it's too late – future-proof your organisation by understanding and acting on the quantum threat today..Need help with Cyber Security? Speak to Cool Waters Cyber - NCSC assured Cyber Advisors and Cyber Essentials experts - www.cool-waters.co.uk

Passwords are out, and passkeys are in! But what exactly are passkeys, and why should business leaders care? In this episode, we break down passkeys in plain English—no tech jargon, just clear and practical insights.You'll learn:✅ What passkeys are and how they work✅ Why they’re more secure (and easier) than passwords✅ How passkeys can protect your business from phishing and credential theft✅ Why major companies like Google, Microsoft, and Apple are already making the switchWith upcoming Cyber Essentials changes likely to push businesses toward passkeys, now is the time to get ahead of the curve. Tune in to discover how passkeys can make life easier for your employees and keep your business safer.#GetCyberSorted #Passkeys #CyberSecurityNeed help with Cyber Security? Speak to Cool Waters Cyber - NCSC assured Cyber Advisors and Cyber Essentials experts - www.cool-waters.co.uk

🔹 Episode Overview:For decades, the construction industry has made physical safety a top priority. Over time, mental well-being has also been recognised as a critical part of workplace safety. But now, a new challenge is emerging—one that many construction businesses aren’t prepared for: Cyber Safety.In this episode, we discuss the findings of our latest white paper on the evolution of safety culture in construction, revealing how cyber risks are becoming just as important as traditional workplace hazards. We’ll unpack:✅ How health and safety evolved from a compliance burden to a core business value.✅ The growing link between mental well-being and job site safety—and how stress can increase the risk of accidents.✅ Why cyber threats (like ransomware, phishing, and invoice fraud) are now a critical risk to construction firms.✅ How construction companies can apply lessons from traditional safety culture to build a strong cyber safety mindset.We also introduce our 6-Point Cyber Safety Action Plan, a practical guide to help construction firms protect their people, projects, and profits from cyber threats.🔹 Key Takeaways:✔️ Cyber attacks are increasing in the construction industry, but most firms are unprepared.✔️ Employees need to be trained to spot cyber threats just like they spot physical hazards.✔️ Cyber safety should be integrated into daily briefings, safety reports, and leadership discussions.✔️ The best way to avoid cyber attacks is to build a culture of cyber awareness.🔹 Get the Full Report:Want the complete insights? Download the full white paper, which includes the 6-Point Cyber Safety Action Plan and real-world strategies for construction firms.📥 [Download Your Copy Here]🔹 Who Should Listen?👷 Construction & engineering leaders🛠️ Health & Safety professionals💻 IT & Cybersecurity teams🏗️ Contractors & site managers📈 Business owners in the built environment🚀 Tune in and learn how to future-proof your construction business with cyber safety!Need help with Cyber Security? Speak to Cool Waters Cyber - NCSC assured Cyber Advisors and Cyber Essentials experts - www.cool-waters.co.uk

Join Trish and Tom as they explain what the UK Cyber Essentials scheme is, how it will benefit your business and the changes coming to the scheme from April 2025.Whether you already have Cyber Essentials and will need to renew after the changes come into effect or are considering going for the certification for the first time - this is essential listening.Always in plain English, always short and to the point - this is the Business Leaders Cyber Briefing from Cool Waters Cyber.Need help with Cyber Security? Speak to Cool Waters Cyber - NCSC assured Cyber Advisors and Cyber Essentials experts - www.cool-waters.co.uk

If your business processes card payment transactions you need to be PCI-DSS compliant.  This episode provides an introduction to PCI-DSS and along the way explains many key cyber security concepts that apply to all businesses.This podcast episode discusses PCI DSS, a global information security standard for organisations that handle branded credit cards from the major card schemes. The episode focuses on two key areas: scoping and segmentation.Scoping is the process of identifying all the systems, people, and processes that need to be included in a PCI DSS assessment. This is crucial because it determines which parts of an organisation’s infrastructure are subject to the PCI DSS requirements. Accurately determining scope helps organisations focus their security efforts and resources where they are most needed. The episode provides a detailed breakdown of the scoping process, including:Identifying all payment channels and how cardholder data is received.Documenting the flow of cardholder data and the systems involved.Identifying any systems, processes, and personnel that can interact with or impact the cardholder data environment.The episode emphasises the importance of considering all connected systems and the potential risks if these systems are overlooked during scoping.Segmentation is a security strategy that involves isolating the cardholder data environment (CDE) from other parts of the network. Effective segmentation can significantly reduce the scope of a PCI DSS assessment, making compliance easier to achieve and manage. The episode discusses different segmentation approaches and their impact on PCI DSS scope, particularly in the context of shared services like directory services. It stresses that segmentation should be part of a holistic security strategy and not a replacement for securing the entire infrastructure.The episode concludes by highlighting that effective scoping and segmentation can significantly reduce the risk of data breaches and streamline PCI DSS compliance efforts. It encourages business leaders to engage with their security teams to ensure a thorough understanding of these concepts and their impact on the organisation's overall security posture.Business Leaders Cyber Briefing is produced by Cool Waters Cyber, a UK based cyber security firm who have been protecting businesses across 3 continents since 1999.  We are an NCSC Assured Service Provider and Cyber Advisor. To learn more: www.cool-waters.co.ukNeed help with Cyber Security? Speak to Cool Waters Cyber - NCSC assured Cyber Advisors and Cyber Essentials experts - www.cool-waters.co.uk

