Man looking at code in the dark

Start 2026 right by making cyber security a priority

Author: Phalan Denyer, Analyst, Cyber Security
Tim Robinson
15/01/2026

It’s 2026 and it’s clear that cyber security must remain at the top of every organisation’s agenda. Last year, UK businesses experienced a record number of cyber-related incidents – and there’s no guarantee that record won’t be broken again this year.

Cyber threats are continuously evolving, and organisations must strengthen their resilience to withstand and recover from attacks. Below are four key measures that organisations should consider for improving cyber resilience throughout 2026 and beyond:

1. Strengthen cyber governance

Cyber resilience starts with governance. Without strong governance, security measures lack direction and accountability. Yet, in 2025, only 36% of businesses had a formal cyber security policy, and even fewer had a business continuity plan, according to the UK Cyber Security Breaches Survey 2025.

Ensuring your organisation’s cyber and information security policies are up to date with regulatory and legal compliance goes a long way toward protecting against potential threats. Formal policies also shape organisational security culture, providing guidance to employees and creating accountability. Some key areas include:

  • roles and responsibilities
  • access control
  • asset management
  • data protection and backup
  • third-party risk management
  • acceptable AI use.

Furthermore, the UK’s Cyber Security and Resilience Bill, set to be introduced into law later this year, will bring significant governance changes which, depending on the nature of your organisation, could make your current cyber security policy obsolete.

Our Cyber Security team can help ensure your organisation has robust policies and processes aligned with industry best practice and regulatory requirements, as well as provide expert advice or support on preparing for the upcoming Cyber Security and Resilience Bill.

2. Secure your suppliers

With increasing regulatory scrutiny and complex supply chains, proactive third-party risk management is critical for 2026. High-profile cyber incidents last year, such as the Jaguar Land Rover and M&S breaches, highlight just how damaging breaches through suppliers can be for businesses, and why suppliers remain attractive targets for cybercriminals.

The Jaguar Land Rover breach is regarded as the most damaging cyberattack in UK history, with an estimated £1.9 billion cost, weeks of production disruption, and cascading effects across its supply chain, impacting up to 5,000 businesses. Similarly, the M&S breach led to months of disruption to online services and the theft of customer data, incurring a direct cost of £136 million and an estimated £300 million loss in profits due to reduced customer revenue.

Third-party risk management is no longer optional; it’s an essential element of cyber resilience. Organisations must ensure that suppliers, partners, and service providers adhere to robust cyber security standards and best practice. This includes conducting thorough due diligence, implementing contractual security requirements, and monitoring compliance throughout the relationship. Organisations should also control what data third parties can access and ensure their main point of contact at each supplier is listed in incident response plans.

We can help assess your organisation’s third-party risks through continuous due diligence, external vulnerability assessments, and data mapping exercises that give you visibility into what and where data is being shared and help identify operational dependencies.

3. Upskill staff to spot cyber threats

Technology alone cannot stop cyber threats, and human error remains one of the biggest vulnerabilities. Phishing and social engineering attacks continue to be among the most common causes of breaches – especially with the growing use of AI to create convincing correspondence and deepfakes.

Employees can be your first line of defence, or your last. Either way, regular awareness and training are crucial for creating a security-first culture. Organisations must keep staff informed about emerging threats and best practices, test their response to scenarios, and ensure employees understand the organisation’s cyber security policy and procedures.

Our Cyber Security team can help educate and empower your staff to recognise, prevent, and respond to cyber threats effectively. We provide tailored training sessions and realistic phishing simulations to test and improve employee response.

4. Prepare, prepare, prepare

If 2025 taught us anything, it’s that even with the best defences in place, no organisation is immune to cyber incidents. The difference between a minor disruption and a major crisis often comes down to preparation.

Well-defined and tested incident response and business continuity plans ensure organisations can act quickly and effectively when an attack occurs, while remaining operationally viable during remediation. Good preparation can reduce both the financial and reputational damage that cyber incidents frequently incur. The following should be defined in your incident response plan:

  • core response: defined roles and responsibilities, triaging, and escalation paths
  • communication protocols: clear internal and external communication strategies during an incident
  • business continuity and recovery: plans to maintain operations and restore systems as soon as possible
  • post-incident review: evaluate what worked well and identify areas for improvement.

We can help you develop and test your incident response and business continuity plans against realistic scenarios, as well as provide expert guidance on creating actionable incident response playbooks to ensure your team is ready to respond effectively when it matters most.

Cyber resilience isn’t a one-time project – it’s an ongoing commitment. By strengthening governance, managing third-party risk, upskilling staff, and preparing for incidents, organisations can stay ahead of evolving threats.

Our Cyber Security team is always happy to offer advice and training to ensure your organisation can manage cyber risk. For more information, and to ensure cyber resilience is part of your 2026 strategy, get in touch with your usual Crowe contact.

Contact us


Tim Robinson
Partner, Cyber Security and Counter Fraud, London