UK SMBs must reassess risk to prepare for the government’s new cyber bill
The UK government’s proposed Cyber Security and Resilience Bill marks a pivotal step in strengthening the nation’s cyber defenses, particularly for small and medium-sized businesses (SMBs). This legislative initiative, expected in Summer of 2025, is designed to align the UK’s cyber security standards more closely with those of the European Union (EU) and the United States (US), both of which have recently enhanced their regulatory frameworks.
Once passed, the bill will expand the scope of the existing NIS regulations and require companies to report on a broader range of cyber incidents, including those relating to ransomware attacks. By emphasizing supply chain security, increased reporting, and resilience-building, the legislation aims to foster a more proactive cyber risk culture among UK businesses, bringing them in line with global best practices in tackling ransomware threats and emerging cyber risks. The expanded UK regulation looks set to cover more sectors, including providers of digital services, and will mandate increased reporting of data ransom incidents.
This is a timely move. A Microsoft/Bredin survey of SMBs in the US and UK with between 25 and 300 employees last year found that one in three had fallen victim to a cyber attack in the previous 12 months, and that the average total cost of an attack to each firm was the equivalent of $254,445.
Threats are developing with more sophisticated use of social engineering, phishing and email compromise, which are often precursors to ransomware attacks that can have devastating consequences for SMBs. The new bill is a positive step in supporting businesses of all sizes, particularly those in the SMB sector, which often have fewer resources and less time to combat these evolving threats. Other ideas include a government consultation this year on whether payment of ransoms by critical infrastructure organisations and the public sector should become illegal.
Although there is still little detail, the proposed bill should focus minds on improving the UK economy’s overall resilience, with SMBs firmly in the spotlight. Whether they like it or not, SMBs are increasingly seen as part of the UK’s critical infrastructure because they have customers in critical industries.
A successful attack on a single business can allow criminals, including foreign nation-state sponsored groups, to move through systems to ransom, extract or destroy data. They may choose to lie in wait ready to cripple key operational technologies in times of crisis.
The new bill will make it vital for SMBs to ensure they upgrade and nurture security culture, with information security needing to be managed at the board level and included in the overall risk management structure. This is especially important given the Cyber Breaches Survey found only 31% of businesses had undertaken a cyber risk assessment in the past year.
SMBs will need to assess their current assets and the risk each poses to the operating and data security of the business. This provides an understanding of what is important and establishes which processes are essential to the business. With this information, SMBs can then go ahead and design a risk-based security solution.
It is very likely that the new bill will increase incident reporting responsibilities, which may be unfamiliar. Limiting reputational damage becomes a priority, not through evasiveness but through active steps to reduce the likelihood of a successful attack and its impact.
Should an incident occur, it will be imperative that SMBs act immediately to limit damage to themselves and their partners. Breached organisations should be as open as possible about what has happened and what they have done. They must be transparent about how they have sought to prevent attacks and are acting to mitigate any damage.
Unfortunately, many SMBs only have basic partnerships in cyber security and could easily find themselves floundering after a major cyber event. Organisations that are already working with a specialist managed security services provider have a considerable advantage. They have access to the expertise and experience that ensures they take the right steps. That not only means acting in full compliance with the regulations and best practice but also getting back to business-as-usual more rapidly, should there be a breach.
The advantages for the business are clear: reduced disruption, less time spent reporting to investigating regulators and supply chain partners, and a much smaller probability of fines, reprimands and demands for costly remedial action.
SMBs will be missing an opportunity if they do only the minimum possible to comply with the new regulation. The government rightly wants to develop security culture so organisations feel strengthening defences is part of their responsibility to wider society.
The data from reporting will give the government more insight, and will also enable specialists within the cyber industry to learn more about attack vectors and threat patterns.
The industry can use the information to build new tools and protective techniques and publicise more prominently the extent of the threats facing SMBs. Smaller businesses are frequently in the dark about how the tactics that criminals and hacktivists use are constantly changing. Any new frameworks in the new Cyber Security and Resilience Act will provide statistics and case studies everyone can learn from.
The Cyber Security and Resilience Bill should bring a welcome change to the security status quo in the UK. SMBs need to embrace it. While existing guidance such as Cyber Essentials and Cyber Essentials Plus has been successful for the National Cyber Security Centre, the proposed legislation should promote cyber security as essential for all SMBs, providing a major boost in protection that will benefit the entire nation.