The EU has passed the world’s first comprehensive law on Artificial Intelligence (AI): The AI Act. This groundbreaking legislation aims to ensure the safe, ethical, and transparent use of AI within the EU, impacting businesses in the UK and globally.Key Takeaways for Business Leaders:Understanding Risk Categories: The AI Act categorises AI systems based on their potential risk. Systems posing unacceptable risk, such as those used for social scoring or manipulative practices, are banned. High-risk systems, like those used in critical infrastructure, healthcare, or law enforcement, will face strict regulations, including pre-market conformity assessments and ongoing monitoring.Transparency is Paramount: Businesses using AI, especially generative AI systems like ChatGPT, must be transparent about their use. This includes disclosing AI-generated content, preventing the generation of illegal content, and providing summaries of copyrighted training data.Compliance is Essential: The AI Act enforces compliance through hefty fines, reaching up to 7% of a company's global annual turnover. Businesses need to understand their obligations and implement necessary measures to avoid costly penalties.Embrace the Opportunities: The AI Act aims to support innovation by offering testing environments and resources for start-ups and smaller companies. Businesses should leverage these opportunities to develop and deploy AI solutions responsibly.Call to Action:The AI Act signifies a significant shift in the AI landscape. Business leaders need to:Assess their current and future use of AI systems.Determine the risk category of each system.Develop and implement compliance strategies.Embrace transparency and ethical considerations.Stay informed about the evolving regulatory landscape.By taking proactive steps, businesses can ensure compliance, mitigate risks, and harness the power of AI responsibly.Business Leaders Cyber Briefing is produced by Cool Waters Cyber, a UK based cyber security firm who have been protecting businesses across 3 continents since 1999.  We are an NCSC Assured Service Provider and Cyber Advisor. To learn more: www.cool-waters.co.ukNeed help with Cyber Security? Speak to Cool Waters Cyber - NCSC assured Cyber Advisors and Cyber Essentials experts - www.cool-waters.co.uk

This episode explains Cyber Essentials, a UK government-backed scheme that helps charities protect themselves against common cyber attacks. Trustees and leaders are responsible for ensuring their charity's IT systems and data are secure. This is essential for maintaining public trust, protecting beneficiaries, and securing funding.Cyber Essentials certification demonstrates a commitment to cyber security, helping charities meet the increasing requirements of grant-making bodies and public sector contracts.Key actions for trustees:Understand the five technical controls: firewalls, secure configuration, security update management, user access control, and malware protection.Implement key policies, such as applying security updates within 14 days, using supported software, having strong password policies, and managing user accounts and permissions.Ensure all systems used for charity business meet these requirements, including devices owned by trustees and volunteers.Cyber Essentials offers significant benefits:Protection against the vast majority of common cyber attacks.Increased confidence in data security.New funding opportunities.Reduced likelihood of cyber insurance claims.Free cyber insurance for small charities.This episode will guide you through the essential steps to protect your charity from cyber risks.Business Leaders Cyber Briefing is produced by Cool Waters Cyber, a UK based cyber security firm who have been protecting businesses across 3 continents since 1999.  We are an NCSC Assured Service Provider and Cyber Advisor. To learn more: www.cool-waters.co.ukNeed help with Cyber Security? Speak to Cool Waters Cyber - NCSC assured Cyber Advisors and Cyber Essentials experts - www.cool-waters.co.uk

This episode explores cybersecurity in the UK, examining threats, resilience efforts, and long-term strategies. It draws on the National Cyber Security Centre's (NCSC) 2024 Annual Review.Key Themes:Escalating Cyber Threats: The UK faces a "diffuse and dangerous" cyber threat landscape, with increasing attacks from hostile states (Russia, China, Iran, North Korea), organised crime, and opportunistic actors. These threats are becoming more sophisticated, exploiting vulnerabilities in critical infrastructure, supply chains, and democratic processes.Bridging the Resilience Gap: The UK's cyber defences are struggling to keep pace with evolving threats. While basic cybersecurity practices can prevent most attacks, widespread adoption is lacking. The episode emphasises the urgency for organisations to prioritise cybersecurity as an investment, not a compliance burden.Building a Robust Cyber Ecosystem: The NCSC advocates for a collaborative approach to enhance the UK's cyber resilience. This involves:Securing government through initiatives like the Government Cyber Coordination Centre (GC3).Empowering sectors through collaboration with industry-specific Trust Groups.Defending democracy through partnerships with the Defending Democracy Taskforce and bolstering election security.Developing a skilled workforce by inspiring young talent through programs like CyberFirst and supporting higher education institutions.Fostering innovation through collaboration with startups and industry leaders.Shaping the Future of Cybersecurity: The episode highlights the need for proactive, long-term strategies:Stronger legislation and regulation, like the Cyber Security and Resilience Bill, to raise security standards and protect critical infrastructure.Creating market incentives to drive investment in "secure by design" products and services by addressing issues like information asymmetry and prioritising security over speed and cost.Embracing emerging technologies like AI and post-quantum cryptography (PQC) securely, while managing associated risks.This episode provides a comprehensive overview of the state of cybersecurity in the UK, highlighting the need for urgent action, collaboration, and long-term vision to build a more secure and prosperous digital future.Business Leaders Cyber Briefing is produced by Cool Waters Cyber, a UK based cyber security firm who have been protecting businesses across 3 continents since 1999.  We are an NCSC Assured Service Provider and Cyber Advisor. To learn more: www.cool-waters.co.ukNeed help with Cyber Security? Speak to Cool Waters Cyber - NCSC assured Cyber Advisors and Cyber Essentials experts - www.cool-waters.co.uk

This episode explores the evolving landscape of cybersecurity legislation in the EU and the UK, examining key initiatives aimed at fortifying digital defences against an increasingly sophisticated threat environment.The EU's Cyber Resilience Act, now in force, establishes mandatory cybersecurity standards for all products with digital elements sold in the EU market. The act aims to ensure that manufacturers prioritise cybersecurity throughout a product's lifecycle, from design and development to maintenance, and requires products to meet specific cybersecurity requirements before receiving the CE marking.Complementing the Cyber Resilience Act, the EU's Digital Operational Resilience Act (DORA) focuses on enhancing the cybersecurity posture of financial entities and their critical ICT third-party service providers. This regulation introduces stringent requirements for ICT risk management, incident reporting, operational resilience testing, and the oversight of third-party risks. DORA aims to ensure the financial sector's ability to withstand and recover from ICT disruptions, safeguarding the stability of the EU's financial system.Meanwhile, the UK government is preparing to introduce the Cyber Security and Resilience Bill in 2025. This bill seeks to bolster the UK's cyber defences by strengthening existing regulations and expanding their reach to cover more digital services and supply chains. The bill also emphasises the need for increased incident reporting to enhance government understanding of cyber threats and vulnerabilities.Felicity Oswald, CEO of the UK's National Cyber Security Centre (NCSC), highlights the growing threat posed by hostile state actors, particularly China, in her keynote speech at CYBERUK 2024. Oswald emphasises the need for proactive cybersecurity measures, urging businesses and organidations to prioritise security from the outset rather than treating it as an afterthought. She also stresses the importance of collaboration between government, industry, and international allies in effectively defending against cyber threats.Both the EU's legislative initiatives and the UK's upcoming bill, alongside the strategic insights shared by the NCSC, underscore the growing importance of robust cybersecurity measures in today's interconnected world. While the EU's approach emphasises harmonised standards and comprehensive risk management frameworks, the UK's strategy focuses on strengthening national defences and fostering collaborative partnerships. This episode provides a deep dive into these key developments, analysing their implications for individuals, businesses, and governments navigating the complex challenges of the digital age.Business Leaders Cyber Briefing is produced by Cool Waters Cyber, a UK based cyber security firm who have been protecting businesses across 3 continents since 1999.  We are an NCSC Assured Service Provider and Cyber Advisor. To learn more: www.cool-waters.co.ukNeed help with Cyber Security? Speak to Cool Waters Cyber - NCSC assured Cyber Advisors and Cyber Essentials experts - www.cool-waters.co.uk